Re: Public disclosure of discovered vulnerabilities
sci.crypt archive

From: Andrew Swallow <am.swallow@btopenworld.com>
Date: Sat Jun 11 2005 - 01:39:37 CEST

Terje Mathisen wrote:

> Andrew Swallow wrote:
>
>
>>Terje Mathisen wrote:
>>
>>
>>>Andrew Swallow wrote:
>>> BUFFER[POINTER_NEXT] = DATA;
>>> POINTER_NEXT = next;
>>>
>>> return 0;
>>>}
>>>
>>>Terje
>>>
>>>PS. There is still at least one possible hole in my implementation! :-)
>>>
>>
>>Such as not incrementing COUNT
>
>
> You're right, I did forget to include that line! :-(
>
> I was actually thinking about my intentional hole where you could write
> to index -1 of the array, i.e. overwriting whatever was in front of it!
> (Maybe the actual range limit of the array?)
>
>>Pointer overflow - well spotted. I was still assuming accident
>>rather than malicious attack.
>
>
> Huh?

If the variables are initialised to zero during start-up, and the only
place the pointer can be incremented is this subroutine, then pointer
overflow cannot happen. For the pointer to have an invalid value,
something else must have corrupted it. The attacker may have a way of
changing a single variable, like the pointer, but needs the buffer
overflow to load his program.

Andrew Swallow
Received on Thu Sep 29 21:43:00 2005
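An added example, not code posted by any participant in this thread, showing a defensive version of the write routine under discussion: the write path checks the pointer and count invariants before indexing, so a pointer that something else has corrupted (the "index -1" case) is reported instead of being used as an array index, and the forgotten COUNT increment and full-buffer check are present. The ring_t type, RING_SIZE and the return codes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical fixed-size ring buffer, named after the BUFFER / POINTER_NEXT /
 * COUNT variables in the thread (constructed for this example). */
#define RING_SIZE 8

typedef struct {
    uint8_t buffer[RING_SIZE];
    size_t  pointer_next;   /* index of the next free slot */
    size_t  count;          /* number of stored elements   */
} ring_t;

/* Return codes: stored, buffer full, or corrupted state detected. */
enum { RING_OK = 0, RING_FULL = -1, RING_CORRUPT = -2 };

void ring_init(ring_t *r) { r->pointer_next = 0; r->count = 0; }

/* The invariants that "initialised to zero and only incremented here" is
 * supposed to guarantee.  If anything else has changed the pointer or the
 * count, refuse to write rather than index outside the array. */
static bool ring_state_valid(const ring_t *r) {
    return r->pointer_next < RING_SIZE && r->count <= RING_SIZE;
}

int ring_put(ring_t *r, uint8_t data) {
    if (!ring_state_valid(r))
        return RING_CORRUPT;      /* pointer or count has been tampered with */
    if (r->count == RING_SIZE)
        return RING_FULL;         /* full-buffer check */
    r->buffer[r->pointer_next] = data;
    r->pointer_next = (r->pointer_next + 1) % RING_SIZE;  /* wraps, never -1 or SIZE */
    r->count++;                   /* the increment the thread noticed was missing */
    return RING_OK;
}

/* Exercise the three outcomes; returns 1 when all behave as expected. */
int ring_selftest(void) {
    ring_t r;
    ring_init(&r);
    for (size_t i = 0; i < RING_SIZE; i++)
        if (ring_put(&r, (uint8_t)i) != RING_OK) return 0;
    if (ring_put(&r, 0xFF) != RING_FULL || r.count != RING_SIZE) return 0;
    r.pointer_next = (size_t)-1;  /* simulate the corrupted "index -1" pointer */
    return ring_put(&r, 0xAA) == RING_CORRUPT;
}
```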