On Mon, 2002-11-18 at 17:10, Andrew Griffiths wrote:
> Another thing to use is consistency, for example,
>
> char dst[50];
> strncpy(dst, user_supplied_data, sizeof(dst));
> strncat(dst, sizeof(dst) - strlen(dst) -1, moreuserdata);
>
> This could be exploitable if user_supplied_data is 50 or more bytes long.
>
> In specific,
>
> 50 - 50 - 1 == -1
If sizeof(dst) is 50, then a 0 terminated string is is 49 chars long
(len(dst) is 49). That means we've got 50-49-1 = 0 which is correct as
there is no room left in dst.
Of course in your example you allow dst to overflow in the strncpy.
Using
strncpy(dst, user_supplied_data, sizeof(dst)-1);
would have prevented that if my math is correct.
> Another thing to use is consistency, for example,
>
> char dst[50];
> strncpy(dst, user_supplied_data, sizeof(dst));
> strncat(dst, sizeof(dst) - strlen(dst) -1, moreuserdata);
>
> This could be exploitable if user_supplied_data is 50 or more bytes long.
>
> In specific,
>
> 50 - 50 - 1 == -1
If sizeof(dst) is 50, then a 0 terminated string is is 49 chars long
(len(dst) is 49). That means we've got 50-49-1 = 0 which is correct as
there is no room left in dst.
Of course in your example you allow dst to overflow in the strncpy.
Using
strncpy(dst, user_supplied_data, sizeof(dst)-1);
would have prevented that if my math is correct.
Frank
[ reply ]