vulndev-1 and a suggestion about the ensuing discussion

From: Bernie Cosell (bernieat_private)
Date: Wed May 14 2003 - 16:59:18 PDT


    Let me comment that I see two directions of analysis on the buggy-code-
    scraps we might be presented to look at:
      1) understanding _really_ what the problem is, and
      2) investigating how the problem manifests itself in different
          contexts and under different sorts of attacks.
    
    And from our comments, I can also see that we have sort of informally 
    divided into those two camps: with some discussing the peculiarities of 
    particular library calls while others dove in right away and tried to 
    exploit it on various platforms.
    
    I have to confess I'm of the former camp, and with that, I'd like to take 
    a step back and ask:  To my view, the *ONLY* problem in that little scrap 
    of code is that the 'for' loop clobbered *at*most* one byte, the byte 
    following the malloc of buf1 -- because of the off-by-one in the for loop 
    end test.  Were there other problems in the code besides that?  [as I 
    mentioned, it's been >20yrs since I did much/any C programming so I'm more 
    than a bit rusty].
    
    The second aspect is also interesting, but to my view *separate*: if my 
    above analysis is correct, then the question is, "how much damage can you 
    cause in various operating systems and with particular C compilers if you 
    can clobber that one byte off the end of a malloc" [with the answer being 
    "a widely variable amount of damage, of course..:o)].  And I realize this 
    is a burden [and I'm *NOT* volunteering...:o)] but I think it'd be 
    helpful for us all to have a bit of a summary after the dust settles:
        Linux 8.0 w/gcc does THIS
        Windows with Microsoft Visual C++ does THAT
         ...etc...
    
      /bernie\
    
    -- 
    Bernie Cosell                     Fantasy Farm Fibers
    mailto:bernieat_private     Pearisburg, VA
        -->  Too many people, too few sheep  <--       
    
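The off-by-one Bernie describes, as an added example that is not the vulndev-1 scrap itself: a constructed for loop whose `<=` end test stores one byte past a malloc'd `buf1`, beside the corrected loop, plus a canary harness that reports whether the byte after the buffer was clobbered. The function names (`copy_off_by_one`, `copy_fixed`, `canary_clobbered`) and the buffer layout are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xAA   /* sentinel planted just past the intended buffer */

typedef void (*copy_fn)(unsigned char *buf1, const unsigned char *src, size_t len);

/* Buggy copy (constructed, not the vulndev-1 code): the end test is `<=`,
 * so the last iteration stores to buf1[len], one byte past the len bytes
 * the caller allocated for it. That single byte is the whole defect. */
static void copy_off_by_one(unsigned char *buf1, const unsigned char *src, size_t len)
{
    for (size_t i = 0; i <= len; i++)   /* BUG: should be i < len */
        buf1[i] = src[i];
}

/* Corrected copy: iterates exactly len times and never touches buf1[len]. */
static void copy_fixed(unsigned char *buf1, const unsigned char *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf1[i] = src[i];
}

/* Harness: allocates len + 1 bytes so the extra store stays inside the
 * allocation (no undefined behaviour in the demo), plants a canary at
 * buf1[len], runs the copy, and returns 1 if the canary was overwritten,
 * 0 if it survived, -1 on allocation failure. */
static int canary_clobbered(copy_fn fn, size_t len)
{
    unsigned char *buf1 = malloc(len + 1);
    unsigned char *src = malloc(len + 1);
    int clobbered = -1;
    if (buf1 && src) {
        memset(src, 'A', len + 1);   /* source bytes, never equal to CANARY */
        buf1[len] = CANARY;
        fn(buf1, src, len);
        clobbered = (buf1[len] != CANARY);
    }
    free(buf1);
    free(src);
    return clobbered;
}

int main(void)
{
    printf("off-by-one loop clobbers byte past buf1: %d\n", canary_clobbered(copy_off_by_one, 16));
    printf("fixed loop clobbers byte past buf1:      %d\n", canary_clobbered(copy_fixed, 16));
    return 0;
}
```

Building with `-fsanitize=address` and dropping the `+ 1` slack in the harness makes AddressSanitizer report the buggy store as a heap-buffer-overflow at the exact line, which is the quickest way to confirm that the loop end test is the only out-of-bounds write.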



    This archive was generated by hypermail 2b30 : Thu May 15 2003 - 23:47:14 PDT