...
In this non-compliant code example derived from \[[Dowd|AA. C References#Dowd 06]\], integer values returned by {{parseint(getdata())}} are stored into {{buf}}, an array of {{INTBUFSIZE}} elements of type {{int}}. As long as data is available for insertion into {{buf}} (indicated by {{havedata()}}) and {{buf_ptr}} has not reached {{buf + sizeof(buf)}}, an integer value is stored at the address referenced by {{buf_ptr}} and the pointer is incremented. However, the {{sizeof}} operator returns the total number of bytes in {{buf}}, which is {{INTBUFSIZE * sizeof(int)}}, not the number of elements. In the addition {{buf}} decays to a pointer to {{int}}, so that byte count is scaled by {{sizeof(int)}} a second time, and the resulting bound lies {{sizeof(int)}} times farther out than the true end of the array. The check therefore fails to prevent integers from being written past the end of {{buf}}, and a buffer overflow is possible. The intended bound is the element count, {{buf + sizeof(buf) / sizeof(buf[0])}} (or simply {{buf + INTBUFSIZE}}).
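The flawed bound described above, as an added example that is not part of the original page or of Dowd's text: the non-compliant loop is placed beside a corrected form, and a hypothetical {{guard}} array is laid out directly after {{buf}} so the excess stores can be counted instead of corrupting something unrelated. {{havedata()}} and {{parseint(getdata())}} are replaced by a constructed, endless integer stream; {{INTBUFSIZE}}, the {{struct region}} layout and the {{GUARD_PATTERN}} sentinel are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>

#define INTBUFSIZE 8
#define GUARD_PATTERN (-0x5EED)   /* assumed sentinel; the stream never produces it */

/* Assumed layout: guard sits directly after buf (both are int arrays, so no
 * padding), and it is sized so that every store the flawed bound admits past
 * the end of buf lands in guard, where it can be counted. */
struct region {
    int buf[INTBUFSIZE];
    int guard[INTBUFSIZE * (sizeof(int) - 1)];
};

/* Constructed stand-in for the page's havedata()/getdata()/parseint(): an
 * endless stream of non-negative integers, so the loop is bounded only by
 * the pointer check under test. */
struct stream { int next; };
static int havedata(const struct stream *s) { (void)s; return 1; }
static int parseint_getdata(struct stream *s) { return s->next++; }

struct demo_result {
    size_t stores;     /* how many ints the loop wrote */
    size_t clobbered;  /* how many of them landed past the end of buf */
};

static void arm_guard(struct region *r) {
    for (size_t i = 0; i < sizeof r->guard / sizeof r->guard[0]; i++)
        r->guard[i] = GUARD_PATTERN;
}

static size_t count_clobbered(const struct region *r) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof r->guard / sizeof r->guard[0]; i++)
        if (r->guard[i] != GUARD_PATTERN) n++;
    return n;
}

/* Non-compliant: sizeof(r.buf) is a byte count (INTBUFSIZE * sizeof(int)), but
 * adding it to an int * scales it by sizeof(int) again, so the bound lies
 * sizeof(int) times too far out and the loop runs off the end of buf. */
struct demo_result demo_noncompliant(void) {
    struct region r; struct stream s = {0}; struct demo_result res = {0, 0};
    arm_guard(&r);
    int *buf_ptr = r.buf;
    while (havedata(&s) && buf_ptr < r.buf + sizeof(r.buf)) {
        *buf_ptr++ = parseint_getdata(&s);
        res.stores++;
    }
    res.clobbered = count_clobbered(&r);
    return res;
}

/* Compliant: bound the pointer by the element count, not the byte count. */
struct demo_result demo_compliant(void) {
    struct region r; struct stream s = {0}; struct demo_result res = {0, 0};
    arm_guard(&r);
    int *buf_ptr = r.buf;
    int *const buf_end = r.buf + sizeof(r.buf) / sizeof(r.buf[0]);
    while (havedata(&s) && buf_ptr < buf_end) {
        *buf_ptr++ = parseint_getdata(&s);
        res.stores++;
    }
    res.clobbered = count_clobbered(&r);
    return res;
}

int main(void) {
    struct demo_result bad = demo_noncompliant(), good = demo_compliant();
    printf("non-compliant: %zu stores into a %d-element buffer, %zu past the end\n",
           bad.stores, INTBUFSIZE, bad.clobbered);
    printf("compliant:     %zu stores, %zu past the end\n", good.stores, good.clobbered);
    return 0;
}
```

With 4-byte {{int}} the non-compliant loop performs 32 stores into an 8-element array and 24 of them land in {{guard}}; the compliant loop stops after exactly {{INTBUFSIZE}} stores. The guard array exists only to make the overrun observable here; in real code the same stores would hit whatever happens to follow {{buf}} on the stack.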
...
\[[Dowd|AA. C References#Dowd 06]\] Chapter 6, "C Language Issues" (Vulnerabilities)
\[[Murenin 07|AA. C References#Murenin 07]\] [cnst: 10-year-old pointer-arithmetic bug in make(1) is now gone, thanks to malloc.conf and some debugging|http://cnst.livejournal.com/24040.html]