Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Reverted from v. 25

...

Code Block
bgColor#FFCCCC
langc
int (*log_fn)(const char *, ...) = printf;
/* ... */
log_fn("foo");

If a vulnerability exists in this program that allows an attacker to overwrite the log_fn function pointer, such as a buffer overflow or arbitrary memory write, the attacker may be able to overwrite the value of printf with the location of an arbitrary function.

...

Code Block
bgColor#ccccff
langc
#include <Windows.h>
 
void *log_fn = EncodePointer(printf);
/* ... */
int (*fn)(const char *, ...) = (int (*)(const char *, ...))DecodePointer(log_fn);

fn("foo");

Note that DecodePointer() does not return success or failure.  If an attacker has overwritten the pointer contained in log_fn, the pointer returned will be invalid and cause your application to crash.  However, this is preferable to giving an attacker the ability to execute arbitrary code. 

...

Bibliography

[AA. Bibliography#MSDNMSDN]EncodePointer()
DecodePointer()

Microsoft Corporation 2012

Microsoft Security Development Lifecycle (SDL) – version 5.2Phase 3: Implementation

 

...

Image Modified