Hi all,
I have a piece of code I'm supposed to identify a security issue with.

Code:
#include <string.h>

int copy(char *in)
{
    char d[128];

    if (strlen(in) > sizeof(d))
        return -1;
    strcpy(d, in);
    return 0;
}

I narrowed it down to the if statement condition. strlen does not take the NULL character into account, and hence the if condition would fail if the length of the input string is exactly 128 (excluding NULL). This would lead to an off-by-one or single-byte buffer overflow.

According to http://www.vuxml.org/freebsd/8dd9722...c2514716c.html, this can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted "textWithLanguage" or "nameWithLanguage" tags. Successful exploitation allows execution of arbitrary code.

Where can I find out more about this, i.e. how does overflowing a single byte lead to arbitrary code execution?
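An added worked example, not code from the post above or from the advisory it cites: it replays the post's check and strcpy over a simulated 32-bit x86 frame so the single zero byte can be watched landing on the saved frame pointer, and then walks the caller's `leave; ret` epilogue to show where execution ends up. The frame layout, the fake address 0xbfffe000 for d[0], the caller's EBP value 0xbfffe0a8 and the target 0xdeadbeef are all assumptions chosen to make the mechanism visible; nothing here runs real shellcode or performs an actual out-of-bounds write.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame of copy() on a classic 32-bit stack: d[128] sits directly
 * below the saved frame pointer (EBP) and the return address.  All of these
 * constants are assumptions for the simulation. */
#define BUF_LEN    128
#define EBP_OFF    BUF_LEN         /* saved EBP lives right after d[] */
#define RET_OFF    (BUF_LEN + 4)   /* return address follows saved EBP */
#define FRAME_LEN  (BUF_LEN + 8)
#define FRAME_ADDR 0xbfffe000u     /* assumed address of d[0] */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Frame as it looks on entry to copy(): caller's EBP and return address already pushed. */
void init_frame(uint8_t frame[FRAME_LEN], uint32_t caller_ebp, uint32_t ret_addr) {
    memset(frame, 0xcc, BUF_LEN);            /* uninitialised stack contents */
    wr32(frame + EBP_OFF, caller_ebp);
    wr32(frame + RET_OFF, ret_addr);
}

/* The post's check and copy, replayed on the simulated frame.  strlen(in) > 128
 * lets a 128-byte string through; strcpy then writes 129 bytes, so the
 * terminating NUL lands on the low byte of the (little-endian) saved EBP. */
int copy_vuln_sim(uint8_t frame[FRAME_LEN], const char *in) {
    size_t n = strlen(in);
    if (n > BUF_LEN) return -1;
    memcpy(frame, in, n + 1);                /* strcpy semantics: n bytes plus NUL */
    return 0;
}

/* Hardened check: reserve one byte for the terminator. */
int copy_fixed_sim(uint8_t frame[FRAME_LEN], const char *in) {
    size_t n = strlen(in);
    if (n >= BUF_LEN) return -1;
    memcpy(frame, in, n + 1);
    return 0;
}

uint32_t saved_ebp(const uint8_t frame[FRAME_LEN]) { return rd32(frame + EBP_OFF); }

/* Where does execution go when the *caller* of copy() returns?  copy()'s own
 * epilogue restores EBP from the (corrupted) slot.  The caller's "leave; ret"
 * then does ESP = EBP; pop EBP; pop EIP, so EIP is loaded from [EBP + 4].
 * If the zeroed EBP now points into d[], that dword is attacker data.
 * Returns 0 when the slot lies outside the simulated frame (caller unaffected). */
uint32_t caller_return_target(const uint8_t frame[FRAME_LEN]) {
    uint32_t ebp = rd32(frame + EBP_OFF);
    uint32_t eip_slot = ebp + 4;
    if (eip_slot < FRAME_ADDR || eip_slot + 4 > FRAME_ADDR + FRAME_LEN) return 0;
    return rd32(frame + (eip_slot - FRAME_ADDR));
}

/* Constructed attacker input: exactly 128 non-NUL bytes.  The dword at offset 4
 * is where the corrupted EBP+4 will point; 0xdeadbeef stands in for the address
 * of shellcode that would sit elsewhere inside d[]. */
void build_payload(char out[BUF_LEN + 1]) {
    memset(out, 'A', BUF_LEN);
    out[4] = (char)0xef; out[5] = (char)0xbe; out[6] = (char)0xad; out[7] = (char)0xde;
    out[BUF_LEN] = '\0';
}

/* Scenario wrappers so each result can be checked by name. */
static int run_scenario(uint8_t frame[FRAME_LEN], int (*cp)(uint8_t *, const char *)) {
    char payload[BUF_LEN + 1];
    build_payload(payload);
    init_frame(frame, 0xbfffe0a8u, 0x08048500u);   /* caller's EBP: low byte 0xa8 */
    return cp(frame, payload);
}
int vuln_accepts_payload(void)  { uint8_t f[FRAME_LEN]; return run_scenario(f, copy_vuln_sim); }
int fixed_rejects_payload(void) { uint8_t f[FRAME_LEN]; return run_scenario(f, copy_fixed_sim); }
uint32_t vuln_saved_ebp(void)   { uint8_t f[FRAME_LEN]; run_scenario(f, copy_vuln_sim); return saved_ebp(f); }
uint32_t vuln_return_target(void) { uint8_t f[FRAME_LEN]; run_scenario(f, copy_vuln_sim); return caller_return_target(f); }

int main(void) {
    printf("fixed check rejects 128 bytes : %d\n", fixed_rejects_payload());
    printf("vuln check accepts 128 bytes  : %d\n", vuln_accepts_payload());
    printf("saved EBP after overflow      : 0x%08x\n", vuln_saved_ebp());
    printf("caller's ret pops EIP from d[]: 0x%08x\n", vuln_return_target());
    return 0;
}
```

The point the simulation makes: the one byte that gets clobbered is the low byte of the saved frame pointer, so copy() itself returns normally, but its caller's epilogue restores a frame pointer that now points 0xa8 bytes lower, inside the buffer the attacker filled. The caller's `ret` then pops its return address from attacker-controlled bytes. On a real system this only works when d[] is laid out right under the saved EBP and the stack is executable or a usable address is reachable; stack protectors and frame-pointer omission change the picture, which is why the fix (`>=` instead of `>`) matters regardless.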