...
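```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *foo;

/* Noncompliant: the handler calls free() on an object shared with main(). */
void int_handler(int signum) {
  free(foo);
  _Exit(0);
}

int main(void) {
  foo = malloc(15);
  if (foo == NULL) {
    return EXIT_FAILURE;
  }
  signal(SIGINT, int_handler);
  strcpy(foo, "Hello World.");
  puts(foo);
  free(foo);
  return 0;
}
```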
Compliant Solution
Signal handlers should be as minimal as possible, only unconditionally setting a flag where appropriate, and returning. You may also call the _Exit function to immediately terminate program execution.
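```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *foo;

/* Compliant: the handler only calls _Exit() and never touches foo. */
void int_handler(int signum) {
  _Exit(0);
}

int main(void) {
  foo = malloc(15);
  if (foo == NULL) {
    return EXIT_FAILURE;
  }
  signal(SIGINT, int_handler);
  strcpy(foo, "Hello World.");
  puts(foo);
  free(foo);
  return 0;
}
```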
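The flag-setting form described in the Compliant Solution text above, as an added example (not code from the original page): the handler only sets a volatile sig_atomic_t flag, and main-line code reacts to it and frees foo exactly once. The names got_sigint, flag_handler and run_with_flag_handler are assumptions, and raise(SIGINT) is a constructed stand-in for an asynchronous Ctrl-C.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The only object shared with the handler is a volatile sig_atomic_t. */
static volatile sig_atomic_t got_sigint = 0;

/* Unconditionally set the flag and return: no heap calls, no stdio. */
static void flag_handler(int signum) {
  (void)signum;
  got_sigint = 1;
}

/*
 * Hypothetical demo routine (not from the original page).
 * deliver_signal != 0 simulates SIGINT arriving while foo is live.
 * Returns 1 if the signal was observed, 0 if not, -1 on setup failure.
 */
int run_with_flag_handler(int deliver_signal) {
  int interrupted;
  char *foo = malloc(15);
  if (foo == NULL) {
    return -1;
  }
  got_sigint = 0;
  if (signal(SIGINT, flag_handler) == SIG_ERR) {
    free(foo);
    return -1;
  }
  strcpy(foo, "Hello World.");
  if (deliver_signal) {
    raise(SIGINT); /* constructed stand-in for the user pressing Ctrl-C */
  }
  /* Normal control flow, not the handler, decides what to do. */
  interrupted = (got_sigint != 0);
  if (!interrupted) {
    puts(foo);
  }
  free(foo); /* the single free happens here, outside the handler */
  signal(SIGINT, SIG_DFL);
  return interrupted;
}

int main(void) {
  printf("interrupted=%d\n", run_with_flag_handler(1));
  return 0;
}
```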
Risk Assessment
Depending on the code, this could lead to any number of attacks, many of which could give root access. For an overview of some software vulnerabilities, see Zalewski's paper on understanding, exploiting and preventing signal-handling related vulnerabilities [Zalewski 01]. VU #834865 (http://www.kb.cert.org/vuls/id/834865) describes a vulnerability resulting from a violation of this rule.
...