Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Format String Attacks
From: Matthias Meixner <meixner () RBG INFORMATIK TU-DARMSTADT DE>
Date: Fri, 22 Sep 2000 08:54:53 +0200

Ajax wrote:


/* init AP to the next arg we pop from the stack */
#define va_start(AP, LASTARG)                                           \
 (AP = ((__gnuc_va_list) __builtin_next_arg (LASTARG)))

/* advance the AP pointer and return the next arg */
#define va_arg(AP, TYPE)                                                \
 (AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE)),     \
  *((TYPE *) (void *) ((char *) (AP) - __va_rounded_size (TYPE))))

Note how this works; AP is treated as, essentially, void *AP[], an array
of pointers to arbitrary types.  This creates a natural terminating
condition, where the last element in the array is NULL (_not_ a pointer to

Wrong. AP is not an array of pointers pointing to the arguments, but a pointer
to the beginning of the arguments on the stack. va_arg is shifting this
pointer further by the size of the object on the stack
   [(AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE))]
each time an argument is read.

So there is no pointer array, that could be terminated by a NULL-pointer.

- Matthias Meixner

Matthias Meixner                   meixner () rbg informatik tu-darmstadt de
Technische Universit├Ąt Darmstadt
Rechnerbetriebsgruppe                          Telefon (+49) 6151 16 6670
Wilhelminenstra├če 7, D-64283 Darmstadt, Germany    Fax (+49) 6151 16 4701

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]