> On Mon, 2002-11-18 at 17:10, Andrew Griffiths wrote:
>
>> Another thing to use is consistency, for example,
>>
>> char dst[50];
>> strncpy(dst, user_supplied_data, sizeof(dst));
>> strncat(dst, sizeof(dst) - strlen(dst) -1, moreuserdata);
>>
>> This could be exploitable if user_supplied_data is 50 or more bytes long.
>>
>> In specific,
>>
>> 50 - 50 - 1 == -1
>
> If sizeof(dst) is 50, then a 0 terminated string is 49 chars long
> (len(dst) is 49). That means we've got 50-49-1 = 0 which is correct as
> there is no room left in dst.

"strncpy" doesn't NUL terminate, so the strlen() in the above code can return any value, including values *over* 50. Since the "n" argument to strncat (which, incidentally, is the 3rd, not 2nd argument), is unsigned, that would mean unlimited copying.

> Of course in your example you allow dst to overflow in the strncpy.
> Using
>     strncpy(dst, user_supplied_data, sizeof(dst)-1);
> would have prevented that if my math is correct.

As long as you NUL terminated the string.

Casper
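The fix Casper is driving at, written out as an added example (not code from anyone in the thread): copy with sizeof(dst)-1, terminate explicitly, and only then compute the room left for strncat, so the subtraction can never go negative and wrap in size_t. Function names and the overlong sample input are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hardened form of the strncpy/strncat pattern discussed in the thread.
 * Copies `first` into dst, guarantees NUL termination, then appends as much
 * of `second` as fits. Returns the number of input bytes that were dropped. */
size_t copy_then_append(char *dst, size_t dstsz, const char *first, const char *second)
{
    size_t used, room;

    if (dstsz == 0)
        return strlen(first) + strlen(second);

    /* strncpy pads but never terminates when first is >= dstsz bytes,
     * so reserve the last byte and terminate explicitly. */
    strncpy(dst, first, dstsz - 1);
    dst[dstsz - 1] = '\0';

    /* strlen(dst) is now at most dstsz - 1, so this cannot wrap. */
    used = strlen(dst);
    room = dstsz - 1 - used;
    strncat(dst, second, room);   /* strncat always writes a terminator */

    return (strlen(first) + strlen(second)) - strlen(dst);
}

/* The thread's subtraction evaluated the way strncat's size_t parameter sees
 * it: once len reaches dstsz - 1 the "negative" result wraps to SIZE_MAX. */
size_t naive_room(size_t dstsz, size_t len)
{
    return dstsz - len - 1;
}

int main(void)
{
    char dst[50];
    char sixty[61];                       /* constructed 60-byte input */
    memset(sixty, 'A', 60);
    sixty[60] = '\0';

    size_t dropped = copy_then_append(dst, sizeof dst, sixty, "tail");
    printf("kept %zu bytes, dropped %zu\n", strlen(dst), dropped);
    printf("naive_room(50, 50) = %zu (wrapped)\n", naive_room(50, 50));
    return 0;
}
```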
This archive was generated by hypermail 2b30 : Sun Mar 23 2003 - 08:37:33 PST