
vulndev-1 and a suggestion about the ensuing discussion

From: Bernie Cosell <bernie(at)fantasyfarm.com>
Date: Wed May 14 2003 - 19:59:18 EDT


Let me comment that I see two directions of analysis on the buggy-code scraps we might be presented to look at:

  1. understanding _really_ what the problem is, and
  2. investigating how the problem manifests itself in different contexts and under different sorts of attacks.

And from our comments, I can also see that we have sort of informally divided into those two camps: with some discussing the peculiarities of particular library calls while others dove in right away and tried to exploit it on various platforms.

I have to confess I'm of the former camp, and with that, I'd like to take a step back and ask: To my view, the *ONLY* problem in that little scrap of code is that the 'for' loop clobbered *at*most* one byte, the byte following the malloc of buf1 -- because of the off-by-one in the for loop end test. Were there other problems in the code besides that? [as I mentioned, it's been >20yrs since I did much/any C programming so I'm more than a bit rusty].

The second aspect is also interesting, but to my view *separate*: if my above analysis is correct, then the question is, "how much damage can you cause in various operating systems and with particular C compilers if you can clobber that one byte off the end of a malloc" [with the answer being "a widely variable amount of damage, of course..:o)]. And I realize this is a burden [and I'm *NOT* volunteering...:o)] but I think it'd be helpful for us all to have a bit of a summary after the dust settles:

    Linux 8.0 w/gcc does THIS
    Windows with Microsoft Visual C++ does THAT      ...etc...

  /bernie\

-- 
Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie@fantasyfarm.com     Pearisburg, VA

--> Too many people, too few sheep <--
Received on Thu May 15 11:33:04 2003
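Added illustration, not part of the original post and not the vulndev-1 code itself (which is not reproduced here): it assumes the loop shape the message describes, an inclusive `<=` end test over a malloc'd buffer, and measures how many bytes past the intended region it writes. The overrun is aimed at a canary pad inside the same allocation so the measurement stays well-defined rather than touching heap metadata.

```c
#include <stdlib.h>
#include <string.h>

#define PAD 4          /* canary bytes placed right after the n-byte region */
#define CANARY 0xA5

/* Allocate n bytes for the "buffer" plus PAD canary bytes directly after it.
   Any write past buf[n-1] lands on the canaries instead of on real heap
   bookkeeping, so the overrun can be counted without undefined behaviour. */
static unsigned char *make_region(size_t n) {
    unsigned char *p = malloc(n + PAD);
    if (!p) return NULL;
    memset(p, 0, n);
    memset(p + n, CANARY, PAD);
    return p;
}

/* Count how many canary bytes the loop overwrote. */
static int count_clobbered(const unsigned char *p, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < PAD; i++)
        if (p[n + i] != CANARY) hits++;
    return hits;
}

/* Assumed vulnerable shape: '<=' runs n+1 iterations and writes buf[n]. */
int overrun_with_inclusive_bound(size_t n) {
    unsigned char *buf = make_region(n);
    if (!buf) return -1;
    for (size_t i = 0; i <= n; i++)   /* off-by-one: end test should be i < n */
        buf[i] = 'A';
    int hits = count_clobbered(buf, n);
    free(buf);
    return hits;                      /* exactly 1 byte past the region */
}

/* Corrected end test: n iterations, nothing written past buf[n-1]. */
int overrun_with_exclusive_bound(size_t n) {
    unsigned char *buf = make_region(n);
    if (!buf) return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = 'A';
    int hits = count_clobbered(buf, n);
    free(buf);
    return hits;                      /* 0 */
}
```

Whether that single clobbered byte matters depends on what the allocator keeps immediately after the chunk, which is exactly the per-platform question the message asks to have summarised.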

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT

