How To Recognize Improper String Length Checking Vulnerabilities

From Guidance Share

The following example would be exploitable if either of the commented-out, incorrect malloc() calls were used in place of the correct one: both compute a byte count that is smaller than the wide string actually occupies, so a later copy into newString writes past the end of the heap allocation.

#include <stdio.h>
#include <stdlib.h>   /* malloc, free */
#include <string.h>   /* strlen */
#include <wchar.h>    /* wcslen */

int main(void) {
    wchar_t wideString[] = L"The spazzy orange tiger jumped "
                           L"over the tawny jaguar.";
    wchar_t *newString;

    /* strlen() is applied to the wide string (via a cast) only to show the
       mistake: it counts bytes up to the first zero byte, not wide characters. */
    printf("Strlen() output: %d\nWcslen() output: %d\n",
           (int) strlen((const char *) wideString), (int) wcslen(wideString));

    /* Very wrong for obvious reasons:
       newString = (wchar_t *) malloc(strlen((const char *) wideString));
    */

    /* Wrong because wide characters aren't 1 byte long!
       newString = (wchar_t *) malloc(wcslen(wideString));
    */

    /* Correct: count the characters, add one for the terminating L'\0',
       and scale by the size of a wide character to get a byte count. */
    newString = (wchar_t *) malloc((wcslen(wideString) + 1) * sizeof(wchar_t));
    /* ... */
    free(newString);
    return 0;
}

The output from the printf() statement would be:

Strlen() output: 0
Wcslen() output: 53
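To make the size mistake measurable rather than just visible, the following added example (written for this page, not code from Guidance Share) puts the wrong and the correct byte-count calculations side by side on the same 53-character sentence, guards the multiplication against integer overflow, and uses the correct count to allocate and copy. The helper names wide_bytes_wrong, wide_bytes_needed, wide_dup and wide_shortfall are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <stdint.h>

/* Constructed sample input: the same 53-character sentence as on the page. */
static const wchar_t SAMPLE[] = L"The spazzy orange tiger jumped over the tawny jaguar.";

/* The mistaken calculation: counts wide characters, not bytes, and leaves no
 * room for the terminating L'\0'. Kept only so the shortfall can be measured. */
size_t wide_bytes_wrong(const wchar_t *s) {
    return wcslen(s);
}

/* Correct calculation: (characters + terminator) * element size, with an
 * overflow guard so an attacker-controlled length cannot wrap the product. */
size_t wide_bytes_needed(const wchar_t *s) {
    size_t chars = wcslen(s);
    if (chars > SIZE_MAX / sizeof(wchar_t) - 1)
        return 0; /* would overflow: report failure rather than under-allocate */
    return (chars + 1) * sizeof(wchar_t);
}

/* Allocates the correct number of bytes and copies the string, terminator included. */
wchar_t *wide_dup(const wchar_t *s) {
    size_t bytes = wide_bytes_needed(s);
    if (bytes == 0)
        return NULL;
    wchar_t *copy = malloc(bytes);
    if (copy == NULL)
        return NULL;
    memcpy(copy, s, bytes);
    return copy;
}

/* Bytes the wrong calculation under-allocates for this string: the overflow margin. */
size_t wide_shortfall(const wchar_t *s) {
    return wide_bytes_needed(s) - wide_bytes_wrong(s);
}

int main(void) {
    wchar_t *copy = wide_dup(SAMPLE);
    if (copy == NULL)
        return 1;
    printf("chars=%zu needed=%zu wrong=%zu shortfall=%zu bytes\n",
           wcslen(SAMPLE), wide_bytes_needed(SAMPLE),
           wide_bytes_wrong(SAMPLE), wide_shortfall(SAMPLE));
    free(copy);
    return 0;
}
```

With a 4-byte wchar_t the wrong size is 53 bytes against 216 needed, so a copy of the sentence would overrun the heap block by 163 bytes.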