On 13 May 2003 at 10:25, Dave McKinney wrote: > ... The basic idea is that people are presented with a > fabricated program that may have an exploitable security issue and then as > a group, we can discuss where the problem exists and what the nature of > the problem is, possibly even developing a proof-of-concept to establish > whether or not the issue is exploitable. > We'll kick this off with the first challenge, which was devised by Aaron > Adams: I have to confess that I've not done hardly any C programming in a LOT of years, but there's at least one obvious problem in this little program: > char *buf1 = malloc(SIZE); > > for (i = 0; i <= SIZE && p1[i] != '\0'; i++) ^^^^^^^^^ > buf1[i] = p1[i]; that's clearly off by one and so the loop will run at least one char past the end of buf1, clobbering one byte beyond the end of the chunk of space that got malloc'ed for buf1. What harm that causes is hard to evaluate, though, isn't it? Doesn't it depend a lot on how a particular C compiler lays things out and how the libraries (in particular, malloc) work and what else the program has been doing? /Bernie\ -- Bernie Cosell Fantasy Farm Fibers mailto:bernieat_private Pearisburg, VA --> Too many people, too few sheep <--
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 15:16:06 PDT