<snip snip> The most common way of passing parameters in ActiveX controls is through BSTRs, which include the size of the string in their first character. There's no way to overflow a BSTR. The buffer overflows you discovered arise from a situation where the programmer extracted the buffer from the BSTR, and put it into a simple character array of the form: char[256], without bothering to check if the fixed size of the character array is large enough to hold the string. The COM architecture has nothing to do with this buffer overflow (on the contrary: it makes it very difficult for programmers to create buffer overflows. But I guess some are talented enough to bypass this difficulty ;-) ) ------------------------- Aviram Jenik As my understanding goes, a BSTR is simply a 32bit pointer to a character array? The pointer points to the character array, in which the character array holds the length and the string it self. Sure using COM wrappers in may not be able to perform a buffer overflow. But what happens if you could set the pointer to write to the beginning of the array and change the size. That way when you perform a BSTR or _bstr_t method on the object, you could in theory create a buffer overflow problem. It's just that COM wraps all the pointer stuff and just lets us get on with the more interesting stuff, I am sure that a buffer overflow could occur, whether it could be used for a breech of security is something that may need further research in to. What COM does is hide the intrinsic nature of pointers for strings. So not using them, obviously can "prevent" an overflow. However, I would not bet my last i386 processor on it! Richard Scott (I.S.) E-Commerce Team *Tel: 001-(612)-995-5432 * Fax: 001-(612)-947-2005 * Best Buy World Headquarters 7075 Flying Cloud Drive Eden Prairie, MN 55344 USA This '|' is not a pipe
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:50 PDT