I’m trying to figure out if this could somehow be overflowed:
```c
#include <string.h>

/* The struct type name is truncated in the post ("arp_"); the layout below is
 * taken from the answer: a one-byte length followed by a 128-byte buffer.
 * _OFFSET1 and _OFFSET2 are defined elsewhere in the poster's program. */
struct arp_hwaddr {
    unsigned char length;
    unsigned char addr[128];
};

void print_address(char *packet)   /* the post names the argument both p and packet */
{
    struct arp_hwaddr hw;
    int i;                         /* unused in the fragment shown */
    hw.length = (unsigned char) *(packet + _OFFSET1); // 189 + 4 = 193
    memcpy(hw.addr, packet + _OFFSET2, hw.length);     // length is never checked against sizeof hw.addr
    return;
}
```
where packet is an input read from a .txt file?
hwaddr.len is an unsigned char which has range 0 to 255. So an attacker could send you a packet which declares length 255. Since hwaddr.addr is declared as a 128-byte buffer, the attacker can then deliver a payload of 127 bytes. Is that enough?

The usual x86 calling convention is to push the return address, push arguments, and then jump, at which point the callee will allocate each variable in the order declared. So, counting from the start of hwaddr, hwaddr.len will be 128 bytes above the stack pointer, packet will be 129 bytes above, and the return address will be 129 + sizeof(char *), which is at most 137 bytes even on a 64-bit system. So, yes, the attacker can overwrite your return address and deliver 118 bytes of shell code in addition.

Edit: I just figured out the OP's confusion. When you encode the length as an unsigned char, this does not mean you use ASCII to represent the length. That is, you do not read this byte, call atoi() on it, and get a single-digit number ranging from 0 to 9. You just use the eight bits like a really narrow int type, where each bit represents a binary digit.
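The two points in the answer (a one-byte length field is a binary value up to 255, and a 255-byte memcpy into a 128-byte field writes 127 bytes past it) can be exercised without corrupting a real stack. The following is an added example written for this page, not code from the question or the answer. The struct layout (a one-byte len followed by a 128-byte addr) is assumed from the answer's description; the packet offsets and contents are constructed; and the unchecked copy is performed into a caller-supplied shadow buffer so the demonstration stays within allocated memory while still showing how many bytes spill past addr. A bounded copy is shown beside it.

```c
#include <stddef.h>
#include <string.h>

/* Example added by the editor; not code from the question or the answer.
 * Layout assumed from the answer: one-byte length, then 128-byte address. */
#define ADDR_LEN 128u

struct arp_hwaddr {
    unsigned char len;
    unsigned char addr[ADDR_LEN];
};

/* The length byte is a binary value, not an ASCII digit: 0xFF decodes to 255,
 * and the character '5' (0x35) decodes to 53, not 5. */
unsigned decode_length(const unsigned char *len_byte)
{
    return (unsigned)*len_byte;
}

/* Unchecked copy, shaped like the question's memcpy, but into a shadow buffer
 * that models "addr followed by whatever sits above it on the stack".
 * Returns how many bytes landed beyond the 128-byte addr field, or
 * (size_t)-1 if the shadow buffer itself is too small to hold the copy. */
size_t copy_unchecked(unsigned char *shadow, size_t shadow_len,
                      const unsigned char *pkt, size_t len_off, size_t addr_off)
{
    size_t len = decode_length(pkt + len_off);
    if (len > shadow_len)
        return (size_t)-1;                 /* keeps the harness itself safe */
    memcpy(shadow, pkt + addr_off, len);   /* no check against ADDR_LEN */
    return len > ADDR_LEN ? len - ADDR_LEN : 0;
}

/* Bounded copy: the declared length is checked against the field size and
 * against the bytes actually present in the packet. 0 on success, -1 on reject. */
int copy_checked(struct arp_hwaddr *hw, const unsigned char *pkt, size_t pkt_len,
                 size_t len_off, size_t addr_off)
{
    if (len_off >= pkt_len || addr_off > pkt_len)
        return -1;                          /* offsets outside the packet */
    size_t len = decode_length(pkt + len_off);
    if (len > sizeof hw->addr)
        return -1;                          /* would overflow addr */
    if (len > pkt_len - addr_off)
        return -1;                          /* would read past the packet */
    hw->len = (unsigned char)len;
    memcpy(hw->addr, pkt + addr_off, len);
    return 0;
}

/* Constructed packet: length byte at len_off, 'len' bytes of 0x41 at addr_off.
 * Returns the packet size, or 0 if it does not fit in buf. */
size_t build_packet(unsigned char *buf, size_t buf_len, size_t len_off,
                    size_t addr_off, unsigned len)
{
    if (len > 255 || len_off >= buf_len || addr_off + len > buf_len)
        return 0;
    memset(buf, 0, buf_len);
    buf[len_off] = (unsigned char)len;
    memset(buf + addr_off, 0x41, len);
    return addr_off + len;
}

/* Whole scenario in one call: a packet declaring length 255 is copied
 * unchecked; returns the number of bytes written past addr (127 here). */
size_t run_demo(void)
{
    unsigned char pkt[5 + 255];
    unsigned char shadow[255];
    size_t n = build_packet(pkt, sizeof pkt, 4, 5, 255);
    if (n == 0)
        return (size_t)-1;
    memset(shadow, 0, sizeof shadow);
    return copy_unchecked(shadow, sizeof shadow, pkt, 4, 5);
}
```

The offsets 4 and 5 stand in for the poster's _OFFSET1 and _OFFSET2 and carry no meaning beyond the example. The important comparison is the two guards in copy_checked: the first prevents the stack overflow the answer describes, the second prevents the companion bug of reading past the end of a short packet.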