Vulnerability Development mailing list archives

Re: Administrivia: List Announcement


From: Wojciech Purczynski <cliph () isec pl>
Date: Wed, 14 May 2003 14:12:54 +0200 (CEST)


>         for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
>                 buf1[i] = p1[i];
>
> Why not NULL terminate buf1?
> (Again, we're not using it here anyway, but it seems silly not to.)
>
> You missed an off-by-one bug.
>
>         free(buf1);
>         free(buf2);
>
> Assume the user makes the malloc fail by setting nasty process limits.
> Thus buf1 and buf2 don't have SIZE bytes at all, yet we copy into
> the locations they would be.  Voila - overflow.
>
> Or, since we're free'ing a memory location that was never malloc'd,
> it's kind of like a double free bug (though since it was never malloc'd
> properly in the first place, perhaps it needs a better name.)

In case of malloc failure you'll get a NULL-pointer dereference at strncpy()
or in the for-loop. No overflows, no double free bugs at all (assuming you have
no memory pages mapped at 0x0 ;) )

Cheers,
wp

-- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
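The two points raised in this exchange, the `i <= SIZE` off-by-one in the quoted loop and the unchecked malloc that turns a failed allocation into a NULL write, are easy to check in isolation. The following is an added example written for this archive page, not code from either poster: `bytes_written_by_quoted_loop` reproduces the quoted loop's bound without touching memory and reports how many indices it would write, while `bounded_copy` is a hypothetical hardened version that allocates SIZE + 1 bytes, checks malloc, stops at `i < SIZE`, and NUL-terminates. SIZE and the sample input are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 8  /* constructed buffer size for the demonstration */

/* Mirrors the bound of the quoted loop (`i <= SIZE`) without writing to a
   buffer, and returns how many indices it would have written. For an input
   of SIZE or more non-NUL bytes the answer is SIZE + 1: index SIZE is one
   past the end of a SIZE-byte buf1. */
size_t bytes_written_by_quoted_loop(const char *p1) {
    size_t i;
    for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
        ; /* the quoted code does buf1[i] = p1[i]; here */
    return i;
}

/* Hypothetical hardened copy: room for the terminator, malloc checked so a
   failed allocation cannot become a write through NULL, loop bounded with
   `i < SIZE`, and the result always NUL-terminated. Caller frees the result;
   returns NULL only when allocation fails, so nothing unallocated is freed. */
char *bounded_copy(const char *p1) {
    char *buf1 = malloc(SIZE + 1);
    if (buf1 == NULL)
        return NULL;
    size_t i;
    for (i = 0; i < SIZE && p1[i] != '\0'; i++)
        buf1[i] = p1[i];
    buf1[i] = '\0';
    return buf1;
}

int main(void) {
    const char *long_input = "AAAAAAAAAAAAAAAA"; /* constructed: 16 bytes */
    printf("quoted loop would write %zu bytes into a %d-byte buffer\n",
           bytes_written_by_quoted_loop(long_input), SIZE);
    char *copy = bounded_copy(long_input);
    if (copy != NULL) {
        printf("bounded copy: \"%s\" (%zu bytes)\n", copy, strlen(copy));
        free(copy);
    }
    return 0;
}
```

Running it shows the quoted loop reaching index SIZE (nine writes into an eight-byte buffer) while the bounded version stops at eight characters and still has room for the terminator; the malloc check is what turns the "malloc fails under process limits" scenario into a clean error return instead of a dereference of 0x0.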
