Bugtraq mailing list archives

Re: TOG and xterm problem
From: Valdis.Kletnieks () VT EDU (Valdis.Kletnieks () VT EDU)
Date: Mon, 4 May 1998 10:31:04 -0400

On Mon, 04 May 1998 11:06:05 +0200, you said:
> * HandleKeymapChange():
>
>     (void) sprintf( mapName, "%sKeymap", params[0] );
>     (void) strcpy( mapClass, mapName );
>
> (actually, the second command is mostly harmless because the size of
> mapName and mapClass is the same)

Actually, not necessarily.  It's "mostly harmless" if in addition to the
sizes being the same, you can "prove" in the program-correctness sense
that the source will be null-terminated at the appropriate place.

Think.  If they just overflowed mapName via sprintf, then they can ALSO
overflow mapClass.  And it's quite possible that mapClass is the array
that you need to overflow to create the exploit (mapName possibly being
at an inconvenient location in memory...)

This is of course just a "general guideline" - an actual examination of
the source is required.  I'm just pointing out that "they're the same size"
is not always enough....
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
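The point of the reply is that equal buffer sizes do not make strcpy safe: once sprintf has overrun mapName, there is no terminator inside mapName at all, so strcpy(mapClass, mapName) reads and writes past both arrays. The following C program is an added illustration, not code from xterm or from either poster. It assumes a constructed buffer size of 32 (the page gives no real sizes, only that the two arrays are equal) and models the post-overflow state by filling mapName with non-NUL bytes rather than performing an overflow. It shows the bounded replacement for the sprintf, and a copy that first checks the precondition strcpy silently assumes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the illustration; the page does not give xterm's
 * real sizes, only that mapName and mapClass are the same size. */
#define MAP_LEN 32

/* Bounded replacement for the quoted sprintf(mapName, "%sKeymap", params[0]):
 * snprintf never writes past dstsize and always NUL-terminates (dstsize > 0).
 * Returns false when the result would not fit, so the caller can reject it. */
bool build_keymap_name(char *dst, size_t dstsize, const char *param)
{
    int n = snprintf(dst, dstsize, "%sKeymap", param);
    return n >= 0 && (size_t)n < dstsize;
}

/* The precondition strcpy(mapClass, mapName) silently assumes: the source
 * carries a NUL somewhere inside its srcsize bytes.  If the sprintf above had
 * overflowed, the terminator would lie beyond mapName, and strcpy would run
 * past both arrays even though they are the same size.  This copy refuses
 * unless the terminator is provably inside the source. */
bool copy_if_terminated(char *dst, size_t dstsize, const char *src, size_t srcsize)
{
    if (memchr(src, '\0', srcsize) == NULL)
        return false;                       /* unterminated source: refuse */
    size_t len = strlen(src);               /* safe: terminator is within srcsize */
    if (len >= dstsize)
        return false;
    memcpy(dst, src, len + 1);
    return true;
}

/* Exercise the two helpers on constructed inputs and return a bitmask of
 * the checks that behaved as intended (0xF means all four did). */
int run_checks(void)
{
    char mapName[MAP_LEN];
    char mapClass[MAP_LEN];
    int ok = 0;

    /* 1: a short parameter fits and round-trips. */
    if (build_keymap_name(mapName, sizeof mapName, "vt100") &&
        strcmp(mapName, "vt100Keymap") == 0)
        ok |= 1;

    /* 2: an over-long parameter is rejected instead of overflowing,
     * and the destination is still NUL-terminated afterwards. */
    char longParam[MAP_LEN + 8];
    memset(longParam, 'A', sizeof longParam - 1);
    longParam[sizeof longParam - 1] = '\0';
    if (!build_keymap_name(mapName, sizeof mapName, longParam) &&
        memchr(mapName, '\0', sizeof mapName) != NULL)
        ok |= 2;

    /* 3: a well-formed name copies into the equal-sized class buffer. */
    build_keymap_name(mapName, sizeof mapName, "vt100");
    if (copy_if_terminated(mapClass, sizeof mapClass, mapName, sizeof mapName) &&
        strcmp(mapClass, "vt100Keymap") == 0)
        ok |= 4;

    /* 4: model the post-overflow state (no NUL anywhere in mapName, as a
     * too-long sprintf would leave it) without performing any overflow;
     * the checked copy refuses where strcpy would have read past the end. */
    memset(mapName, 'A', sizeof mapName);
    if (!copy_if_terminated(mapClass, sizeof mapClass, mapName, sizeof mapName))
        ok |= 8;

    return ok;
}

int main(void)
{
    int result = run_checks();
    printf("checks passed bitmask: 0x%x\n", result);
    return result == 0xF ? 0 : 1;
}
```

Check 4 is the one that matters for the argument in the reply: the two arrays are the same size, yet the copy is only safe once the source is known to be terminated within its own bounds, which is exactly what an earlier overflow destroys.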
