FW: partial analysis of vulndev-1.c

[Michael Wojcik <Michael.Wojcik () microfocus com>]

[Sent this to the OP rather than the list.  I'm sure there's a compelling
reason for not setting Reply-to to the list, but it's damn annoying all the
same.]

> From: Michael Wojcik 
> Sent: Wednesday, May 14, 2003 10:14 AM
> To: 'David R. Piegdon'
> Subject: RE: partial analysis of vulndev-1.c
>
>
> > From: David R. Piegdon [mailto:fleshyCPU () gmx net] 
> > Sent: Tuesday, May 13, 2003 2:35 PM
>
> > first thing :)
> > as far as i know, in PLAIN C a function call is not allowed
> > during the definition of a variable
> > { char    *buf1 = malloc(SIZE); }
> > but in C++, it is allowed.
>
> It's permitted in C as well, since at least the 1989 ANSI C 
> standard, for variables with automatic storage.  See eg ISO 
> 9899-1990 6.5.7.
>
> > [1]  {  strncpy(buf2, p2, SIZE);  }
> > and
> > [2]  {  for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] 
> > = p1[i];   }
> >
> > it is obvious that [1] will always copy SIZE chars.
>
> Not if strlen(p2) is well-defined and < SIZE.
>
> > 2. a buffer overflow, if strlen(p1) >= SIZE.
> > actually my gcc-compiled version does not catch this one with 
> > a SIGSEGV, but i don't know why.
>
> Don't count on receiving SIGSEGV just because you overrun a 
> buffer.  Typical virtual-memory architecture operates on 
> chunks of memory called "pages"; 4KB is a typical page size.  
> The program won't cause a violation unless it tries to touch 
> a page it doesn't own.  In this case, you overran the buffer, 
> but not far enough to get to a page you hadn't allocated.
>
> Michael Wojcik
> Principal Software Systems Developer, Micro Focus