Vulnerability Development mailing list archives

vulndev-1 and a suggestion about the ensuing discussion


From: "Bernie Cosell" <bernie () fantasyfarm com>
Date: Wed, 14 May 2003 19:59:18 -0400

Let me comment that I see two directions of analysis on the buggy-code 
scraps we might be presented to look at:
  1) understanding _really_ what the problem is, and
  2) investigating how the problem manifests itself in different
      contexts and under different sorts of attacks.

And from our comments, I can also see that we have sort of informally 
divided into those two camps: with some discussing the peculiarities of 
particular library calls while others dove in right away and tried to 
exploit it on various platforms.

I have to confess I'm of the former camp, and with that, I'd like to take 
a step back and ask:  To my view, the *ONLY* problem in that little scrap 
of code is that the 'for' loop clobbered *at*most* one byte, the byte 
following the malloc of buf1 -- because of the off-by-one in the for loop 
end test.  Were there other problems in the code besides that?  [as I 
mentioned, it's been >20yrs since I did much/any C programming so I'm more 
than a bit rusty].

The second aspect is also interesting, but to my view *separate*: if my 
above analysis is correct, then the question is, "how much damage can you 
cause in various operating systems and with particular C compilers if you 
can clobber that one byte off the end of a malloc" [with the answer being 
"a widely variable amount of damage, of course..:o)].  And I realize this 
is a burden [and I'm *NOT* volunteering...:o)] but I think it'd be 
helpful for us all to have a bit of a summary after the dust settles:
    Linux 8.0 w/gcc does THIS
    Windows with Microsoft Visual C++ does THAT
     ...etc...

  /bernie\

-- 
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie () fantasyfarm com     Pearisburg, VA
    -->  Too many people, too few sheep  <--       
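The off-by-one described in the message above, as an added illustration that is not part of the original post or of the vulndev-1 code scrap (which is not reproduced on this page). It assumes the shape of the bug the message describes: a `for` loop whose end test uses `<=` instead of `<`, so the final iteration writes exactly one byte past the end of a `malloc`'d buffer. To keep the demonstration deterministic, the buffer is carved out of a larger arena and the bytes following it are filled with a canary, so the write lands on memory this program owns rather than on real allocator metadata; the count of overwritten canary bytes shows how far the loop actually runs past the end. The buffer size, canary value and function names are the example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the buffer "buf1" and of the canary region placed right after it.
 * Both values are arbitrary choices for this demonstration. */
#define LEN        16
#define SLACK       8
#define CANARY   0xA5

/* Buggy loop: the end test is '<=', so the last iteration writes buf1[len],
 * one byte past the end of the allocation. */
static void fill_buggy(unsigned char *buf1, size_t len, unsigned char c) {
    for (size_t i = 0; i <= len; i++)   /* off-by-one */
        buf1[i] = c;
}

/* Fixed loop: '<' keeps every write inside buf1[0..len-1]. */
static void fill_fixed(unsigned char *buf1, size_t len, unsigned char c) {
    for (size_t i = 0; i < len; i++)
        buf1[i] = c;
}

/* Runs one of the fill routines against a LEN-byte buffer that is followed
 * by SLACK canary bytes, and returns how many canary bytes were overwritten.
 * In a real program the bytes after buf1 would belong to the allocator
 * (padding, chunk header, or the next allocation); here they are part of
 * the same arena so the check is well-defined on every platform.
 * Returns -1 if the arena could not be allocated. */
static int count_clobbered(void (*fill)(unsigned char *, size_t, unsigned char)) {
    unsigned char *arena = malloc(LEN + SLACK);
    if (!arena)
        return -1;

    memset(arena + LEN, CANARY, SLACK);     /* canary after buf1 */
    fill(arena, LEN, 'A');                  /* arena[0..LEN-1] plays buf1 */

    int clobbered = 0;
    for (size_t i = LEN; i < LEN + SLACK; i++)
        if (arena[i] != CANARY)
            clobbered++;

    free(arena);
    return clobbered;
}

int main(void) {
    printf("buggy loop: %d byte(s) written past the end of buf1\n",
           count_clobbered(fill_buggy));
    printf("fixed loop: %d byte(s) written past the end of buf1\n",
           count_clobbered(fill_fixed));
    return 0;
}
```

The canary count confirms the analysis in the message: the buggy loop overwrites exactly one byte beyond the allocation and the corrected loop none. What that single byte hits in a real program is allocator-specific, which is the second question the message raises. On glibc, for instance, a request is rounded up to the chunk size, so the byte after the requested length may fall into unused slack with no visible effect, or, when the request is already chunk-aligned, onto the low byte of the next chunk's size field, where a later `free` or `malloc` may notice the corruption or misbehave. Other allocators and compilers lay memory out differently, which is why the same one-byte bug produces anything from nothing to a crash.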