Vulnerability Development mailing list archives
Re: memcpy with negative length and destination on heap - exploitable?
From: dullien () gmx de
Date: Wed, 26 Dec 2001 07:13:30 -0800
Hey 3APA3A,

3> Theoretically, are there any situations where it's possible to
3> exploit this kind of bug:
3>
3> char src[FEW * KB_OF_DATA], * dst;
3> get_user_input(src, sizeof(src));
3> len = src[POSITION]; /* char is signed and can be negative! */
3> dst = malloc(256);
3> memcpy(dst, src + POSITION + 1, len);
3>
3> len is too long, then converted to size_t, and memcpy will crash... Is
3> it possible to avoid it if the destination buffer is on the heap? The program is
3> available on all possible platforms :)

Normally, no -- unless of course the application handles its own segfault and issues either a malloc() or a free() on the corrupted heap.

If it happens on the stack (under NT), you might be able to overwrite SEH structures before segfaulting and thus gain control.

Auditing ISC code, eh ? ;)

Cheers,
dullien () gmx de

--
With kind regards
dullien () gmx de
mailto:dullien () gmx de
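The conversion step the thread discusses (a length byte read through a signed char becoming a huge size_t) next to a bounds-checked copy, as an added example that is not part of the thread; the record layout and the names length_as_in_post, copy_checked and run_checked are assumptions. It uses signed char explicitly because plain char's signedness is implementation-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample records: one length byte followed by payload. */
static const unsigned char BAD_RECORD[]  = { 0xFF, 'A', 'B' }; /* len byte reads as -1 */
static const unsigned char GOOD_RECORD[] = { 0x02, 'A', 'B' }; /* len byte reads as 2 */

/* Reproduces the quoted snippet's length handling: the byte is read
   through a signed char and then handed to memcpy as size_t. */
size_t length_as_in_post(const unsigned char *src, size_t position) {
    signed char len = (signed char)src[position];
    return (size_t)len; /* a negative len becomes SIZE_MAX-ish: memcpy would run off the end */
}

/* Hardened copy: read the length as unsigned, then bound it by both the
   destination size and the bytes actually present after the length byte.
   Returns bytes copied, or -1 if the record is rejected. */
int copy_checked(unsigned char *dst, size_t dst_size,
                 const unsigned char *src, size_t src_size, size_t position) {
    if (position >= src_size) return -1;           /* length byte itself out of range */
    size_t len = src[position];                    /* unsigned: 0..255, never negative */
    size_t avail = src_size - position - 1;        /* payload bytes that really exist */
    if (len > avail || len > dst_size) return -1;  /* would over-read src or over-write dst */
    memcpy(dst, src + position + 1, len);
    return (int)len;
}

/* Runs copy_checked into a 256-byte heap-sized buffer like the post's dst. */
int run_checked(const unsigned char *rec, size_t rec_size) {
    unsigned char dst[256];
    return copy_checked(dst, sizeof dst, rec, rec_size, 0);
}

int main(void) {
    printf("unchecked length for 0xFF byte: %zu\n", length_as_in_post(BAD_RECORD, 0));
    printf("checked copy of bad record:  %d\n", run_checked(BAD_RECORD, sizeof BAD_RECORD));
    printf("checked copy of good record: %d\n", run_checked(GOOD_RECORD, sizeof GOOD_RECORD));
    return 0;
}
```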
Current thread:
- memcpy with negative length and destination on heap - exploitable? 3APA3A (Dec 24)
- Re: memcpy with negative length and destination on heap - exploitable? dullien (Dec 26)
- Re: memcpy with negative length and destination on heap - exploitable? Pavel Kankovsky (Dec 26)