Vulnerability Development mailing list archives

memcpy with negative length and destination on heap - exploitable?


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 24 Dec 2001 12:59:30 +0300

Hello vuln-dev,

  Theoretically,  are  there  any  situations  where  it's  possible to
  exploit this kind of bug:

   ...
   char src[FEW * KB_OF_DATA], * dst;
   int len;
   ...

   get_user_input(src, sizeof(src));
   len = src[POSITION]; /* char is signed and can be negative! */
   dst = malloc(256);
   memcpy(dst, src + POSITION + 1, len); /* negative len converts to a huge size_t here */

   ...

   len  is too long when converted to size_t, and memcpy will crash... Is
   it  possible to avoid it if the destination buffer is on the heap? The
   program is available on all possible platforms :)



-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
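Added example (not from the post): it reproduces the sign-extension that turns the length byte into a huge size_t, and shows the check a fixed version would perform before calling memcpy. It assumes a signed char, as the post does, and uses constructed sample input; DST_SIZE mirrors the post's malloc(256).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DST_SIZE 256

/* Reproduce the length computation from the post: the length byte is read
   through a signed char (assumed, as in the post), so any byte >= 0x80 becomes
   a negative int, and memcpy's size_t parameter then receives a huge value. */
size_t length_as_seen_by_memcpy(unsigned char length_byte) {
    signed char c = (signed char)length_byte;
    int len = c;
    return (size_t)len;
}

/* Hardened copy: validate the length while it is still signed, against both
   the bytes left in src and the size of dst, before it ever reaches memcpy.
   Returns the number of bytes copied, or -1 if the request is rejected. */
long safe_copy(char *dst, size_t dst_size,
               const unsigned char *src, size_t src_size, size_t position) {
    if (position >= src_size)
        return -1;                          /* length byte itself out of range */
    int len = (signed char)src[position];   /* same sign-extending read as the post */
    if (len < 0)
        return -1;                          /* negative length: reject, never cast */
    size_t avail = src_size - position - 1;
    if ((size_t)len > avail || (size_t)len > dst_size)
        return -1;                          /* longer than src remaining or dst */
    memcpy(dst, src + position + 1, (size_t)len);
    return len;
}

int main(void) {
    /* constructed sample input: length byte 0xFF at POSITION 1, payload after it */
    unsigned char src[8] = { 'A', 0xFF, 'B', 'C', 'D', 'E', 'F', 'G' };
    char dst[DST_SIZE];
    printf("memcpy would receive %zu bytes\n", length_as_seen_by_memcpy(0xFF));
    printf("safe_copy with 0xFF: %ld\n", safe_copy(dst, sizeof dst, src, sizeof src, 1));
    src[1] = 4;
    printf("safe_copy with 4: %ld\n", safe_copy(dst, sizeof dst, src, sizeof src, 1));
    return 0;
}
```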

