Re: Administrivia: List Announcement

[David Riley <oscar () the-rileys net>]

On Tuesday, May 13, 2003, at 12:25 PM, Dave McKinney wrote:

> We'll kick this off with the first challenge, which was devised by 
> Aaron
> Adams:
>
>
> // vulndev-1.c
> // vuln-dev mailing list security challenge #1
> // by Aaron Adams <aadams () securityfocus com>
> // Spot the error in this program.
>
> #include <stdio.h>
> #include <stdlib.h>
>
> #define SIZE    252
>
> int
> main(int argc, char *argv[])
> {
>         int     i;
>         char    *p1, *p2;
>         char    *buf1 = malloc(SIZE);
>         char    *buf2 = malloc(SIZE);
>
>         if (argc != 3)
>                 exit(1);
>
>         p1 = argv[1], p2 = argv[2];
>         strncpy(buf2, p2, SIZE);
>         for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
>                 buf1[i] = p1[i];
>
>         free(buf1);
>         free(buf2);
>
>         return 0;
> }

I'll start by saying that I like this idea... it'll give me a chance to 
brush up on my skills in this area.

Now, the only error I see in this program is that the for() loop checks 
for i <= SIZE rather than i < SIZE.  However, this doesn't seem to 
affect much... when I run the compiled program on my OS X machine with 
these args:

./vuln `perl -e 'print "a" x 2000'` `perl -e 'print "b" x 2000'`

It exits cleanly.  I imagine that it might overwrite a byte somewhere, 
but it's not really doing much for me.

Thanks, and great idea,
        David