Comments on: Spot the Overflow

By: Brad Singletary

Brad Singletary — Thu, 15 May 2008 20:29:20 +0000

A better error for both examples is not checking that the new returns non-zero… You can force allocation to fail momentarily on some platforms.

Probably another if buf has no terminator. Incidental to not understanding the intent of foo.

If you consider the platform a microcontroller, you may have other problems too… incidental to not understanding the architecture.

By: mike

mike — Thu, 08 May 2008 16:09:07 +0000

There is an integer overflow in the “new char[strlen(buf) + 1]” statement and then a heap overflow in “strcat(myArray, buf)” after you have overflowed the malloc.

By: codewookie

codewookie — Tue, 06 May 2008 22:01:09 +0000

neat. malloc(0).

By: Kevin Lackey

Kevin Lackey — Mon, 05 May 2008 15:43:18 +0000

Visitor has it right. Off by one heap error. Good description of this exploit seen at: http://www.derkeiler.com/Mailing-Lists/Securiteam/2003-06/0070.html . And yes, this is a construed example.

So let’s say the programmer had been a little more careful and done the following:
void foo(char *buf) { char *myArray;


myArray = new char[strlen(buf) + 1];

memset(myArray, 0, strlen(buf) + 1);

strcat(myArray, buf);
.

.

.

//do something intersting here with the buffer

.

.

.
}

Now where is the overflow?

Kevin

By: Jake Brodsky

Jake Brodsky — Sun, 04 May 2008 13:59:13 +0000

I usually look for fencepost errors whenever manipulating strings. Errors like this and many more are often found in that lovely book, C Traps and Pitfalls.

By: visitor

visitor — Fri, 02 May 2008 21:09:13 +0000

strlen() doesn’t include the terminating NULL character in the size returned. The buffer is too short, and strcat will always write a NULL past its end.

Hopefully this is a constructed example, because the reasonable way to do this is with strdup()!

By: Matthew Franz

Matthew Franz — Fri, 02 May 2008 20:45:39 +0000

TGIF for you then, right?

(Snarky “SCADA Time Warp comment deleted here)