Let me comment that I see two directions of analysis on the buggy-code scraps we might be presented to look at: 1) understanding _really_ what the problem is, and 2) investigating how the problem manifests itself in different contexts and under different sorts of attacks. And from our comments, I can also see that we have sort of informally divided into those two camps: with some discussing the peculiarities of particular library calls while others dove in right away and tried to exploit it on various platforms.

I have to confess I'm of the former camp, and with that, I'd like to take a step back and ask: To my view, the *ONLY* problem in that little scrap of code is that the 'for' loop clobbered *at most* one byte, the byte following the malloc of buf1 -- because of the off-by-one in the for loop end test. Were there other problems in the code besides that? [As I mentioned, it's been >20yrs since I did much/any C programming, so I'm more than a bit rusty.]

The second aspect is also interesting, but to my view *separate*: if my above analysis is correct, then the question is, "how much damage can you cause in various operating systems and with particular C compilers if you can clobber that one byte off the end of a malloc" [with the answer being "a widely variable amount of damage, of course..:o)"].

And I realize this is a burden [and I'm *NOT* volunteering...:o)] but I think it'd be helpful for us all to have a bit of a summary after the dust settles:

    Linux 8.0 w/gcc does THIS
    Windows with Microsoft Visual C++ does THAT
    ...etc...

  /bernie\
-- 
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernieat_private           Pearisburg, VA
    -->  Too many people, too few sheep  <--
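The off-by-one described in the post, shown as an added example (constructed here, not the code scrap under discussion): a loop whose end test uses <= writes exactly one byte past its len-byte buffer, and a sentinel byte placed right after the buffer makes that single-byte clobber observable without corrupting anything else. The LEN, SENTINEL and function names are assumptions for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a buffer of LEN bytes followed by one sentinel byte,
 * so a write one past the end shows up as a changed sentinel. */
#define LEN 16
#define SENTINEL 0xA5

/* The buggy loop as the post describes it: the end test uses <= instead of <,
 * so the final iteration writes buf[len], the byte just past the buffer. */
static void fill_buggy(unsigned char *buf, size_t len) {
    size_t i;
    for (i = 0; i <= len; i++)
        buf[i] = 'A';
}

/* Corrected loop: a strict < keeps every write inside the buffer. */
static void fill_fixed(unsigned char *buf, size_t len) {
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] = 'A';
}

/* Runs a fill routine against a len-byte buffer that is followed by a
 * sentinel byte and returns how many bytes past len were touched (0 or 1).
 * The allocation is len + 1 so the sentinel slot is real memory and the
 * buggy write lands on it rather than on heap metadata. Returns -1 on
 * allocation failure. */
static int bytes_clobbered(void (*fill)(unsigned char *, size_t), size_t len) {
    unsigned char *block = malloc(len + 1);
    int clobbered;
    if (block == NULL)
        return -1;
    block[len] = SENTINEL;
    fill(block, len);
    clobbered = (block[len] != SENTINEL);
    free(block);
    return clobbered;
}

int main(void) {
    printf("buggy loop clobbers %d byte(s) past the end\n",
           bytes_clobbered(fill_buggy, LEN));
    printf("fixed loop clobbers %d byte(s) past the end\n",
           bytes_clobbered(fill_fixed, LEN));
    return 0;
}
```

In real code there is no sentinel slot; the clobbered byte belongs to whatever the allocator placed next, which is why the post's second question (what that one byte sits in front of on a given platform) is the interesting one.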
This archive was generated by hypermail 2b30 : Thu May 15 2003 - 23:47:14 PDT