Date:      Sun, 9 Feb 1997 15:09:25 -0500 (EST)
From:      Brian Tao <taob@risc.org>
To:        Richard Holland <rholland@freon.republic.k12.mo.us>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: buffer overruns
Message-ID:  <Pine.BSF.3.95.970209150710.18300A-100000@alpha.risc.org>
In-Reply-To: <Pine.LNX.3.91.970209124900.2336B-100000@freon.republic.k12.mo.us>

On Sun, 9 Feb 1997, Richard Holland wrote:
>
> So the set locale bug is this only put differently.  It allocates X
> amount of bytes for the buffer, and people put too much junk into it,
> causing it to step into other memory addresses.

    Essentially, yes.  Specifically, you can overrun the allocated
amount of memory so that it clobbers the return address from the
function (i.e., where the next piece of code is found once your
function returns) and points it to a new piece of code you just
inserted with the overflow data.

> If I am right here, how would you know just how far you have to go
> over and what the characters need to be once you get thus far?

    It is obviously best not to go over by even one byte.  :)
--
Brian Tao (BT300, taob@risc.org)
"Though this be madness, yet there is method in't"
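The mechanics Brian describes above (data spilling past the end of a fixed buffer and landing on the saved return address, with the distance to that slot being what decides "how far you have to go over"), as an added example that is not part of the thread. The code models one stack frame as a C struct (a 16-byte buffer followed by the saved return address) so the overrun is deterministic and does not crash; the frame layout, the `GOOD_RET` value and the attacker's target address are all constructed for the demonstration and stand in for what a real compiler and a real exploit would use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame: a 16-byte local buffer followed by the saved
 * return address, as a compiler that places locals below the return
 * address would lay it out. It is a struct, not the real stack, so the
 * demonstration is deterministic and does not crash (hypothetical layout). */
struct frame {
    char buf[16];
    uintptr_t saved_ret;
};

/* Constructed stand-in for the legitimate return address. */
#define GOOD_RET ((uintptr_t)0x400500)

/* The bug: copy `len` bytes into the buffer with no bound, the way strcpy()
 * trusts the input's terminator. Bytes past buf[15] land on saved_ret.
 * Returns the saved return address as it stands after the copy. The model
 * is only sizeof(struct frame) bytes, so callers keep len within that. */
uintptr_t copy_unchecked(const unsigned char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = GOOD_RET;
    memcpy(&f, input, len);          /* overrun happens here when len > 16 */
    return f.saved_ret;
}

/* The fix: refuse anything that would not fit, not even one byte over. */
int copy_checked(const unsigned char *input, size_t len, struct frame *f) {
    if (len > sizeof f->buf)
        return -1;                   /* reject instead of spilling */
    memcpy(f->buf, input, len);
    return 0;
}

/* Answers "how far you have to go over": pad up to the return-address slot,
 * then supply the address the attacker wants control to jump to. */
size_t build_payload(unsigned char *out, size_t cap, uintptr_t new_ret) {
    size_t off = offsetof(struct frame, saved_ret);
    if (cap < off + sizeof new_ret)
        return 0;
    memset(out, 'A', off);                       /* filler up to the slot */
    memcpy(out + off, &new_ret, sizeof new_ret); /* native byte order */
    return off + sizeof new_ret;
}

/* Drive the vulnerable copy with a payload aimed at new_ret and report what
 * the frame's return address became. */
uintptr_t overflow_demo(uintptr_t new_ret) {
    unsigned char payload[sizeof(struct frame)];
    size_t len = build_payload(payload, sizeof payload, new_ret);
    return copy_unchecked(payload, len);
}

int main(void) {
    /* Constructed attacker-chosen target; in a real exploit this would point
     * at the injected code. */
    uintptr_t target = (uintptr_t)0xdeadbeef;
    printf("return address after overflow: 0x%lx (wanted 0x%lx)\n",
           (unsigned long)overflow_demo(target), (unsigned long)target);

    struct frame f = { {0}, GOOD_RET };
    unsigned char seventeen[17];
    memset(seventeen, 'A', sizeof seventeen);
    printf("bounded copy of 17 bytes: %s, return address still 0x%lx\n",
           copy_checked(seventeen, sizeof seventeen, &f) ? "rejected" : "accepted",
           (unsigned long)f.saved_ret);
    return 0;
}
```

On a real stack the distance between the buffer and the return address is set by the compiler (locals, padding, saved frame pointer), which is why exploit writers measure it rather than compute it; the struct here makes `offsetof()` the exact answer. The bounded copy shows the one check that ends the whole class of bug: compare the incoming length against the buffer, not against whatever happens to follow it.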