How To Identify Miscalculated Null Termination Vulnerabilities

From Guidance Share

While the following example is not exploitable, it shows how a terminating null byte can be omitted or misplaced even when a length-limited function such as strncpy() is used:

#include <stdio.h>
#include <string.h>

int main(void)
{
    char longString[] = "Cellular bananular phone";
    char shortString[16];
    /* n equals the destination size, so no room is left for a terminator:
       strncpy() only writes a '\0' when the source is shorter than n. */
    strncpy(shortString, longString, 16);
    /* Print the last byte both as a character and as its hex value. */
    printf("The last character in shortString is: %c %x\n",
           shortString[15], shortString[15]);
    return (0);
}

The above code gives the following output:

    The last character in shortString is: l 6c

So the shortString array does not end in a null character, even though the length-limited string function strncpy() was used.