Bugtraq mailing list archives
Re: Format String Attacks
From: Matthias Meixner <meixner () RBG INFORMATIK TU-DARMSTADT DE>
Date: Fri, 22 Sep 2000 08:54:53 +0200
Ajax wrote:
[...]
    /* init AP to the next arg we pop from the stack */
    #define va_start(AP, LASTARG) \
        (AP = ((__gnuc_va_list) __builtin_next_arg (LASTARG)))

    /* advance the AP pointer and return the next arg */
    #define va_arg(AP, TYPE) \
        (AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE)), \
         *((TYPE *) (void *) ((char *) (AP) - __va_rounded_size (TYPE))))

Note how this works; AP is treated as, essentially, void *AP[], an array of pointers to arbitrary types. This creates a natural terminating condition, where the last element in the array is NULL (_not_ a pointer to NULL).
Wrong. AP is not an array of pointers pointing to the arguments, but a pointer to the beginning of the arguments on the stack. va_arg shifts this pointer further by the size of the object on the stack [(AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE))] each time an argument is read. So there is no pointer array that could be terminated by a NULL pointer.

- Matthias Meixner

--
Matthias Meixner                         meixner () rbg informatik tu-darmstadt de
Technische Universität Darmstadt         Rechnerbetriebsgruppe
Telefon (+49) 6151 16 6670               Wilhelminenstraße 7, D-64283 Darmstadt, Germany
Fax     (+49) 6151 16 4701
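The following is an added example, not code from the thread or from gcc's headers. It models the i386-style va_list the quoted macros describe (a plain char pointer into the argument area, advanced by each argument's size rounded up to a multiple of sizeof(int)) and walks a constructed argument area with a tiny printf-like consumer. The names model_va_list, MODEL_VA_ARG, build_arg_area, pop_ints_for_format and demo are hypothetical, and the argument area is constructed in the program rather than taken from a real call frame, since on x86-64 the first arguments travel in registers and the layout would differ. The point it makes visible is the one in the reply above: the only thing that controls how far the pointer walks is the format string, and a zero-valued slot is read like any other argument rather than acting as a terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the old gcc i386 va_list: a plain char pointer into the
 * argument area. va_arg advances it by the argument's size rounded up to
 * a multiple of sizeof(int) and returns the object it just stepped over.
 * This is a hypothetical reconstruction of the quoted macros, not gcc's. */
typedef char *model_va_list;

#define MODEL_ROUNDED_SIZE(TYPE) \
    (((sizeof(TYPE) + sizeof(int) - 1) / sizeof(int)) * sizeof(int))

#define MODEL_VA_ARG(AP, TYPE)                           \
    ((AP) = (AP) + MODEL_ROUNDED_SIZE(TYPE),             \
     *(TYPE *)(void *)((AP) - MODEL_ROUNDED_SIZE(TYPE)))

#define ARG_AREA_BYTES 64

/* Storage with strict alignment so the int reads in the model are aligned. */
typedef union {
    long double pad;
    unsigned char bytes[ARG_AREA_BYTES];
} arg_area_t;

/* Constructed argument area, laid out as a caller would push it:
 * two real int arguments, then an int whose value happens to be 0, then
 * bytes that belong to the caller's frame and not to any argument.
 * Returns the number of bytes occupied by the "real" arguments. */
static size_t build_arg_area(unsigned char *dst) {
    size_t off = 0;
    int real1 = 0x11111111;
    int real2 = 0x22222222;
    int zero  = 0;            /* a NULL-valued slot, not a terminator */
    int frame = 0x44444444;   /* stands in for whatever follows on the stack */
    memset(dst, 0, ARG_AREA_BYTES);
    memcpy(dst + off, &real1, sizeof real1); off += MODEL_ROUNDED_SIZE(int);
    memcpy(dst + off, &real2, sizeof real2); off += MODEL_ROUNDED_SIZE(int);
    memcpy(dst + off, &zero,  sizeof zero);  off += MODEL_ROUNDED_SIZE(int);
    memcpy(dst + off, &frame, sizeof frame); off += MODEL_ROUNDED_SIZE(int);
    return off;
}

/* Minimal printf-like consumer: for every "%x" in fmt, pop one int from the
 * argument area. Each popped value is stored in out[]; the return value is
 * how many were popped. Nothing in the area tells it when to stop; only the
 * format string decides how far the pointer walks. */
static int pop_ints_for_format(const char *fmt, unsigned char *area,
                               unsigned *out, int max_out) {
    model_va_list ap = (model_va_list)area;  /* "va_start": first argument */
    int n = 0;
    for (const char *p = fmt; *p && n < max_out; p++) {
        if (p[0] == '%' && p[1] == 'x') {
            out[n++] = (unsigned)MODEL_VA_ARG(ap, int);
            p++;
        }
    }
    return n;
}

/* Build the constructed area and run the consumer over it with fmt. */
static int demo(const char *fmt, unsigned *out, int max_out) {
    arg_area_t area;
    build_arg_area(area.bytes);
    return pop_ints_for_format(fmt, area.bytes, out, max_out);
}

int main(void) {
    unsigned v[8];
    /* Two specifiers, two arguments: the well-formed case. */
    int n = demo("%x %x", v, 8);
    for (int i = 0; i < n; i++)
        printf("matched   arg %d: %08x\n", i, v[i]);
    /* Four specifiers, two arguments: the walk passes the zero slot and
     * keeps going into bytes that were never an argument at all. */
    n = demo("%x %x %x %x", v, 8);
    for (int i = 0; i < n; i++)
        printf("overread  arg %d: %08x\n", i, v[i]);
    return 0;
}
```

If a NULL element really terminated the argument list, the second run would stop after three pops; instead the zero is returned as an ordinary value and the fourth pop reads the caller's frame, which is exactly the read primitive a format string attack starts from.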
Current thread:
- Re: Format String Attacks, (continued)
- Re: Format String Attacks Dan Harkless (Sep 14)
- Re: Format String Attacks Dan Harkless (Sep 14)
- Re: Format String Attacks Dan Harkless (Sep 15)
- Re: Format String Attacks Dan Harkless (Sep 17)
- Re: Format String Attacks Drazen Kacar (Sep 14)
- Re: Format String Attacks Dan Harkless (Sep 14)
- Re: Format String Attacks Serguei Patchkovskii (Sep 14)
- Re: Format String Attacks Nate Eldredge (Sep 21)
- Re: Format String Attacks Matthias Meixner (Sep 22)
- Re: Format String Attacks jsl2 (Sep 22)
- Re: Format String Attacks Ajax (Sep 25)