Page History

...

Wiki Markup

The following example is based on a flaw discovered in the OpenBsd operating system \[[ref]\]. An integer, {{offsetskip_member}}, is added as an offset to a pointer of type {{struct big}} and the sum is then used as a destination address in a call to {{memset()}}. However, when {{offsetskip_member}} is added to the {{struct big}} pointer, it is automatically scaled by the size of {{struct big}}, which is 32 bytes (assuming 4 byte integers, 8 byte long long integers, and no structure padding). This results in the call to {{memset()}} writing to unintended memory.

Code Block

bgColor	#FFCCCC

struct big {
    unsigned long long member_1; /* typically 8 bytes */
    unsigned long long member_2; /* typically 8 bytes */
    unsigned long long member_3; /* typically 8 bytes */
    int member_4; /* typically 4 bytes */
    int member_5; /* typically 4 bytes */
};
/* ... */
size_t offsetskip_member = sizeof(unsigned long long);
struct big *s = malloc(sizeof(struct big));
if (!s) {
   /* Handle malloc() error */
}

memset(s + offsetskip_member, 0, sizeof (struct big) - offsetskip_member);
/* ... */
free(s);

Risk Assessment

...

Space shortcuts

Page tree

Versions Compared

Old Version 39

New Version 40

Key

Risk Assessment