Vulnerability Development mailing list archives

Re: memcpy with negative length and destination on heap - exploitable?


From: dullien () gmx de
Date: Wed, 26 Dec 2001 07:13:30 -0800

Hey 3APA3A,

3>   Theoretically, are there any situations where it's possible to
3>   exploit this kind of bug:
3>    char src[FEW * KB_OF_DATA], * dst;
3>    get_user_input(src, sizeof(src));
3>    len = src[POSITION]; /* char is signed and can be negative! */
3>    dst = malloc(256);
3>    memcpy(dst, src + POSITION + 1, len);
3>    len is too long when converted to size_t and memcpy will crash... Is
3>    it possible to avoid it if destination buffer is on heap? Program is
3>    available on all possible platforms :)

Normally, no -- unless of course the application handles its own
segfault and issues either a malloc() or a free() on the corrupted
heap.
If it happens on the stack (under NT), you might be able to overwrite
SEH structures before segfaulting and thus gain control.

Auditing ISC code, eh ? ;)

Cheers,
dullien () gmx de


-- 
Kind regards
dullien () gmx de                            mailto:dullien () gmx de
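Added example (not part of the thread, not code from either poster): it shows in C what the quoted snippet's signed-char length turns into once memcpy receives it as size_t, and beside it a bounds-checked version of the same copy. The record layout, the function names and the constructed inputs are assumptions made up for the demo; the quoted code's plain char is written as signed char so the result is the same on compilers whose plain char is unsigned.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirrors the quoted snippet: len comes from a signed char and is then
 * implicitly converted to size_t. Returns the size_t memcpy would be handed;
 * nothing is copied. `signed char` is spelled out so the demo behaves the same
 * on compilers whose plain char is unsigned. */
size_t length_as_memcpy_sees_it(signed char len_byte)
{
    int len = len_byte;   /* 0x80 .. 0xFF become -128 .. -1 */
    return (size_t)len;   /* negative int -> size_t wraps to SIZE_MAX-127 .. SIZE_MAX */
}

/* Checked version of the copy: the length is read as an unsigned byte and
 * bounded by both the input remaining after it and the destination size.
 * Returns bytes copied, or -1 when the record is rejected. */
int checked_copy(unsigned char *dst, size_t dst_size,
                 const unsigned char *src, size_t src_len, size_t position)
{
    if (position >= src_len)               /* length byte must lie inside src */
        return -1;
    size_t len = src[position];            /* 0..255, never negative */
    size_t avail = src_len - position - 1; /* bytes after the length byte */
    if (len > avail || len > dst_size)
        return -1;
    memcpy(dst, src + position + 1, len);
    return (int)len;
}

/* Constructed inputs (hypothetical record layout: one header byte, a length
 * byte at POSITION 1, then the payload). demo_dst stands in for the malloc(256). */
#define POSITION 1
static unsigned char demo_dst[256];

int demo_valid_record(void)
{
    const unsigned char rec[] = { 0x41, 0x03, 'a', 'b', 'c' };
    return checked_copy(demo_dst, sizeof demo_dst, rec, sizeof rec, POSITION);   /* 3 */
}

int demo_negative_length(void)
{
    const unsigned char rec[] = { 0x41, 0xFF, 'a' };  /* 0xFF is -1 as signed char */
    return checked_copy(demo_dst, sizeof demo_dst, rec, sizeof rec, POSITION);   /* -1 */
}
```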

