RE: Administrivia: List Announcement

["Gustavo Scotti" <gscotti () axur com br>]

        strncpy(buf2, p2, SIZE);

This is not off-by-one. Strncpy doesn't zero the "string" if it's
greater than SIZE. The flaw here is the possibility to read the off
bound memory. If your printf("%s", buf2), you must see garbage after
that, until it finds a zero. But it do not cross it's malloced
boundaries.

>        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)

This is off-by-one heap overflow.


> Condition should be < SIZE. <= SIZE leads to the same vuln as above.
This 
> is also a shabby way to copy a string on architectures with a bigger
word 
> size than 8bits. The number of ops can be reduced by copying through a

> 32bit register and then using 8bits for the remaining < 4 bytes.

I don't think this is a shabby way to copy a string. An hipotetical char
= 16 bits, not even your malloc is misused, like your for is incoherent.
Yes, the correct loop would be i < SIZE. Ops can be reduced if your
compiler could optmize it. If you force an arch based optmization (like
the one you proposed), it is totally arch dependent.

Anyway, you may think copy will always have an inner loop (because the
end of string condition). Unless your processor has some kind of store
byte until byte = 0. Someone could talk about finding out how many chars
to copy, before the real copy, to solve the read/write pipeline delays.

That's all.

Gustavo Scotti
Tamandua Laboratories - Axur Information Security
http://tamandua.axur.org