On Tuesday, May 13, 2003, at 12:25 PM, Dave McKinney wrote:

> We'll kick this off with the first challenge, which was devised by
> Aaron Adams:
>
> // vulndev-1.c
> // vuln-dev mailing list security challenge #1
> // by Aaron Adams <aadamsat_private>
> // Spot the error in this program.
>
> #include <stdio.h>
> #include <stdlib.h>
>
> #define SIZE 252
>
> int
> main(int argc, char *argv[])
> {
>         int i;
>         char *p1, *p2;
>         char *buf1 = malloc(SIZE);
>         char *buf2 = malloc(SIZE);
>
>         if (argc != 3)
>                 exit(1);
>
>         p1 = argv[1], p2 = argv[2];
>         strncpy(buf2, p2, SIZE);
>         for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
>                 buf1[i] = p1[i];
>
>         free(buf1);
>         free(buf2);
>
>         return 0;
> }

I'll start by saying that I like this idea... it'll give me a chance to
brush up on my skills in this area.

Now, the only error I see in this program is that the for() loop checks
for i <= SIZE rather than i < SIZE. However, this doesn't seem to
affect much... when I run the compiled program on my OS X machine with
these args:

    ./vuln `perl -e 'print "a" x 2000'` `perl -e 'print "b" x 2000'`

It exits cleanly. I imagine that it might overwrite a byte somewhere,
but it's not really doing much for me.

Thanks, and great idea,
David
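
Added example, not part of the original post or the challenge: a small harness that runs the challenge's copy loop and a corrected one against a SIZE-byte region followed by marker bytes, and counts how many bytes past the region get written. The GUARD and CANARY values, the helper names and the generated input are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define SIZE   252   /* same constant as vulndev-1.c */
#define GUARD  16    /* constructed: slack so the stray write stays in our array */
#define CANARY 0x5A  /* constructed marker value */

/* The challenge's copy loop, bound unchanged (<=). */
static void copy_challenge(char *dst, const char *src)
{
    int i;
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)
        dst[i] = src[i];
}

/* Corrected bound: only indices 0..SIZE-1 are written. */
static void copy_fixed(char *dst, const char *src)
{
    int i;
    for (i = 0; i < SIZE && src[i] != '\0'; i++)
        dst[i] = src[i];
}

/* Copy input_len 'a' bytes into a SIZE-byte region followed by canaries;
 * return how many canary bytes past the region were changed. */
static int bytes_past_end(void (*copy)(char *, const char *), size_t input_len)
{
    static char src[4096];
    char region[SIZE + GUARD];
    int i, clobbered = 0;
    if (input_len >= sizeof src) input_len = sizeof src - 1;
    memset(src, 'a', input_len);
    src[input_len] = '\0';
    memset(region, CANARY, sizeof region);
    copy(region, src);
    for (i = SIZE; i < SIZE + GUARD; i++)
        clobbered += ((unsigned char)region[i] != CANARY);
    return clobbered;
}

int overrun_challenge(size_t n) { return bytes_past_end(copy_challenge, n); }
int overrun_fixed(size_t n)     { return bytes_past_end(copy_fixed, n); }

int main(void)
{
    printf("challenge loop, 2000-byte arg: %d byte(s) past the buffer\n", overrun_challenge(2000));
    printf("fixed loop,     2000-byte arg: %d byte(s) past the buffer\n", overrun_fixed(2000));
    return 0;
}
```

Whether that one byte lands in allocator slack or in adjacent data depends on the malloc implementation, which this harness does not model.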