...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdlib.h> #include <string.h> enum {SIG_DESC_SIZE = 32}; typedef struct { char sig_desc[32SIG_DESC_SIZE]; } signal_info; void func(size_t num_of_records, size_t temp_num, const char *tmp2) { signal_info *start = (signal_info *)calloc(num_of_records, sizeof(signal_info)); signal_info *point = start + temp_num - 1; if (tmp2 == NULL) { /* Handle error */ } memcpy(point->sig_desc, tmp2, strlen(tmp2))SIG_DESC_SIZE); point->sig_desc[ SIG_DESC_SIZE - 1] = '\0'; /* ... */ } |
When calloc() fails, it returns a null pointer that is assigned to start. If start is null, an attacker can provide a value for temp_num that, when scaled by the the sizeof(signal_info), references a writable address to which control is eventually transferred. The contents of the string referenced by tmp2 can then be used to overwrite the address, resulting in an arbitrary code execution vulnerability.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdlib.h> #include <string.h> enum {SIG_DESC_SIZE = 32}; typedef struct { char sig_desc[32SIG_DESC_SIZE]; } signal_info; void func(size_t num_of_records, size_t temp_num, const char *tmp2) { signal_info *point; signal_info *start = (signal_info *)calloc(num_of_records, sizeof(signal_info)); if (start == NULL) { /* Handle allocation error */ } else if (tmp2 == NULL) { /* Handle error */ } point = start + temp_num - 1; memcpy(point->sig_desc, tmp2, strlen(tmp2))SIG_DESC_SIZE); point->sig_desc[ SIG_DESC_SIZE - 1] = '\0'; /* ... */ } |
Noncompliant Code Example (realloc())
...