Bugtraq
mailing list archives
Re: Format String Attacks
From: Matthias Meixner <meixner () RBG INFORMATIK TU-DARMSTADT DE>
Date: Fri, 22 Sep 2000 08:54:53 +0200
Ajax wrote:
> [...]
> /* init AP to the next arg we pop from the stack */
> #define va_start(AP, LASTARG) \
> (AP = ((__gnuc_va_list) __builtin_next_arg (LASTARG)))
> /* advance the AP pointer and return the next arg */
> #define va_arg(AP, TYPE) \
> (AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE)), \
> *((TYPE *) (void *) ((char *) (AP) - __va_rounded_size (TYPE))))
>
> Note how this works; AP is treated as, essentially, void *AP[], an array
> of pointers to arbitrary types. This creates a natural terminating
> condition, where the last element in the array is NULL (_not_ a pointer to
> NULL).
Wrong. AP is not an array of pointers pointing to the arguments, but a pointer
to the beginning of the arguments on the stack. va_arg is shifting this
pointer further by the size of the object on the stack
[(AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE)))]
each time an argument is read.
So there is no pointer array that could be terminated by a NULL pointer.
- Matthias Meixner
--
Matthias Meixner meixner () rbg informatik tu-darmstadt de
Technische Universität Darmstadt
Rechnerbetriebsgruppe Telefon (+49) 6151 16 6670
Wilhelminenstraße 7, D-64283 Darmstadt, Germany Fax (+49) 6151 16 4701
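As an added example (not code from either post), the quoted macros modelled over a constructed byte buffer: `struct argarea`, `push_arg`, `pop_ints` and `pack_demo` are inventions of this example, not GCC's. It shows that va_arg is plain pointer arithmetic with no terminator, so any bound on how many arguments get read has to come from the caller's side (here a byte count; in printf, a format string that matches the arguments).

```c
#include <stddef.h>
#include <string.h>

/* Mirror of GCC's __va_rounded_size from the quoted header: each argument
   occupies a whole number of int-sized slots in the argument area. */
#define VA_ROUNDED_SIZE(TYPE) \
    ((sizeof(TYPE) + sizeof(int) - 1) / sizeof(int) * sizeof(int))

/* Constructed stand-in for the caller's argument area: a flat run of bytes,
   not an array of pointers. The layout is ours, not any real ABI's. */
struct argarea {
    unsigned char bytes[64];
    size_t used;            /* bytes the caller actually wrote */
};

/* Caller side: append one argument, zero-padded to its rounded slot. */
static void push_arg(struct argarea *a, const void *val, size_t size)
{
    size_t rounded = (size + sizeof(int) - 1) / sizeof(int) * sizeof(int);
    memset(a->bytes + a->used, 0, rounded);
    memcpy(a->bytes + a->used, val, size);
    a->used += rounded;
}

/* Consumer side, the quoted va_arg: AP is a plain byte pointer that is
   advanced by the rounded size. Nothing here looks for a terminator. */
#define MY_VA_ARG(AP, TYPE) \
    ((AP) = (unsigned char *)(AP) + VA_ROUNDED_SIZE(TYPE), \
     *(TYPE *)(void *)((unsigned char *)(AP) - VA_ROUNDED_SIZE(TYPE)))

/* Pop up to `want` ints. The bound comes from a->used, i.e. from what the
   caller told us, because va_arg itself cannot tell where the arguments
   end. Returns how many ints were actually read. */
static int pop_ints(struct argarea *a, int want, int out[])
{
    unsigned char *ap = a->bytes;        /* va_start: point at first arg */
    int n = 0;
    while (n < want && (size_t)(ap - a->bytes) + sizeof(int) <= a->used)
        out[n++] = MY_VA_ARG(ap, int);
    return n;
}

/* A char still takes a full int slot, so pushing {char, int, char} uses
   3 * sizeof(int) bytes; returns that count for checking. */
static size_t pack_demo(struct argarea *a)
{
    char c = 'A'; int i = 7; char d = 'Z';
    a->used = 0;
    push_arg(a, &c, sizeof c);
    push_arg(a, &i, sizeof i);
    push_arg(a, &d, sizeof d);
    return a->used;
}
```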