Thread: What are the vulnerabilities associated with this code?

  1. #16 ledow (Registered User, joined Dec 2011, 435 posts)
    scooter: You seem inherently confused and unhelpful to everyone. Are you ASKING us or TELLING us? Are there more constraints than your initial question stated, or are you just artificially limiting the query to things you can understand?

    Your initial post says "What are the vulnerabilities associated with this code?". There are several described in the posts above.
    You said "I'm stuck with what kind of attack could occur to the code posted below". That has been answered too.

    Valid answers to that don't really need much to work out how they operate and also how to stop them. And I can "crash" that code and trash unknown memory by at least three ways within two seconds of looking at it, for instance:

    grab_request(NULL, 0);
    grab_request(fake_pointer_to_junk_that_is_near_something_important, -2000);
    grab_request(buffer_with_20_elements, 20);

    What precisely do you need from here?

    - Compiler warnings are like "Bridge Out Ahead" warnings. DON'T just ignore them.
    - A compiler error is something SO stupid that the compiler genuinely can't carry on with its job. A compiler warning is the compiler saying "Well, that's bloody stupid but if you WANT to ignore me..." and carrying on.
    - The best debugging tool in the world is a bunch of printf()'s for everything important around the bits you think might be wrong.

  2. #17 (Registered User, joined May 2012, 12 posts)
    ???

    How do we counteract this.....simply buf[i-1]????

  3. #18 (Registered User, joined May 2012, 12 posts)
    I'm glad you think I'm inherently confused.....nice one.
    Did you get my previous post.....before yours, i.e. #15.
    So it can be a buffer overflow...the attack is only meant to be one only....I'm obviously not as advanced for the other attacks.
    I presume the grab_request(buffer_with_20_elements, 20); will create a buffer overflow.

    I think that was all that was required, whether it is a buffer or integer overflow. I originally got confused when I was directed questions to determine whether an integer overflow would be possible, i.e. hinting that it obviously is not...but I didn't take it that way. Which leaves the door open for the buffer overflow, which is what I tried to explain in comment #15.

    So what I need to know is am I right in comment #15...?

    If so, do I counteract this with just subtracting one, or are there other safer functions or so.....?

    It is ok, the entire thread can be deleted......LEDOW if you knew I was confused: just be helpful....don't get slightly nasty.
    We all have to start C from somewhere.

  4. #19 (Registered User, Long Beach, CA, joined Nov 2010, 5,909 posts)
    Quote Originally Posted by scooter:
    So if buf_length were to be less than zero i.e. -1 then the i from the for loop would continue until it reaches the largest negative number which is one more than MAX_INT.
    Only then would the loop stop......and hence it would be an underflow/overflow of incorrect data.
    No. If you followed every little step in the table, you would see that i is initialized to zero before the start of the for loop, then it is compared to buf_len. Only if it is less than buf_len would the loop happen. Is 0 less than a negative number? No. Therefore, you skip the whole loop and set buf[0] to '\0'.

    If buf_length would be 0 then i would not loop.....correct? because null can't be less than null? i.e. false statement.
    The first half is correct. But the second half is worded wrong. Just say "0 is not less than 0". Don't use null in place of numeric zero, it can be confusing. Null, in C, refers to an "invalid pointer". It's a special value that you can assign to any pointer, so you can tell if it's not pointing anywhere. In source code, null is always equivalent to 0. When compiled however, the actual value of null used by the computer can vary. On many systems, that special value is 0, but on some systems, it isn't.
    If buf_length were to be MAX_INT....then i would be one less than that correct...?
    Well, at some point during the function, that would be true, but that is not the final value of i. Think about it. Your for loop keeps going until i < buf_len is FALSE. That means if buf_len is MAX_INT, and i is MAX_INT-1, then the loop condition is true, you go back to the top of the loop, increment and compare.

    What could be used to make a remedy...? Safeint class?
    This is irrelevant since there is no integer overflow. But for the sake of discussion, no, a "safeint" class is not the answer. The remedy is to write code that doesn't allow an overflow by making sure your function, and in particular the loop in the function, just won't allow it to happen. Make sure the loop can only run if buf_len is positive, and make sure it doesn't increment i beyond buf_len. Note, that doesn't mean you need any extra if statements, just that you have the right parts (initialization, loop condition and increment statement) in your for loop.

    How do we counteract this.....simply buf[i-1]????
    If so, do I counteract this with just subtracting one, or are there other safer functions or so.....?
    Don't just guess, think about this. Yes, it might prevent you from overflowing on one end, but what happens when i is 0?

    A better solution: You know you need to put a '\0' in the last spot in the array. So how do you make sure that you have that spot available? Stop your loop one spot before the end.

    thank you for helping me with this overflow/underflow.....I appreciate it
    You're welcome.
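
    An added example (not code from the thread; the original grab_request() never appears on this page, so its shape, the extra src parameter and the 8-byte buffer sizes are assumptions) showing the off-by-one that post #19 describes, a hardened version that stops the loop one slot before the end, and a guard byte that lets you observe where the terminator lands:

```c
#include <stddef.h>
#include <string.h>

/* Assumed shape of the thread's grab_request(): copy src into buf one char
 * at a time, then terminate. When the copy fills all buf_len slots, i ends
 * equal to buf_len and the terminator is written one past the end. */
void grab_request_unsafe(char *buf, int buf_len, const char *src) {
    int i;
    for (i = 0; i < buf_len && src[i] != '\0'; i++)
        buf[i] = src[i];
    buf[i] = '\0';              /* off-by-one when i == buf_len */
}

/* Hardened version: reject a NULL or empty buffer, take the size as size_t
 * so a negative length cannot be passed, and stop one slot early so the
 * terminator always has room. Returns the number of chars copied. */
size_t grab_request_safe(char *buf, size_t buf_size, const char *src) {
    size_t i = 0;
    if (buf == NULL || buf_size == 0)
        return 0;
    if (src != NULL)
        for (; i + 1 < buf_size && src[i] != '\0'; i++)
            buf[i] = src[i];
    buf[i] = '\0';              /* i <= buf_size - 1, always in bounds */
    return i;
}

/* Observe the off-by-one without corrupting real memory: the "buffer" is
 * the first 8 bytes of a 9-byte array and the 9th byte acts as a guard.
 * Returns 1 if the unsafe version overwrote the guard byte. */
int unsafe_clobbers_guard(void) {
    char mem[9];
    memset(mem, 'X', sizeof mem);
    grab_request_unsafe(mem, 8, "ABCDEFGHIJ");   /* 10 chars into "8" slots */
    return mem[8] == '\0';
}

/* Same input through the hardened version: copies 7 chars, terminates at
 * index 7 and leaves the guard untouched. Returns 1 on the expected result. */
int safe_stays_in_bounds(void) {
    char mem[9];
    memset(mem, 'X', sizeof mem);
    size_t n = grab_request_safe(mem, 8, "ABCDEFGHIJ");
    return n == 7 && strcmp(mem, "ABCDEFG") == 0 && mem[8] == 'X';
}
```

    Note that a negative buf_len passed to the unsafe version skips the loop entirely, exactly as post #19 says, and the only write is buf[0] = '\0'.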

  5. #20 (Registered User, joined May 2012, 12 posts)
    I don't mean to sound like a broken record, but am I right with comment #15? It is a normal buffer overflow?
    I mean I'm not right...I'm just reiterating what everyone else said apparently.

    Do you understand what I mean...when I got confused with the whole '\0'?

  6. #21 (Registered User, joined May 2012, 12 posts)
    does the solution include a strncat or strncpy....?
    OR would I simply make sure that i never gets increased....
