Re: Administrivia: List Announcement

From: Valdis.Kletnieksat_private
Date: Wed May 14 2003 - 23:52:03 PDT


    On Tue, 13 May 2003 15:11:05 EDT, Bernie Cosell <bernieat_private>  said:
    
    > that's clearly off by one and so the loop will run at least one char past 
    > the end of buf1, clobbering one byte beyond the end of the chunk of space 
    > that got malloc'ed for buf1.
    > 
    > What harm that causes is hard to evaluate, though, isn't it?  Doesn't it 
    > depend a lot on how a particular C compiler lays things out and how the 
    > libraries (in particular, malloc) work and what else the program has been 
    > doing?
    
    Amazingly enough, the hole in XNTPD a while back was just this - a one byte
    overflow.  It was possible to leverage that into a complete remote exploit.
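
The off-by-one loop discussed in this thread, shown next to a corrected bound, as an added example that is not part of the original post and is not the vulndev1.c source. The loop shape, the function names and the guard value are assumptions. The buffer is backed by one extra guard byte so the stray write is detectable without touching allocator memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define GUARD 0xA5 /* constructed sentinel, differs from any input byte used here */

typedef void (*fill_fn)(char *buf, size_t n, const char *src);

/* Off-by-one: "<=" lets the loop write buf[n], one byte past an n-byte buffer. */
static void fill_off_by_one(char *buf, size_t n, const char *src)
{
    for (size_t i = 0; i <= n && src[i] != '\0'; i++)
        buf[i] = src[i];
}

/* Corrected bound: writes only indices 0..n-1. */
static void fill_bounded(char *buf, size_t n, const char *src)
{
    for (size_t i = 0; i < n && src[i] != '\0'; i++)
        buf[i] = src[i];
}

/* Run `fill` on an n-byte logical buffer backed by n+1 bytes.
 * Returns 1 if the guard byte at index n was overwritten, 0 if it is
 * intact, -1 if the allocation failed. */
static int guard_clobbered(fill_fn fill, size_t n, const char *src)
{
    unsigned char *raw = malloc(n + 1);
    if (raw == NULL)
        return -1;
    raw[n] = GUARD;
    fill((char *)raw, n, src);
    int hit = (raw[n] != GUARD);
    free(raw);
    return hit;
}

int main(void)
{
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 24 chars */
    printf("off-by-one, long input : %d\n", guard_clobbered(fill_off_by_one, 16, too_long));
    printf("off-by-one, short input: %d\n", guard_clobbered(fill_off_by_one, 16, "short"));
    printf("bounded,    long input : %d\n", guard_clobbered(fill_bounded, 16, too_long));
    return 0;
}
```

The short-input case leaves the guard intact, so a test suite that only feeds inputs shorter than the buffer will not catch the bad bound.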
    
    
    


