Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Administrivia: List Announcement

From: "Bernie Cosell" <bernie () fantasyfarm com>
Date: Tue, 13 May 2003 15:11:05 -0400
On 13 May 2003 at 10:25, Dave McKinney wrote:


... The basic idea is that people are presented with a
fabricated program that may have an exploitable security issue and then as
a group, we can discuss where the problem exists and what the nature of
the problem is, possibly even developing a proof-of-concept to establish
whether or not the issue is exploitable.



We'll kick this off with the first challenge, which was devised by Aaron
Adams:


I have to confess that I've not done hardly any C programming in a LOT of 
years, but there's at least one obvious problem in this little program:


        char    *buf1 = malloc(SIZE);

        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)

                      ^^^^^^^^^

                buf1[i] = p1[i];


that's clearly off by one and so the loop will run at least one char past 
the end of buf1, clobbering one byte beyond the end of the chunk of space 
that got malloc'ed for buf1.

What harm that causes is hard to evaluate, though, isn't it?  Doesn't it 
depend a lot on how a particular C compiler lays things out and how the 
libraries (in particular, malloc) work and what else the program has been 
doing?

  /Bernie\

-- 
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie () fantasyfarm com     Pearisburg, VA
    -->  Too many people, too few sheep  <--
Previous By Date Next
Previous By Thread Next

Current thread: