[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

buffer overflow in strfmon test harness

From: wagle
Subject: buffer overflow in strfmon test harness
Date: Fri, 24 May 2002 15:25:09 -0700 (PDT)

Hi --

The test harness for strfmon in redhat 7.3's version of glibc resides in


It defines a buffer of 32 chars.  But the test data in


contains a buffer size (nbt) of "33" in 11 of of the 45 test cases.

This results in the byte located immediately after the buffer being
zeroed, probably by the code:

      /* We clear the last available byte so we can find out whether
         the numeric representation is too long.  */
      s[maxsize - 1] = '\0';

The test harness 1probably needs to check for buffer overflows
specified by the user (ie, die noisely if "nbt > MONSIZE") or flaws in
the implementation (ie, writing beyond the user specified end of

I will solve it for myself in the short term by making the buffer
larger, but I don't believe that is the correct solution.

Have fun!

-- Perry Wagle

PS.  I detected it with the newest version of stackguard, beginning
its torture test ("build world").  This was the first buffer overflow
"in the wild" that it detected.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]