
Spot the Overflow

To give our readers a taste of what Daniel and I do most days I thought I would post a little code snippet and ask you all to find the overflow (if there is one). Any discussion on the feasibility of exploiting the overflow (again if there is one) is also appreciated.

I’ll keep this one fairly simple (c/c++ pseudo code):

#include <cstring>

void foo(char *buf)
{
char *myArray;

myArray = new char[strlen(buf)];
memset(myArray, 0, strlen(buf));
strcat(myArray, buf);

.
.
.
//do something interesting here with the buffer
.
.
.

}

Comments

Comment from Matthew Franz
Time: May 2, 2008, 4:45 pm

TGIF for you then, right?

(Snarky “SCADA Time Warp” comment deleted here)

Comment from visitor
Time: May 2, 2008, 5:09 pm

strlen() doesn’t include the terminating NULL character in the size returned. The buffer is too short, and strcat will always write a NULL past its end.

Hopefully this is a constructed example, because the reasonable way to do this is with strdup()!

Comment from Jake Brodsky
Time: May 4, 2008, 9:59 am

I usually look for fencepost errors whenever manipulating strings. Errors like this and many more are often found in that lovely book, C Traps and Pitfalls.

Comment from Kevin Lackey
Time: May 5, 2008, 11:43 am

Visitor has it right. Off by one heap error. Good description of this exploit seen at: http://www.derkeiler.com/Mailing-Lists/Securiteam/2003-06/0070.html . And yes, this is a construed example.

So let’s say the programmer had been a little more careful and done the following:

#include <cstring>

void foo(char *buf)
{
char *myArray;

myArray = new char[strlen(buf) + 1];
memset(myArray, 0, strlen(buf) + 1);
strcat(myArray, buf);

.
.
.
//do something interesting here with the buffer
.
.
.

}


Now where is the overflow?

Kevin

Comment from codewookie
Time: May 6, 2008, 6:01 pm

neat. malloc(0).

Comment from mike
Time: May 8, 2008, 12:09 pm

There is an integer overflow in the “new char[strlen(buf) + 1]” statement and then a heap overflow in “strcat(myArray, buf)” after you have overflowed the malloc.

Comment from Brad Singletary
Time: May 15, 2008, 4:29 pm

A better error for both examples is not checking that the new returns non-zero… You can force allocation to fail momentarily on some platforms.

Probably another if buf has no terminator. Incidental to not understanding the intent of foo.

If you consider the platform a microcontroller, you may have other problems too… incidental to not understanding the architecture.
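Tying the thread together as an added example, not code from the original post or any of the comments: a C program that sizes the copy the way the visitor and Kevin describe (strlen plus one, rejecting the wrap-around mike points out), checks the allocation as Brad suggests, and refuses input that has no terminator within a caller-supplied bound. The names copy_size, dup_bounded and bytes_past_end are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a copy of a len-character string needs: strlen() does not
 * count the terminator, so one more is required. Returns 0 if
 * len + 1 would wrap around (the "integer overflow" case). */
size_t copy_size(size_t len)
{
    if (len == SIZE_MAX)
        return 0;
    return len + 1;
}

/* Defensive replacement for the snippet's allocate-and-strcat: never
 * trusts buf to be terminated within max bytes, sizes the block
 * exactly, checks the allocation, and copies with memcpy instead of
 * walking strcat over freshly allocated memory. NULL on any failure. */
char *dup_bounded(const char *buf, size_t max)
{
    if (buf == NULL)
        return NULL;
    size_t len = 0;
    while (len < max && buf[len] != '\0')   /* bounded strlen */
        len++;
    if (len == max)                          /* no terminator found */
        return NULL;
    size_t need = copy_size(len);
    if (need == 0)
        return NULL;
    char *out = malloc(need);                /* check it, unlike the snippet */
    if (out == NULL)
        return NULL;
    memcpy(out, buf, len);
    out[len] = '\0';
    return out;
}

/* How far the original snippet writes past its block: it allocates
 * len bytes but strcat stores len characters plus the terminator. */
size_t bytes_past_end(size_t len)
{
    size_t written = copy_size(len);
    return written > len ? written - len : 0;
}

int main(void)
{
    char *s = dup_bounded("spot the overflow", 64);   /* constructed input */
    if (s != NULL) { printf("%s\n", s); free(s); }
    printf("bytes past end: %zu\n", bytes_past_end(17));
    return 0;
}
```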
