How To Recognize Improper String Length Checking Vulnerabilities
From Guidance Share
Jump to navigationJump to search
The following example would be exploitable if any of the commented incorrect malloc calls were used.
#include <stdio.h>
#include <strings.h>
#include <wchar.h>
int main() {
wchar_t wideString[] = L"The spazzy orange tiger jumped ” \
“over the tawny jaguar.";
wchar_t *newString;
printf("Strlen() output: %d\nWcslen() output: %d\n",
strlen(wideString), wcslen(wideString));
/* Very wrong for obvious reasons //
newString = (wchar_t *) malloc(strlen(wideString));
*/
/* Wrong because wide characters aren't 1 byte long! //
newString = (wchar_t *) malloc(wcslen(wideString));
*/
/* correct! */
newString = (wchar_t *) malloc(wcslen(wideString) *
sizeof(wchar_t));
/* ... */
}
The output from the printf() statement would be: Strlen() output: 0 Wcslen() output: 53
