Vulnerability Development mailing list archives

Re: some things to play with


From: typo () SCENE AT (Firstname Lastname)
Date: Fri, 14 Jul 2000 13:16:34 +0200


<rant>
I'm really annoyed now.. can't people just shut up when they don't know
what they're talking about?
</rant>

On Fri, Jul 14, 2000 at 01:08:01PM +0400, Vladimir Dubrovin wrote:
> It's just a buggy code of 2b.c. It must be:

no it's not.. I can be sure that argv[2] == NULL when argc = 2,
which gives argc=0 to the called program, with argv[0] == NULL
and a null pointer dereference in strrchr().

no, this isn't exploitable. yes, it yields unexpected behaviour in
some other programs... yes argv[0] needs a lot more checking in security
aware programs.

--- snip from another mail from me to another list ---
the problem is present in strrchr.S in glibc (at least in sysdeps/i386):

L(19):  movl (%esi), %edx       /* get word (= 4 bytes) in question */

with %esi being 0x00000000.

I'm not sure if it's correct to blame it on libc, but an additional check
won't hurt.. my patched tesolibc (which includes various other security patches)
has this check in sysdeps/i386/strrchr.S:

        movl 12(%esp), %esi     /* get string pointer */
        movl 16(%esp), %ecx     /* get character we are looking for */

+       orl %esi, %esi
+       jz L(2)

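Review bot: the jump target L(2) is outside the hunk, so it is not visible that the early exit lands on the normal not-found return path, one that zeroes %eax and pops the two registers the prologue must have pushed (the string pointer is read at 12(%esp), i.e. 8 bytes of saved registers sit below the return address); if L(2) is a mid-loop label, the null dereference is only deferred. `testl %esi, %esi` sets the same flags as `orl %esi, %esi` without writing %esi and is the usual idiom for this check. A comment on the `+` lines should also say that strrchr(NULL, c) now silently returns NULL, which hides the caller's bug (a NULL argv[0]) instead of crashing at the call site, the trade-off the mail itself raises.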
---

--
so much entropy, so little time
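The argv[0] check the mail says security-aware programs need, as an added example that is not code from the post, from 2b.c or from glibc; the fallback name "unknown" and the function name program_name are assumptions:

```c
/* Added example (not from the original post or glibc): derive a program's
 * display name from argv[0] without trusting that argv[0] exists.
 * If a caller does execv(path, &argv[2]) with argv[2] == NULL, the callee
 * starts with argc == 0 and argv[0] == NULL, so a bare strrchr(argv[0], '/')
 * dereferences a null pointer, which is the crash discussed in the thread. */
#include <stdio.h>
#include <string.h>

#define FALLBACK_NAME "unknown"   /* constructed placeholder, an assumption */

/* Returns a pointer to the basename of argv[0], or FALLBACK_NAME when
 * argv[0] is missing or empty. Never dereferences a null pointer.
 * The argv type matches execv(), so the same check fits on the caller side. */
const char *program_name(int argc, char *const argv[])
{
    if (argc < 1 || argv == NULL || argv[0] == NULL || argv[0][0] == '\0')
        return FALLBACK_NAME;

    const char *slash = strrchr(argv[0], '/');   /* safe: argv[0] is non-NULL here */

    /* A name that ends in '/' has no usable basename either. */
    if (slash != NULL && slash[1] == '\0')
        return FALLBACK_NAME;

    return slash != NULL ? slash + 1 : argv[0];
}

int main(int argc, char *argv[])
{
    /* Works even when the kernel hands us argc == 0 and argv[0] == NULL. */
    printf("%s\n", program_name(argc, argv));
    return 0;
}
```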


