Date:      Wed, 9 Jul 2008 23:08:37 GMT
From:      Dmitry Andrianov <666.root@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/125455: memcpy() integer buffer overflow
Message-ID:  <200807092308.m69N8bDF054230@www.freebsd.org>
Resent-Message-ID: <200807092310.m69NA14Q084386@freefall.freebsd.org>


>Number:         125455
>Category:       misc
>Synopsis:       memcpy() integer buffer overflow
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 09 23:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Andrianov
>Release:        7.0-RELEASE
>Organization:
79.120.123.5
>Environment:
FreeBSD zingel.dubki.ru 7.0-RELEASE-p2 FreeBSD 7.0-RELEASE-p2 #3: Tue Jul  8 17:48:53 EEST 2008     beastie@zingel.dubki.ru:/usr/obj/usr/src/sys/BEASTIE  i386
>Description:
Hello.

I found an error when using the following code:


------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024

int main (int argc, char* argv[])
{
    int ouch;
    char buf[BUF_SIZE];

    /* argv[1] is read without checking argc, and atoi() reports no
     * errors; a negative value passes the signed comparison below */
    ouch = atoi(argv[1]);

    if (ouch < BUF_SIZE) {
        /* ouch is converted to size_t here, so a negative value turns
         * into a huge length and memcpy() runs past the end of buf */
        memcpy (buf, argv[2], ouch);
    }
    else
        printf("wow data!!!\n");

    return 0;
}
----

error:

Segmentation fault: 11

gdb:

# gdb -c memcpy.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
Core was generated by `calloc'.
Program terminated with signal 11, Segmentation fault.
#0  0x28137b87 in ?? ()
(gdb) i r
eax            0x281627a0       672540576
ecx            0xbfbfeca0       -1077941088
edx            0xbfbfeca0       -1077941088
ebx            0x281637f8       672544760
esp            0xbfbfe810       0xbfbfe810
ebp            0xbfbfe838       0xbfbfe838
esi            0x0      0
edi            0x100    256
eip            0x28137b87       0x28137b87
eflags         0x10282  66178
cs             0x33     51
ss             0x3b     59
ds             0x3b     59
es             0x3b     59
fs             0x3b     59
gs             0x3b     59
(gdb)




Check, please.

Thank you.


>How-To-Repeat:
# gcc -o memcpy memcpy.c
memcpy.c: In function 'main':
memcpy.c:15: warning: incompatible implicit declaration of built-in function 'memcpy'
memcpy.c:20: warning: incompatible implicit declaration of built-in function 'printf'
#./memcpy
Segmentation fault: 11
#./memcpy 1024
wow data!!!


>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
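As an added illustration, not part of the report and not FreeBSD's libc code: the comparison as the report writes it, next to a length check that rejects the inputs the report's program accepts (negative values, non-numeric strings, missing arguments, and lengths beyond the source or destination). The helper names report_check_accepts, checked_copy and demo_copy are mine.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024

/* The comparison as written in the report: atoi() yields a signed int,
 * so "-1" passes the check and then becomes a huge size_t in memcpy(). */
int report_check_accepts(const char *len_str)
{
    int ouch = atoi(len_str);
    return ouch < BUF_SIZE;
}

/* Hardened version (hypothetical helper): parse the length with strtol(),
 * require the whole string to be a decimal number, reject negatives,
 * and bound the copy by both the destination and the source length.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
long checked_copy(char *dst, size_t dst_size, const char *len_str, const char *src)
{
    char *end;
    long len;

    if (dst == NULL || len_str == NULL || src == NULL)
        return -1;                      /* missing argument: nothing is read */
    errno = 0;
    len = strtol(len_str, &end, 10);
    if (errno != 0 || end == len_str || *end != '\0')
        return -1;                      /* overflow, empty, or trailing junk */
    if (len < 0 || (size_t)len > dst_size)
        return -1;                      /* would go negative or exceed dst */
    if ((size_t)len > strlen(src))
        return -1;                      /* would read past the end of src */
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Convenience wrapper over a BUF_SIZE buffer like the one in the report. */
static char demo_buf[BUF_SIZE];
long demo_copy(const char *len_str, const char *src)
{
    return checked_copy(demo_buf, sizeof demo_buf, len_str, src);
}
```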


