Bugtraq mailing list archives

Re: Format String Attacks


From: Matthias Meixner <meixner () RBG INFORMATIK TU-DARMSTADT DE>
Date: Fri, 22 Sep 2000 08:54:53 +0200

Ajax wrote:

[...]

/* init AP to the next arg we pop from the stack */
#define va_start(AP, LASTARG)                                           \
 (AP = ((__gnuc_va_list) __builtin_next_arg (LASTARG)))

/* advance the AP pointer and return the next arg */
#define va_arg(AP, TYPE)                                                \
 (AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE)),     \
  *((TYPE *) (void *) ((char *) (AP) - __va_rounded_size (TYPE))))

Note how this works; AP is treated as, essentially, void *AP[], an array
of pointers to arbitrary types.  This creates a natural terminating
condition, where the last element in the array is NULL (_not_ a pointer to
NULL).


Wrong. AP is not an array of pointers pointing to the arguments, but a pointer
to the beginning of the arguments on the stack. va_arg is shifting this
pointer further by the size of the object on the stack
   [(AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE))]
each time an argument is read.

So there is no pointer array that could be terminated by a NULL pointer.

- Matthias Meixner

--
Matthias Meixner                   meixner () rbg informatik tu-darmstadt de
Technische Universität Darmstadt
Rechnerbetriebsgruppe                          Telefon (+49) 6151 16 6670
Wilhelminenstraße 7, D-64283 Darmstadt, Germany    Fax (+49) 6151 16 4701
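
The pointer walk Matthias describes, as an added example that is not code from either poster: the quoted i386 va_arg macro is emulated over a constructed byte buffer standing in for the caller's stack (the 4-byte SLOT_SIZE, the BEYOND_MARKER value and every function name here are assumptions of the emulation). Three arguments are "passed"; the bytes after them belong to something else. A printf-style walker consumes one slot per conversion in the format string, and because AP is only a byte pointer being advanced, nothing stops it when the real arguments run out, which is exactly why a format string with more conversions than arguments reads unrelated stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Stack slot width of the i386 ABI the quoted macros were written for
 * (assumed constant for this emulation). */
#define SLOT_SIZE 4u

/* Same rounding the quoted __va_rounded_size performs. */
#define EMU_ROUNDED_SIZE(n) ((((n) + SLOT_SIZE - 1u) / SLOT_SIZE) * SLOT_SIZE)

/* A plain byte pointer: this is all the old AP really is. */
typedef const unsigned char *emu_va_list;

/* Constructed "stack": three arguments actually passed by the caller,
 * followed by two slots of bytes that are not arguments at all. */
#define NUM_REAL_ARGS 3u
#define NUM_SLOTS     5u
#define BEYOND_MARKER 0xCAFEBABEu   /* constructed marker for "not an argument" */
static unsigned char fake_stack[SLOT_SIZE * NUM_SLOTS];

static void build_fake_stack(void) {
    uint32_t words[NUM_SLOTS] = { 0x11111111u, 0x22222222u, 0x33333333u,
                                  BEYOND_MARKER, BEYOND_MARKER };
    memcpy(fake_stack, words, sizeof fake_stack);
}

/* Emulated va_arg(AP, uint32_t): advance AP by the rounded size, then read
 * the slot just stepped over, in the same order as the quoted macro. */
static uint32_t emu_va_arg_u32(emu_va_list *ap) {
    uint32_t v;
    *ap += EMU_ROUNDED_SIZE(sizeof v);
    memcpy(&v, *ap - EMU_ROUNDED_SIZE(sizeof v), sizeof v);
    return v;
}

/* Number of conversions a format string will consume ("%%" consumes none;
 * flags and width such as "%08x" still count as one). */
static size_t conversions_in(const char *fmt) {
    size_t n = 0;
    for (; *fmt; fmt++) {
        if (*fmt != '%') continue;
        if (fmt[1] == '%') { fmt++; continue; }
        n++;
    }
    return n;
}

/* Walk the fake stack the way a printf-style function walks its va_list:
 * one slot per conversion, with no way to tell where the real arguments
 * end. Stores the slots read in out[] and returns how many were read
 * (capped at max_out and at the size of the constructed buffer). */
static size_t emu_walk(const char *fmt, uint32_t *out, size_t max_out) {
    build_fake_stack();
    emu_va_list ap = fake_stack;            /* va_start: AP = first argument */
    size_t want = conversions_in(fmt), i;
    if (want > max_out) want = max_out;
    if (want > NUM_SLOTS) want = NUM_SLOTS;
    for (i = 0; i < want; i++)
        out[i] = emu_va_arg_u32(&ap);       /* nothing but pointer arithmetic */
    return want;
}

/* 1 if fmt asks for more arguments than the caller supplied, i.e. the walk
 * above would step past the real arguments. This check has to come from
 * outside the va_list mechanism; the list itself cannot detect it. */
static int walk_overruns(const char *fmt) {
    return conversions_in(fmt) > NUM_REAL_ARGS;
}

int main(void) {
    uint32_t v[NUM_SLOTS];
    size_t n = emu_walk("%x %x %x %x", v, NUM_SLOTS), i;
    for (i = 0; i < n; i++)
        printf("slot %zu: %08x%s\n", i + 1, v[i],
               i >= NUM_REAL_ARGS ? "   <- not an argument; no NULL stopped the walk" : "");
    return 0;
}
```

The fourth conversion returns BEYOND_MARKER rather than failing: the only defence is on the caller's side, keeping the format string under the program's control so the number of conversions always matches the number of arguments.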

