('binary' encoding is not supported, stored as-is) In-Reply-To: <Pine.LNX.4.55.0305131019280.11354at_private> This is a very good idea. This mailinglist is a good resource, but it could be a little more 'fun'... I'll take a whack. > >We'll kick this off with the first challenge, which was devised by Aaron >Adams: > > strncpy(buf2, p2, SIZE); Off-by-one. Third arg should be SIZE-1 to leave room for the terminating NULL. This error should lead to a heap based vulnerability when the memory is free()d. > for (i = 0; i <= SIZE && p1[i] != '\0'; i++) Condition should be < SIZE. <= SIZE leads to the same vuln as above. This is also a shabby way to copy a string on architectures with a bigger word size than 8bits. The number of ops can be reduced by copying through a 32bit register and then using 8bits for the remaining < 4 bytes. Cheers, ~ol
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 12:29:42 PDT