Single Byte Buffer Overflow
Hi all,
I have a piece of code I'm supposed to identify a security issue with:
Code:
#include <string.h>

int copy(char *in)
{
    char d[128];
    /* sizeof(d) is 128, so an input of exactly 128 characters passes this
       check, yet strcpy() writes 129 bytes (128 characters plus the NUL). */
    if (strlen(in) > sizeof(d))
        return -1;
    strcpy(d, in);
    return 0;
}
I narrowed it down to the if statement condition. strlen does not take the NULL character into account, and hence, the if condition would fail if the length of the input string is exactly 128 (excluding NULL). This would lead to an off-by-one or single-byte buffer overflow.
According to http://www.vuxml.org/freebsd/8dd9722...c2514716c.html, this
Quote:
can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted "textWithLanguage" or "nameWithLanguage" tags.
Successful exploitation allows execution of arbitrary code.
Where can I find out more about this, i.e. how does overflowing a single byte lead to arbitrary code execution?
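To make the off-by-one concrete, here is an added example (mine, not from the post or the linked advisory): one function mirrors the posted length check without touching any buffer, so it can be called with the boundary value safely, and a second function shows the corrected check with `>=` so the terminator is accounted for. `BUF_SIZE`, `original_check_accepts`, `copy_fixed` and `try_copy` are names I chose for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 128   /* same size as d[128] in the posted copy() */

/* Mirrors the condition in the posted copy(): does `strlen(in) > sizeof(d)`
 * let an input of `len` characters (terminator excluded) through?
 * No buffer is involved, so calling this with len == BUF_SIZE is harmless. */
bool original_check_accepts(size_t len)
{
    return !(len > BUF_SIZE);   /* true for len == 128: one byte too many */
}

/* Hardened version of the check. A string whose strlen() is 128 occupies
 * 129 bytes once the terminating NUL is counted, so it must be rejected;
 * only lengths strictly below the buffer size fit. */
int copy_fixed(char *out, size_t out_size, const char *in)
{
    if (strlen(in) >= out_size)
        return -1;
    strcpy(out, in);            /* fits, terminator included */
    return 0;
}

/* Drives copy_fixed() with a constructed input of `len` 'A' characters
 * into a 128-byte destination. Returns copy_fixed()'s result, or -2 if
 * the requested length does not fit the constructed input buffer. */
int try_copy(size_t len)
{
    char in[BUF_SIZE + 2];      /* room for up to 129 characters plus NUL */
    char d[BUF_SIZE];

    if (len > BUF_SIZE + 1)
        return -2;
    memset(in, 'A', len);
    in[len] = '\0';
    return copy_fixed(d, sizeof(d), in);
}
```

The boundary that matters is a 128-character input: the original condition accepts it (and the NUL then lands one byte past `d`), while the corrected condition rejects it and still accepts 127.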