Vulnerability Development mailing list archives

RE: Administrivia: List Announcement


From: "Cameron Brown" <cameron () greyzone com>
Date: Tue, 13 May 2003 15:36:39 -0700


If I supply an argv[1] of > 252 bytes, then byte 253 may (depending on
many factors) overwrite the first byte of buf2.  This is going to be (I
think) part of the size of the malloc'd buf2.  What interesting things
can happen when you then free() an incorrectly-sized buf2 (or otherwise
operate on buf2 if this were a real program) is something I am anxious
to learn from others on this list!

Cameron

-----Original Message-----
From: Dave McKinney [mailto:dm () securityfocus com] 
Sent: Tuesday, May 13, 2003 9:25 AM
To: vuln-dev () securityfocus com
Subject: Administrivia: List Announcement


We'll kick this off with the first challenge, which was devised by Aaron
Adams:


// vulndev-1.c
// vuln-dev mailing list security challenge #1
// by Aaron Adams <aadams () securityfocus com>
// Spot the error in this program.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* declares strncpy(); the original omitted it */

#define SIZE    252

int
main(int argc, char *argv[])
{
        int     i;
        char    *p1, *p2;
        char    *buf1 = malloc(SIZE);
        char    *buf2 = malloc(SIZE);

        if (argc != 3)
                exit(1);

        p1 = argv[1], p2 = argv[2];
        strncpy(buf2, p2, SIZE);
        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];

        free(buf1);
        free(buf2);

        return 0;
}


Dave McKinney
Symantec

keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB  3B29 4D89 3A70 BF91 9DD7
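The one-byte overrun Cameron describes can be made visible without touching heap metadata at all. The following is an added example, not part of the challenge or of any list member's post: it reuses the challenge's exact loop condition (i <= SIZE) but copies into a buffer that carries one extra guard byte, so the off-by-one lands in memory the program owns and can inspect, and places the corrected loop (strict bound plus explicit NUL termination) beside it. Names such as challenge_guard_survives, fixed_guard_survives and the 0x5A guard value are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIZE   252      /* same buffer size as the challenge */
#define GUARD  0x5A     /* constructed sentinel placed just past the SIZE bytes */
#define MAXIN  511      /* longest constructed input this example builds */

/* The challenge's copy loop, reproduced verbatim: '<=' allows index SIZE,
 * i.e. a 253rd byte, to be written when the input is long enough. */
static size_t challenge_copy(char *dst, const char *src)
{
    size_t i;
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;                     /* number of bytes written */
}

/* Corrected loop: never writes past dst[dst_size - 1] and always
 * leaves a NUL terminator, which the original loop also failed to do. */
static size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst_size == 0)
        return 0;
    for (i = 0; i < dst_size - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;                     /* bytes copied, excluding the NUL */
}

/* Build a constructed input of input_len 'A' bytes (capped at MAXIN). */
static void make_input(char *src, size_t input_len)
{
    if (input_len > MAXIN)
        input_len = MAXIN;
    memset(src, 'A', input_len);
    src[input_len] = '\0';
}

/* Returns 1 if the guard byte at buf[SIZE] survives the challenge's loop
 * for an input of input_len bytes, 0 if the loop overwrote it. */
static int challenge_guard_survives(size_t input_len)
{
    char src[MAXIN + 1];
    char buf[SIZE + 1];           /* SIZE bytes plus one guard byte */

    make_input(src, input_len);
    memset(buf, 0, sizeof buf);
    buf[SIZE] = GUARD;
    challenge_copy(buf, src);
    return (unsigned char)buf[SIZE] == GUARD;
}

/* Same check against the corrected loop, bounded to the SIZE-byte region. */
static int fixed_guard_survives(size_t input_len)
{
    char src[MAXIN + 1];
    char buf[SIZE + 1];

    make_input(src, input_len);
    memset(buf, 0, sizeof buf);
    buf[SIZE] = GUARD;
    bounded_copy(buf, SIZE, src);
    return (unsigned char)buf[SIZE] == GUARD;
}

int main(void)
{
    printf("challenge loop, 252-byte input: guard %s\n",
           challenge_guard_survives(252) ? "intact" : "OVERWRITTEN");
    printf("challenge loop, 253-byte input: guard %s\n",
           challenge_guard_survives(253) ? "intact" : "OVERWRITTEN");
    printf("fixed loop,     400-byte input: guard %s\n",
           fixed_guard_survives(400) ? "intact" : "OVERWRITTEN");
    return 0;
}
```

With the guard byte standing in for whatever follows buf1 in the real program, a 252-byte argument leaves it untouched while a 253-byte one overwrites it, which is exactly the boundary Cameron points at; in the challenge itself that byte belongs to the allocator, not to the program, so the safe fix is the strict bound, not reasoning about what the neighbouring chunk holds.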


