If I supply an argv[1] of > 252 bytes, then byte 253 may (depending on many factors) overwrite the first byte of buf2. This is going to be (I think) part of the size of the malloc'd buf2. What interesting things can happen when you then free() an incorrectly-sized buf2 (or otherwise operate on buf2 if this were a real program) is something I am anxious to learn from others on this list! Cameron -----Original Message----- From: Dave McKinney [mailto:dmat_private] Sent: Tuesday, May 13, 2003 9:25 AM To: vuln-devat_private Subject: Administrivia: List Announcement We'll kick this off with the first challenge, which was devised by Aaron Adams: // vulndev-1.c // vuln-dev mailing list security challenge #1 // by Aaron Adams <aadamsat_private> // Spot the error in this program. #include <stdio.h> #include <stdlib.h> #define SIZE 252 int main(int argc, char *argv[]) { int i; char *p1, *p2; char *buf1 = malloc(SIZE); char *buf2 = malloc(SIZE); if (argc != 3) exit(1); p1 = argv[1], p2 = argv[2]; strncpy(buf2, p2, SIZE); for (i = 0; i <= SIZE && p1[i] != '\0'; i++) buf1[i] = p1[i]; free(buf1); free(buf2); return 0; } Dave McKinney Symantec keyID: BF919DD7 key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 15:43:29 PDT