fetchmail-friends

Re: not exploitable buffer overflow in fetchmail 5.6.0

2001-01-29 08:13:24
On Mon, Jan 29, 2001 at 02:18:58AM +0100, antirez wrote:
> The bug seems not to be exploitable because the stack layout in this
> function prevents corruption of the return address.
> If you change the order of the declarations of "buf" and "id" you will
> get a standard exploitable stack overflow.


Why is the buffer overflow in this case not exploitable?  Because the
buffer isn't on the stack or something?  I guess I would have to
understand something about the code for sscanf()?  I'm not trying to be
confrontational here, I'm just a stupid programmer who doesn't totally
understand the concept of programming for security.  If there are any
sites you can point me to that could shed some light on this subject, it
would be appreciated if you could send those.. :)

> It seems also that there are a very high number of insecure function
> calls in fetchmail, not exploitable since the coder joked
> with the size of the buffers and so on to prevent problems: warning,
> with this approach some day you will get a security problem.

How does messing with the size of the buffers prevent problems?  I
understand you're saying this is bad programming practice, but why?

I'm asking because I'm working on some Web/Internet stuff and I need to
understand these issues. Any help (Web sites, books, etc.) would be
appreciated. Thanks.

-- 


Rob A. Shinn, surak(_at_)tuxedo(_dot_)dnsalias(_dot_)org

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT/B/MU d+ s:+>: a- C++++$ ULHS++++$ P+>+++$ L+++ E++ W+++>$ N+ !o K?
w-- !O !M V-- PS+ PE++ Y+ PGP t+++ 5-- X++ R tv- b+++ DI+++ D++ G e+>++++ 
h* r-- y-->++**
------END GEEK CODE BLOCK------

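The questions above (why a given overflow is "not exploitable", and why sizing buffers generously is not a fix) come down to one idiom: `sscanf` with a bare `%s` writes as many bytes as the input contains, and the on-stack layout only decides what gets trampled first. The following is an added, stand-alone example written for this page, not fetchmail's code and not code from anyone in the thread; it assumes a hypothetical reply line of the form "<number> <token>", a hypothetical 64-byte buffer `buf` next to an `int id` as in antirez's description, and constructed input lines.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define BUF_SZ   64        /* hypothetical size of the on-stack buffer      */
#define BUF_MAX  63        /* BUF_SZ - 1: leaves room for the terminating NUL */
#define STR_(x)  #x
#define STR(x)   STR_(x)   /* so the width in the format string tracks BUF_MAX */

/* UNSAFE pattern (a generic reconstruction of the idiom under discussion,
 * not fetchmail's code). "%s" has no field width, so a token longer than
 * BUF_MAX bytes runs off the end of buf. If the compiler placed id just
 * above buf, the overrun clobbers id (and the parse fails or yields junk)
 * before it reaches the saved return address; with the declarations swapped
 * the same overrun reaches the return address sooner. Both are undefined
 * behaviour; the layout only decides what breaks first, which is why
 * "not exploitable today" is an accident rather than a property.
 * Kept for comparison only: never call it on untrusted input. */
static int parse_reply_unsafe(const char *line, int *id, char *buf)
{
    return sscanf(line, "%d %s", id, buf) == 2;
}

/* Hardened version: the field width caps the write at BUF_MAX characters
 * plus the NUL, and %n records how far sscanf got so a token that fit can
 * be told apart from one that was silently cut off. Returns 1 on success. */
static int parse_reply_safe(const char *line, int *id, char buf[BUF_SZ])
{
    int consumed = 0;

    if (sscanf(line, "%d %" STR(BUF_MAX) "s%n", id, buf, &consumed) != 2)
        return 0;                /* malformed: fewer than two fields */

    /* If the byte after the token is neither end-of-string nor whitespace,
     * the token was longer than BUF_MAX and was truncated: reject it rather
     * than accept a corrupted value. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return 0;

    return 1;
}

/* Constructed inputs for the demonstration (not real mail-server traffic).
 * Each returns the parsed id on success, or -1 if the line was rejected. */
static int demo_short_token(void)
{
    int id = 0;
    char buf[BUF_SZ];
    return parse_reply_safe("17 INBOX", &id, buf) ? id : -1;
}

static int demo_long_token(void)
{
    int id = 0;
    char buf[BUF_SZ];
    char line[256];

    memset(line, 'A', sizeof line);
    memcpy(line, "17 ", 3);      /* "17 " followed by a 200-byte token */
    line[3 + 200] = '\0';
    return parse_reply_safe(line, &id, buf) ? id : -1;
}

int main(void)
{
    int id = 0;
    char buf[BUF_SZ];

    /* The unsafe parser works on well-behaved input, which is exactly why
     * such bugs survive testing: only a hostile server triggers them. */
    printf("unsafe parser on short input: %s\n",
           parse_reply_unsafe("17 INBOX", &id, buf) ? "ok" : "failed");

    printf("safe parser, short token: id=%d\n", demo_short_token());
    printf("safe parser, 200-byte token: %s\n",
           demo_long_token() == -1 ? "rejected" : "accepted");
    return 0;
}
```

The width in the format is the actual bound; the size of the buffer is not, because the remote side chooses the token length. Enlarging `buf` only raises the threshold an attacker has to exceed, and tying the width to `BUF_MAX` through the macro keeps the two from drifting apart when someone later resizes the buffer. Build with `cc -Wall` and swap the order of `id` and `buf` in the unsafe variant to see for yourself that the compiler, not the programmer, is deciding what an overrun hits.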
