Re: TOG and xterm problem

From: Valdis.Kletnieksat_private
Date: Mon May 04 1998 - 07:31:04 PDT


    On Mon, 04 May 1998 11:06:05 +0200, you said:
    > xc/programs/xterm/charproc.c:
    > * HandleKeymapChange():
    >
    >     (void) sprintf( mapName, "%sKeymap", params[0] );
    >     (void) strcpy( mapClass, mapName );
    >
    > (actually, the second command is mostly harmless because the size of
    > mapName and mapClass is the same)
    
    Actually, not necessarily.  It's "mostly harmless" if in addition to the
    sizes being the same, you can "prove" in the program-correctness sense
    that the source will be null-terminated at the appropriate place.
    
    Think. If they just overflowed mapName via sprintf, then they can ALSO
    overflow mapClass.  And it's quite possible that mapClass is the array
    that you need to overflow to create the exploit (mapName possibly being
    at an inconvenient location in memory...)
    
    This of course is just a "general guideline" - an actual examination of
    the source is required.  I'm just pointing out that "they're the same size"
    is not always enough....
    --
                                    Valdis Kletnieks
                                    Computer Systems Senior Engineer
                                    Virginia Tech
    



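The point of the reply above is that a bounded-size second buffer is only safe if the first buffer is known to be NUL-terminated, and an unbounded sprintf gives no such guarantee. The following is an added example, not xterm's code and not from the poster: a bounded replacement for the two calls, written from the defender's side. MAP_NAME_LEN, build_keymap_names and the two check helpers are hypothetical names chosen for this illustration; the real xterm buffer sizes are not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for illustration only; the page does not state
 * the real sizes of mapName and mapClass in xterm. */
#define MAP_NAME_LEN 32

/* Build "<param>Keymap" into mapName and copy it to mapClass.  Both
 * destinations are assumed to hold at least `cap` bytes.  Returns 0 on
 * success and -1 if the result (including the terminating NUL) would not
 * fit; in that case both buffers are left as empty strings rather than
 * half-written. */
int build_keymap_names(const char *param, char *mapName, char *mapClass, size_t cap)
{
    if (param == NULL || mapName == NULL || mapClass == NULL || cap == 0)
        return -1;

    /* snprintf returns the length the full string would need, so a value
     * >= cap means the output was truncated (and thus would have overflowed
     * a plain sprintf). */
    int needed = snprintf(mapName, cap, "%sKeymap", param);
    if (needed < 0 || (size_t)needed >= cap) {
        mapName[0] = '\0';
        mapClass[0] = '\0';
        return -1;
    }

    /* mapName is now guaranteed NUL-terminated within cap bytes, so the copy
     * is bounded by construction; copying exactly needed+1 bytes makes that
     * explicit instead of relying on strcpy finding a terminator. */
    memcpy(mapClass, mapName, (size_t)needed + 1);
    return 0;
}

/* Check helper: returns 1 if both buffers end up holding `expected`. */
int keymap_name_matches(const char *param, size_t cap, const char *expected)
{
    char mapName[MAP_NAME_LEN], mapClass[MAP_NAME_LEN];
    if (cap > sizeof mapName)
        return 0;
    if (build_keymap_names(param, mapName, mapClass, cap) != 0)
        return 0;
    return strcmp(mapName, expected) == 0 && strcmp(mapClass, expected) == 0;
}

/* Check helper: returns 1 if the input is refused because it would not fit. */
int keymap_name_rejected(const char *param, size_t cap)
{
    char mapName[MAP_NAME_LEN], mapClass[MAP_NAME_LEN];
    if (cap > sizeof mapName)
        return 0;
    return build_keymap_names(param, mapName, mapClass, cap) == -1;
}

int main(void)
{
    /* Constructed inputs: one that fits, one 40-character parameter that
     * cannot fit in 32 bytes once "Keymap" is appended. */
    printf("short param accepted: %d\n",
           keymap_name_matches("vt100", MAP_NAME_LEN, "vt100Keymap"));
    printf("long param rejected:  %d\n",
           keymap_name_rejected("0123456789012345678901234567890123456789",
                                MAP_NAME_LEN));
    return 0;
}
```

The design choice is to treat truncation as an error rather than silently shortening the name: a keymap name that was cut short would be looked up as a different resource, so rejecting the input is the safer failure mode, and the bounded copy no longer depends on the first buffer's contents at all.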
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:52:09 PDT