RE: Administrivia: List Announcement

From: Cameron Brown <cameron(at)greyzone.com>
Date: Tue May 13 2003 - 18:36:39 EDT

If I supply an argv[1] of > 252 bytes, then byte 253 may (depending on many factors) overwrite the first byte of buf2. This is going to be (I think) part of the size of the malloc'd buf2. What interesting things can happen when you then free() an incorrectly-sized buf2 (or otherwise operate on buf2 if this were a real program) is something I am anxious to learn from others on this list!

Cameron

-----Original Message-----
From: Dave McKinney [mailto:dm@securityfocus.com]
Sent: Tuesday, May 13, 2003 9:25 AM
To: vuln-dev@securityfocus.com
Subject: Administrivia: List Announcement

We'll kick this off with the first challenge, which was devised by Aaron Adams:

// vulndev-1.c
// vuln-dev mailing list security challenge #1

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strncpy(); missing from the posted listing */

#define SIZE 252

int
main(int argc, char *argv[])
{

        int     i;
        char    *p1, *p2;
        char    *buf1 = malloc(SIZE);
        char    *buf2 = malloc(SIZE);

        if (argc != 3)
                exit(1);

        p1 = argv[1], p2 = argv[2];
        /* copy argv[2] into buf2, at most SIZE bytes */
        strncpy(buf2, p2, SIZE);
        /* copy argv[1] into buf1 byte by byte */
        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];

        free(buf1);
        free(buf2);

        return 0;

}

Dave McKinney
Symantec

keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7

Received on Tue May 13 18:43:51 2003
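Added example (not part of the original post or the challenge code): a small harness that measures how many bytes the challenge's copy loop writes, next to a corrected loop. Instead of overflowing a heap chunk it copies into a stack array of SIZE + 1 bytes whose last byte is a marker, so the probe is safe to run; the marker slot corresponds to the byte Cameron describes above, the first byte past buf1, which in the real program can land on buf2's malloc metadata. Names (copy_as_posted, copy_fixed, overflows_region, bytes_written) and the 'A'-filled inputs are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE   252      /* same constant as vulndev-1.c */
#define CANARY 0xAA     /* marker placed just past the SIZE-byte region */

typedef size_t (*copy_fn)(unsigned char *dst, const char *src);

/* The copy loop exactly as written in the challenge. The bound is
 * i <= SIZE, so for a long enough input the body runs SIZE + 1 times
 * and the last iteration writes dst[SIZE], one byte past the region. */
static size_t copy_as_posted(unsigned char *dst, const char *src)
{
    size_t i;
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)
        dst[i] = (unsigned char)src[i];
    return i;                          /* bytes written */
}

/* Corrected loop: i < SIZE writes at most SIZE bytes, dst[0..SIZE-1]. */
static size_t copy_fixed(unsigned char *dst, const char *src)
{
    size_t i;
    for (i = 0; i < SIZE && src[i] != '\0'; i++)
        dst[i] = (unsigned char)src[i];
    return i;
}

/* Builds a constructed input of input_len 'A' bytes (NUL-terminated). */
static char *make_input(size_t input_len)
{
    char *input = malloc(input_len + 1);
    if (input == NULL)
        return NULL;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    return input;
}

/* Number of bytes fn writes for an input of input_len bytes.
 * Returns 0 on allocation failure. */
static size_t bytes_written(copy_fn fn, size_t input_len)
{
    unsigned char region[SIZE + 1];
    char *input = make_input(input_len);
    size_t n;
    if (input == NULL)
        return 0;
    n = fn(region, input);
    free(input);
    return n;
}

/* 1 if fn touched the byte immediately after the SIZE-byte region
 * (the slot where buf2's chunk header sits in the real program),
 * 0 if not, -1 on allocation failure. */
static int overflows_region(copy_fn fn, size_t input_len)
{
    unsigned char region[SIZE + 1];
    char *input = make_input(input_len);
    if (input == NULL)
        return -1;
    memset(region, CANARY, sizeof region);
    fn(region, input);
    free(input);
    return region[SIZE] != CANARY;
}

int main(void)
{
    size_t lens[] = { 100, 252, 253, 300 };
    size_t k;
    for (k = 0; k < sizeof lens / sizeof lens[0]; k++) {
        printf("input %3zu bytes: posted loop writes %3zu (past end: %d), "
               "fixed loop writes %3zu (past end: %d)\n",
               lens[k],
               bytes_written(copy_as_posted, lens[k]),
               overflows_region(copy_as_posted, lens[k]),
               bytes_written(copy_fixed, lens[k]),
               overflows_region(copy_fixed, lens[k]));
    }
    return 0;
}
```

Running it shows the boundary exactly: an input of 252 bytes stays inside the region with either loop, while the 253rd byte of a longer input is written by the posted loop only. Neither loop NUL-terminates the destination, which is a separate property of the challenge program and is left unchanged here.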

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT
