Vulnerability Development mailing list archives
memcpy with negative length and destination on heap - exploitable?
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 24 Dec 2001 12:59:30 +0300
Hello vuln-dev,

Theoretically, are there any situations when it's possible to exploit this kind of bug:

    ...
    char src[FEW * KB_OF_DATA], * dst;
    int len;
    ...
    get_user_input(src, sizeof(src));
    len = src[POSITION]; /* char is signed and can be negative! */
    dst = malloc(256);
    memcpy(dst, src + POSITION + 1, len);
    ...

len is too long when converted to size_t and memcpy will crash... Is it possible to avoid it if destination buffer is on heap?

Program is available on all possible platforms :)

--
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
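The length conversion the post asks about, next to a bounds-checked version of the same copy, as an added example that is not part of the original post. The sample buffers and the names `length_as_posted`, `copy_field` and `try_copy` are constructed for illustration, and the first function models a platform where `char` is signed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DST_SIZE 256 /* destination size from the post */
/* Constructed sample inputs: one length byte, then three payload bytes. */
static const unsigned char sample_bad[] = { 0xff, 'A', 'B', 'C' };
static const unsigned char sample_ok[]  = { 0x03, 'A', 'B', 'C' };

/* Length the posted code hands to memcpy when char is signed: the byte
 * is sign-extended to int, then converted to size_t at the call. */
size_t length_as_posted(const unsigned char *src, size_t pos)
{
    int len = (signed char)src[pos]; /* 0x80..0xff become -128..-1 */
    return (size_t)len;              /* -1 becomes SIZE_MAX */
}

/* Checked copy: length read as unsigned, bounded by the bytes left in
 * src and by dst capacity. Returns bytes copied, or -1 if rejected. */
int copy_field(unsigned char *dst, size_t dst_size,
               const unsigned char *src, size_t src_len, size_t pos)
{
    if (pos >= src_len)
        return -1;
    size_t len = src[pos];           /* 0..255, never negative */
    if (len > src_len - pos - 1 || len > dst_size)
        return -1;
    memcpy(dst, src + pos + 1, len);
    return (int)len;
}

/* Heap destination as in the post; hypothetical wrapper for the demo. */
int try_copy(const unsigned char *src, size_t src_len)
{
    unsigned char *dst = malloc(DST_SIZE);
    if (dst == NULL)
        return -1;
    int n = copy_field(dst, DST_SIZE, src, src_len, 0);
    free(dst);
    return n;
}

int main(void)
{
    printf("%zu %d %d\n", length_as_posted(sample_bad, 0),
           try_copy(sample_bad, sizeof sample_bad),
           try_copy(sample_ok, sizeof sample_ok));
    return 0;
}
```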