True, and a very good point. Need to manually add a NULL as the last character for both buffers. In fact, will the for-loop copy ever NULL terminate the string? Glancing at it again, it doesn't seem so.

~ol

> -----Original Message-----
> From: Shafik Yaghmour [mailto:subsat_private]
> Sent: May 13, 2003 3:22 PM
> To: xenophi1e
> Cc: vuln-devat_private
> Subject: Re: Administrivia: List Announcement
>
>
> On 13 May 2003, xenophi1e wrote:
>
> > >We'll kick this off with the first challenge, which was devised by
> > >Aaron
> > >Adams:
> > >
> > > strncpy(buf2, p2, SIZE);
> >
> > Off-by-one. Third arg should be SIZE-1 to leave room for the
> > terminating
> > NULL. This error should lead to a heap-based vulnerability when the
> > memory is free()d.
>
> You are assuming there is a terminating NULL, there may not be.
> Although in this example it does not make a difference, in a real-world
> program it would probably be bad.
>
> Take care
>
> --
> Those who dream by day are cognizant of many things which
> escape those who dream only by night. -Edgar Allan Poe
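An added example, not from the thread or the challenge code, showing the two points made above: strncpy() with the full buffer size leaves no terminator once the source is SIZE bytes or longer, and the fix is to copy at most SIZE-1 bytes and write the NULL yourself. The names (has_nul, safe_copy, the SIZE of 8 and the sample strings) are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define SIZE 8  /* constructed buffer size for the demonstration */

/* Returns 1 if buf[0..n-1] contains a NULL byte, 0 if it does not. */
static int has_nul(const char *buf, size_t n) {
    return memchr(buf, '\0', n) != NULL;
}

/* The pattern quoted in the thread: strncpy(buf, src, SIZE) into a
 * SIZE-byte buffer. strncpy() only writes a NULL when strlen(src) < SIZE,
 * so a source of SIZE or more bytes leaves buf unterminated. */
static int naive_copy_terminated(const char *src) {
    char buf[SIZE];
    memset(buf, 'A', sizeof buf);  /* stand-in for stale memory contents */
    strncpy(buf, src, SIZE);
    return has_nul(buf, SIZE);
}

/* Hardened form: copy at most dst_size-1 bytes, then terminate manually.
 * This also covers a source that has no NULL at all, because strncpy()
 * never reads more than dst_size-1 bytes from it. */
static void safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
}

static int safe_copy_terminated(const char *src) {
    char buf[SIZE];
    memset(buf, 'A', sizeof buf);
    safe_copy(buf, sizeof buf, src);
    return has_nul(buf, SIZE);
}

/* Length of the string left in the buffer after safe_copy(), to show truncation. */
static size_t safe_copy_len(const char *src) {
    char buf[SIZE];
    safe_copy(buf, sizeof buf, src);
    return strlen(buf);
}

int main(void) {
    const char *exact = "01234567";  /* constructed: exactly SIZE bytes */
    printf("strncpy with SIZE, %zu-byte source, terminated: %d\n",
           strlen(exact), naive_copy_terminated(exact));
    printf("safe_copy, terminated: %d, length: %zu\n",
           safe_copy_terminated(exact), safe_copy_len(exact));
    return 0;
}
```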
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 15:18:49 PDT