Re: Administrivia: List Announcement

From: Benjamin A. Okopnik <ben(at)callahans.org>
Date: Tue May 13 2003 - 23:25:18 EDT

On Tue, May 13, 2003 at 01:36:24PM -0400, David Riley wrote:
> On Tuesday, May 13, 2003, at 12:25 PM, Dave McKinney wrote:

[ snip ]

> I'll start by saying that I like this idea... it'll give me a chance to

It "works" for me on a Debian Linux box:

ben@Fenrir:/tmp$ ./vulndev-1 `perl -we'print "A" x 253'` a
Segmentation fault

Note that it does _not_ crash in the reverse case (large argv[2]), although I'm not sure why. However, this might be indicative (pardon my rusty-as-can-be C skills):


#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define SIZE 252

int
main(int argc, char *argv[])
{
        int     i, l1, l2, s1, s2;
        char    *p1, *p2;
        char    *buf1 = malloc(SIZE);   /* SIZE bytes each, no room for more */
        char    *buf2 = malloc(SIZE);

        if (argc != 3)
                exit(1);

        p1 = argv[1], p2 = argv[2];
        /* strncpy never writes more than SIZE bytes into buf2 (and
         * does not NUL-terminate it when p2 is SIZE bytes or longer) */
        strncpy(buf2, p2, SIZE);
        /* bound is `i <= SIZE`, so a p1 of SIZE+1 or more bytes stores
         * buf1[SIZE], one byte past the SIZE-byte allocation */
        for (i = 0; i <= SIZE && p1[i] != '\0'; i++)
                buf1[i] = p1[i];
        /* strlen() here measures the argv strings themselves, not the
         * copies in buf1/buf2; sizeof() on a char * is the pointer size */
        l1 = strlen(p1);
        s1 = sizeof(p1);
        l2 = strlen(p2);
        s2 = sizeof(p2);

        free(buf1);
        free(buf2);

        printf("strlen1: %i sizeof1: %i\n", l1, s1);
        printf("strlen2: %i sizeof2: %i\n", l2, s2);

        return 0;
}

Now, note the output of this:

ben@Fenrir:/tmp/vuln-dev$ ./tst `perl -we'print "A" x 252'` a
strlen1: 252 sizeof1: 4
strlen2: 1 sizeof2: 4
ben@Fenrir:/tmp/vuln-dev$ ./tst `perl -we'print "A" x 253'` a
Segmentation fault
ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 253'`
strlen1: 1 sizeof1: 4
strlen2: 253 sizeof2: 4
ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 300'`
strlen1: 1 sizeof1: 4
strlen2: 300 sizeof2: 4
ben@Fenrir:/tmp/vuln-dev$ ./tst a `perl -we'print "A" x 1000'`
strlen1: 1 sizeof1: 4
strlen2: 1000 sizeof2: 4

Seems like "argv[2]" is copied no matter what the "strncpy"'s SIZE is. Hmm. Anybody have an idea?

Ben Okopnik
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The reason the government thinks you're just a number
is because it's just a machine.

Received on Wed May 14 00:38:30 2003
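The two behaviours in the post above (a crash at exactly 253 bytes in argv[1], and strlen2 reporting the full argv[2] length no matter what SIZE is) can be separated with a guard byte instead of waiting for the allocator to fault. The program below is an added example written for this page; it is not Ben's tst.c or the vulndev-1 binary. It keeps his SIZE of 252 and his exact copy loop (`i <= SIZE`), runs it into a region that has one extra sentinel byte past the 252-byte buffer, and reports whether the sentinel was overwritten. It also runs the same strncpy call and counts what actually lands in the buffer, separately from strlen() of the argument itself, which is what the post's strlen2 measures. The `make_arg` helper and the guard value are assumptions for the demonstration; the input strings of N 'A' bytes are constructed to match `perl -e 'print "A" x N'`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE  252    /* same buffer size as the posted tst.c */
#define GUARD 0x7f   /* sentinel stored just past the SIZE-byte region (chosen for this demo) */

/* The copy loop exactly as posted: the bound is `i <= SIZE`, so a source
 * of SIZE+1 or more non-NUL bytes stores dst[SIZE], one byte past a
 * SIZE-byte buffer. Callers here hand it a region of SIZE+1 bytes so the
 * store stays defined and can be detected. Returns bytes stored. */
int loop_copy_as_posted(char *dst, const char *src)
{
    int i;
    for (i = 0; i <= SIZE && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;
}

/* Bounded replacement: at most SIZE-1 bytes plus a terminator, so the
 * result always fits a SIZE-byte buffer and is a valid C string. */
int loop_copy_fixed(char *dst, const char *src)
{
    int i;
    for (i = 0; i < SIZE - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/* Constructed argument of `len` 'A' bytes (what perl's "A" x len gives).
 * Caller frees. */
char *make_arg(int len)
{
    char *s = malloc((size_t)len + 1);
    memset(s, 'A', (size_t)len);
    s[len] = '\0';
    return s;
}

/* Runs `copy` with a len-byte argument into a SIZE+1 byte region whose
 * last byte is the guard. Returns 1 if the guard was overwritten, i.e.
 * the copy wrote past a SIZE-byte buffer, else 0. */
int copy_overflows(int (*copy)(char *, const char *), int len)
{
    char *src = make_arg(len);
    char *region = malloc(SIZE + 1);
    int clobbered;

    region[SIZE] = GUARD;
    copy(region, src);
    clobbered = (region[SIZE] != GUARD);

    free(region);
    free(src);
    return clobbered;
}

/* Mirrors strncpy(buf2, p2, SIZE). Returns how many of the 'A' bytes
 * landed in the SIZE-byte buffer (never more than SIZE) and sets
 * *terminated to whether a NUL is present within those SIZE bytes.
 * Returns -1 if the guard was touched, which strncpy never does. */
int strncpy_copied(int len, int *terminated)
{
    char *src = make_arg(len);
    char *buf = malloc(SIZE + 1);
    int n = 0;

    buf[SIZE] = GUARD;
    strncpy(buf, src, SIZE);
    while (n < SIZE && buf[n] == 'A')
        n++;
    *terminated = (memchr(buf, '\0', SIZE) != NULL);
    if (buf[SIZE] != GUARD)
        n = -1;

    free(buf);
    free(src);
    return n;
}

int main(void)
{
    int lens[] = { 1, 252, 253, 300, 1000 };
    size_t k;

    for (k = 0; k < sizeof lens / sizeof lens[0]; k++) {
        int term;
        int copied = strncpy_copied(lens[k], &term);
        printf("len %4d: posted loop overflows=%d  fixed loop overflows=%d  "
               "strncpy copied=%d terminated=%d\n",
               lens[k], copy_overflows(loop_copy_as_posted, lens[k]),
               copy_overflows(loop_copy_fixed, lens[k]), copied, term);
    }
    return 0;
}
```

With a 252-byte argument the posted loop stops at the NUL and the guard survives; at 253 bytes it stores exactly one byte past the buffer, which is the heap metadata corruption that the 253-byte argv[1] turns into a segfault at free(). The strncpy path never stores more than SIZE bytes, so argv[2] of any length cannot overflow buf2; what it does leave behind for arguments of 252 bytes or more is a buffer with no terminator, which is the usual strncpy trap if the copy is later passed to a string function.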

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

