On Tue, 13 May 2003 15:11:05 EDT, Bernie Cosell <bernieat_private> said:

> that's clearly off by one and so the loop will run at least one char past
> the end of buf1, clobbering one byte beyond the end of the chunk of space
> that got malloc'ed for buf1.
>
> What harm that causes is hard to evaluate, though, isn't it? Doesn't it
> depend a lot on how a particular C compiler lays things out and how the
> libraries (in particular, malloc) work and what else the program has been
> doing?

Amazingly enough, the hole in XNTPD a while back was just this - a one byte
overflow. It was possible to leverage that into a complete remote exploit.
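The loop shape under discussion, as an added example that is not code from either poster: a chunk sized with malloc(strlen(s)) and a copy loop bounded by "i <= len" writes the terminating NUL one byte past the end of the chunk. Really overflowing a malloc'ed chunk is undefined behaviour and what it hits depends on the allocator, so the example instead places the destination inside a slightly larger region and puts a canary byte right after it; that canary stands in for the allocator metadata or neighbouring chunk a real one-byte overflow would clobber. The helper names (run_copy, copy_off_by_one, copy_fixed) and the canary value are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: models a one-byte heap overflow without invoking
 * undefined behaviour.  CANARY is an arbitrary marker value chosen
 * for this example. */
#define CANARY 0xAA

/* Run a copy loop into a "chunk" of `chunk` bytes that is followed by
 * one canary byte.  `limit` is how many bytes the loop writes, i.e.
 * the loop bound the caller chose.  Returns 1 if the canary (the byte
 * just past the chunk) was overwritten, 0 if it survived, -1 on OOM. */
static int run_copy(const char *src, size_t chunk, size_t limit)
{
    unsigned char *region = malloc(chunk + 1);   /* chunk + canary */
    if (!region)
        return -1;
    region[chunk] = CANARY;          /* stands in for the next chunk */
    char *buf1 = (char *)region;

    for (size_t i = 0; i < limit; i++)
        buf1[i] = src[i];            /* src[len] is the NUL, a legal read */

    int clobbered = region[chunk] != CANARY;
    free(region);
    return clobbered;
}

/* The buggy pattern: the chunk is sized strlen(src) and the loop runs
 * one iteration too many (the "<=" bug), so buf1[len] is written even
 * though the chunk only has indices 0..len-1.  The byte that lands
 * past the end is the NUL terminator: a single zero-byte overwrite. */
int copy_off_by_one(const char *src)
{
    size_t len = strlen(src);
    return run_copy(src, len, len + 1);
}

/* The fix: size the chunk for the terminator and bound the loop by
 * that size, so the last write is buf1[len] inside the chunk. */
int copy_fixed(const char *src)
{
    size_t len = strlen(src);
    return run_copy(src, len + 1, len + 1);
}

int main(void)
{
    const char *input = "hello";     /* constructed sample input */
    printf("off-by-one loop clobbered byte past chunk: %d\n",
           copy_off_by_one(input));
    printf("fixed loop clobbered byte past chunk:      %d\n",
           copy_fixed(input));
    return 0;
}
```

The canary only makes the overwrite visible; it does not say what the overwrite does in a real program, which is exactly the point in the quoted question. To see the real bug instead of the simulation, drop the extra canary byte from the allocation and build with -fsanitize=address: AddressSanitizer reports a one-byte heap-buffer-overflow write on the "i <= len" loop and nothing on the fixed one.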
This archive was generated by hypermail 2b30 : Fri May 16 2003 - 00:38:23 PDT