Vulnerability Development mailing list archives
Re: Administrivia: List Announcement
From: Wojciech Purczynski <cliph () isec pl>
Date: Wed, 14 May 2003 14:12:54 +0200 (CEST)
for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] = p1[i];

Why not NULL terminate buf1? (Again, we're not using it here anyway, but it seems silly not to.)

You missed an off-by-one bug.

free(buf1); free(buf2);

Assume the user makes the malloc fail by setting nasty process limits. Thus buf1 and buf2 don't have SIZE bytes at all, yet we copy into the locations they would be. Voila - overflow. Or, since we're free'ing a memory location that was never malloc'd, it's kind of like a double free bug (though since it was never malloc'd properly in the first place, perhaps it needs a better name.)

In case of malloc failure you'll get NULL-pointer dereference at strncpy() or for-loop. No overflows, no double free bugs at all (assuming you have no memory pages mapped at 0x0 ;) )

Cheers,
wp

--
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
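
Added example, not part of the original message or of vulndev-1.c: the quoted loop bound next to a corrected one, with a guard byte showing the write at index SIZE, and the allocation result checked before any copy. The value of SIZE, the function names and the failing allocator are assumptions made for this illustration.

```c
#include <stdlib.h>
#define SIZE 16      /* constructed value; the page does not state SIZE */
#define CANARY 0x5A  /* guard byte placed just past the SIZE-byte region */

/* Loop bound as quoted in the thread: i <= SIZE permits a write at index
 * SIZE. Callers here pass SIZE + 1 bytes so the demo stays in bounds. */
static size_t copy_quoted(char *dst, const char *src)
{
    size_t i;
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i; /* bytes written */
}

/* Corrected bound: copies at most SIZE - 1 bytes and always terminates. */
static size_t copy_fixed(char *dst, const char *src)
{
    size_t i;
    for (i = 0; i < SIZE - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

typedef void *(*alloc_fn)(size_t);
static void *failing_alloc(size_t n) { (void)n; return NULL; } /* simulated failure */

/* 1: byte past the SIZE-byte region was overwritten, 0: it survived,
 * -1: allocation failed (checked before any write through the pointer). */
static int past_end_written(alloc_fn alloc, int use_fixed, const char *src)
{
    char *buf = alloc(SIZE + 1);
    int hit;
    if (buf == NULL)
        return -1;
    buf[SIZE] = CANARY;
    if (use_fixed) copy_fixed(buf, src); else copy_quoted(buf, src);
    hit = (buf[SIZE] != CANARY);
    free(buf);
    return hit;
}

int main(void)
{
    const char *in = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed input, longer than SIZE */
    return !(past_end_written(malloc, 0, in) == 1 &&
             past_end_written(malloc, 1, in) == 0 &&
             past_end_written(failing_alloc, 0, in) == -1);
}
```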