> > for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
> >         buf1[i] = p1[i];
>
> Why not NULL terminate buf1?
> (Again, we're not using it here anyway, but it seems silly not to.)

You missed an off-by-one bug.

> > free(buf1);
> > free(buf2);
>
> Assume the user makes the malloc fail by setting nasty process limits.
> Thus buf1 and buf2 don't have SIZE bytes at all, yet we copy into
> the locations they would be. Voila - overflow.
>
> Or, since we're free'ing a memory location that was never malloc'd,
> it's kind of like a double free bug (though since it was never malloc'd
> properly in the first place, perhaps it needs a better name.)

In case of malloc failure you'll get a NULL-pointer dereference at strncpy() or in the for-loop. No overflows, no double free bugs at all (assuming you have no memory pages mapped at 0x0 ;) )

Cheers,
wp

-- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
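The two points in the exchange above (the `i <= SIZE` loop storing one byte past a SIZE-byte buffer and never writing a terminator, and the unchecked malloc result leading to a NULL dereference rather than an overflow) can be shown side by side. The following is an added example, not code from the thread: it counts how many stores the quoted loop performs for a given input without doing them, and contrasts it with a bounded copy that checks the allocation and always NUL-terminates. The value of SIZE and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 16   /* assumed buffer size; the thread does not state it */

/* Count how many bytes the quoted loop would store into buf1 for a given
 * source string, without performing the stores. The condition `i <= SIZE`
 * admits index SIZE, so any source with at least SIZE + 1 non-NUL
 * characters causes SIZE + 1 stores into a SIZE-byte buffer, and the loop
 * never writes a terminating NUL on any path. */
size_t original_loop_store_count(const char *p1, size_t size) {
    size_t i;
    for (i = 0; i <= size && p1[i] != '\0'; i++)
        ; /* count only: the real loop does buf1[i] = p1[i] here */
    return i;
}

/* Bounded copy: never writes past dst[dst_size - 1] and always
 * NUL-terminates. Returns the number of characters copied (excluding the
 * terminator), or -1 if dst is NULL or dst_size is 0. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t i;
    if (dst == NULL || dst_size == 0)
        return -1;
    for (i = 0; i + 1 < dst_size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return (int)i;
}

/* Allocate and copy with the malloc result checked first. As the reply
 * notes, an unchecked NULL here is dereferenced by strncpy() or the loop;
 * checking it turns that crash into a reported failure. */
char *copy_to_new_buffer(const char *src, size_t size) {
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    bounded_copy(buf, size, src);
    return buf;
}

/* Run the checked path end to end and report the stored string length
 * (which is also proof the terminator is present), or -1 on allocation
 * failure. */
int checked_copy_length(const char *src, size_t size) {
    char *buf = copy_to_new_buffer(src, size);
    int len;
    if (buf == NULL)
        return -1;
    len = (int)strlen(buf);
    free(buf);   /* free() of a valid pointer only; free(NULL) is also legal */
    return len;
}

int main(void) {
    /* constructed inputs: one longer than SIZE, one shorter */
    const char *longer = "AAAAAAAAAAAAAAAAAAAA";   /* 20 characters */
    const char *shorter = "hello";
    printf("quoted loop stores %zu bytes into a %d-byte buffer\n",
           original_loop_store_count(longer, SIZE), SIZE);
    printf("bounded copy keeps %d characters plus the terminator\n",
           checked_copy_length(longer, SIZE));
    printf("short input copies %d characters\n",
           checked_copy_length(shorter, SIZE));
    return 0;
}
```

With a 20-character input the counting routine reports 17 stores for a 16-byte buffer, which is the off-by-one; the bounded version keeps 15 characters and reserves the last byte for the NUL, so callers can still detect truncation by comparing the return value with `dst_size - 1`.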
This archive was generated by hypermail 2b30 : Wed May 14 2003 - 08:31:52 PDT