Vulnerability Development mailing list archives
Re[2]: memcpy with negative length and destination on heap - exploitable?
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 26 Dec 2001 22:02:18 +0300
Hello dullien,

--Wednesday, December 26, 2001, 6:13:30 PM, you wrote to 3APA3A () SECURITY NNOV RU:

3>> memcpy(dst, src + POSITION + 1, len); len is too long then
3>> converted to size_t and memcpy will crash... Is it possible to
3>> avoid it if destination buffer is on heap? Program is available
3>> on all possible platforms :)

dgd> If it happens on the stack (under NT), you might be able to
dgd> overwrite SEH structures before segfaulting and thus gain control.

If it happens on the stack it may be possible to overwrite the 'len' argument with any desired value. If memcpy() doesn't use a register copy of len (for example the one from libuucp) it makes it possible to exploit it.

--
~/ZARAZA
For facts are facts, and they are set forth only so that they may be understood and believed. (Twain)
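The signed-to-size_t conversion behind the question, shown next to a length check that refuses it, as an added C example that is not code from the thread; POSITION, the buffer sizes and the sample input are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values; the thread only shows the memcpy() line itself. */
#define POSITION 3
#define DST_SIZE 16

/* What memcpy() receives when a negative int is passed as its length. */
size_t as_size_t(int len) { return (size_t)len; }

/* The pattern quoted in the mail: len is a signed int, nothing checks it.
 * A negative len becomes a huge size_t and the copy runs off both buffers.
 * Kept for comparison only; it is never called below. */
void unchecked_copy(char *dst, const char *src, int len)
{
    memcpy(dst, src + POSITION + 1, len);
}

/* Hardened form: validate the length against both buffers before copying.
 * Returns 0 on success, -1 when the request is refused. */
int bounded_copy(char *dst, size_t dst_size,
                 const char *src, size_t src_len, int len)
{
    if (len < 0)                        /* would wrap to ~SIZE_MAX */
        return -1;
    size_t n = (size_t)len;
    /* The source offset must leave at least n readable bytes ... */
    if ((size_t)POSITION + 1 > src_len || n > src_len - POSITION - 1)
        return -1;
    /* ... and n must fit in the destination. */
    if (n > dst_size)
        return -1;
    memcpy(dst, src + POSITION + 1, n);
    return 0;
}

int main(void)
{
    char src[] = "HDR:payload-bytes";   /* constructed sample input */
    char dst[DST_SIZE] = {0};
    int len = -1;
    printf("len=%d as size_t = %zu\n", len, as_size_t(len));
    printf("negative len refused: %d\n",
           bounded_copy(dst, DST_SIZE, src, sizeof src - 1, len));
    printf("valid len: %d dst=%s\n",
           bounded_copy(dst, DST_SIZE, src, sizeof src - 1, 7), dst);
    return 0;
}
```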
Current thread:
- memcpy with negative length and destination on heap - exploitable? 3APA3A (Dec 24)
- Re: memcpy with negative length and destination on heap - exploitable? dullien (Dec 26)
- Re[2]: memcpy with negative length and destination on heap - exploitable? 3APA3A (Dec 26)
- Re: memcpy with negative length and destination on heap - exploitable? Pavel Kankovsky (Dec 26)
- Re: memcpy with negative length and destination on heap - exploitable? dullien (Dec 26)