How To Identify Improper String Length Checking Vulnerabilities

From Guidance Share
Revision as of 21:03, 1 December 2007 by JD (talk | contribs)
(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)
Jump to navigationJump to search

The following example would be exploitable if any of the commented incorrect malloc calls were used. 

#include <stdio.h>
#include <strings.h>
#include <wchar.h>
int main() { 
wchar_t wideString[] = L"The spazzy orange tiger jumped ” \ 
“over the tawny jaguar."; 
wchar_t *newString; 
printf("Strlen() output: %d\nWcslen() output: %d\n", 
strlen(wideString), wcslen(wideString)); 
/* Very wrong for obvious reasons // 
newString = (wchar_t *) malloc(strlen(wideString)); 
*/ 
/* Wrong because wide characters aren't 1 byte long! // 
newString = (wchar_t *) malloc(wcslen(wideString)); 
*/ 
/* correct! */ 
newString = (wchar_t *) malloc(wcslen(wideString) * 
sizeof(wchar_t)); 
/* ... */
}

The output from the printf() statement would be: Strlen() output: 0 Wcslen() output: 53