|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: [Format String vulnerabilities]
From: Chris Eagle (cseagle
redshift.com)
Date: Sat May 29 2004 - 06:00:21 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gerardo Richarte wrote:
> > Surely however the format string *itself* isn't passed on the stack
> > but a pointer to the format string. therefore the %x modifer would
> > return a hex representation of the address pointing to the string, *not*
> > a hex representation of the string contents?
>
> Everything you said is correct, except for 2 things:
>
> . the fact that the format string itself is not in the
> stack. This is actually why there is a buf[1024] and a
> strncpy(buf,argv[1],sizeof(buf)): to copy the format string to the stack.
>
...
> the code is:
>
> > fmt1.c ----------------------------------------------------
> >
> > int main(int argc, char *argv[]) {
> > char buf[1024];
> >
> > strncpy(buf, argv[1], sizeof(buf));
> > printf(argv[1]);
> > printf("\n");
> > }
> > ------------------------------------------------------------
argv[1] is already on the stack, there is no need for the strncpy call to
copy the format string to the stack. In fact, in this case, the call places
a second copy of argv[1] on the stack.
Chris
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]