On Fri, 6 Nov 1998, Jochen Thomas Bauer wrote: > The local variable "char *home", that will be filled with a pointer to a string > containing the path to the user's home directory, is declared right after the > local varibale "char buf[121]", so this pointer will be located right above the > space left for "char buf[121]" on the stack (remember, the stack grows to You've made a pretty bold assumption here on what order the compiler will decide the local variables should live on the stack. In particular, any optimization options passed to gcc will often rearrange the positions of the automatic variables. At any rate, this was pointed out in a Bugtraq posting from gutat_private dated May 31st, 1998: http://geek-girl.com/bugtraq/1998_2/0446.html > cr = strlen(buf) - 1; > if (buf[cr] == '\n') { > buf[cr] = '\0'; > } > So buf[-1] must have a value of buf[-1]=10 in order to get overwritten by NULL. Wrong. Look further down the code; there is another buf[cr] = '\0'; statement that most certainly will be executed regardless. > The pointer "char *home" has at this point already been used to construct the > full path to the .plan, .signature or .xlocktext file, and the result has already > been written to a buffer pointed to by "char *buffer". And if the author adds code at a later time which uses the *home pointer, he may have blindly created a way to modify data at God-knows-where in memory. > So, IMHO, there is no security hole created by this bug. Either way, this really isn't an issue. One bug might not look harmful, but often multiple bugs together can be. Programming flaws appearing innocent now may turn out to help create gaping security holes later. . _ _ _ _ . . _ _ . . _ _ _ . . : |-||-||<|_||\| |_|-||\/||-'|->|_-|_|_ DalTech, Halifax, NS, Canada `---------------------------------------- [http://www.biodome.org/~fx] -
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:21 PDT