Vulnerability Development mailing list archives

Re: Administrivia: List Announcement


From: xenophi1e <oliver.lavery () sympatico ca>
Date: 13 May 2003 17:06:32 -0000

In-Reply-To: <Pine.LNX.4.55.0305131019280.11354 () mail securityfocus com>


This is a very good idea. This mailing list is a good resource, but it 
could be a little more 'fun'...

I'll take a whack.


We'll kick this off with the first challenge, which was devised by Aaron
Adams:

       strncpy(buf2, p2, SIZE);

Off-by-one. Third arg should be SIZE-1 to leave room for the terminating 
NULL. This error should lead to a heap based vulnerability when the 
memory is free()d.

       for (i = 0; i <= SIZE && p1[i] != '\0'; i++)

Condition should be < SIZE. <= SIZE leads to the same vuln as above. This 
is also a shabby way to copy a string on architectures with a bigger word 
size than 8 bits. The number of ops can be reduced by copying through a 
32-bit register and then using 8 bits for the remaining < 4 bytes.

Cheers,
~ol
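Added example, not from the post or from Aaron Adams's challenge: a C program that shows, staying inside the buffer, that strncpy(buf, src, SIZE) writes no terminator once the source is SIZE bytes or longer, beside a bounded copy that uses SIZE-1 and i < SIZE as the reply recommends. SIZE is assumed to be 8 here (the challenge's value is not shown), and the names strncpy_unterminated, bounded_copy and copy_to_size_buf are mine.

```c
#include <stdio.h>
#include <string.h>

#define SIZE 8   /* assumed buffer size; the challenge's value is not shown */

/* Shows the strncpy pitfall in bounds: when src is SIZE bytes or longer,
 * strncpy(buf, src, SIZE) fills all SIZE bytes and writes no NUL, so any
 * later string function on buf reads past its end. Only the SIZE bytes
 * we own are inspected. Returns 1 if no terminator was written. */
int strncpy_unterminated(const char *src)
{
    char buf[SIZE];
    memset(buf, 'X', sizeof buf);              /* no stray NULs beforehand */
    strncpy(buf, src, SIZE);                   /* the flawed third argument */
    return memchr(buf, '\0', SIZE) == NULL;
}

/* Corrected bounded copy: copies at most dstsize-1 bytes and always
 * terminates, i.e. SIZE-1 for strncpy and i < SIZE for the hand loop.
 * Returns the number of bytes copied, excluding the terminator. */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t i;
    if (dstsize == 0)
        return 0;
    for (i = 0; i < dstsize - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/* Convenience wrapper: copy into a SIZE-byte buffer and hand it back. */
const char *copy_to_size_buf(const char *src)
{
    static char buf[SIZE];
    bounded_copy(buf, sizeof buf, src);
    return buf;
}

int main(void)
{
    const char *input = "0123456789abcdef";   /* constructed 16-byte input */
    printf("strncpy left buf unterminated: %d\n", strncpy_unterminated(input));
    printf("bounded_copy result: \"%s\"\n", copy_to_size_buf(input));
    return 0;
}
```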

