Page History

In this non-compliant code example, integer values returned by {{parseint(getdata())}} are stored into an array of {{INTBUFSIZE}} elements of type {{int}} called {{buf}} \[[Dowd 06|AA. C References#Dowd 06]\].  If data is available for insertion into {{buf}} (which is indicated by {{havedata()}}) and {{buf_ptr}} has not been incremented past {{buf + sizeof(buf)}}, an integer value is stored at the address referenced by {{buf_ptr}}. However, the {{sizeof}} operator returns the total number of bytes in {{buf}}, which is typically a multiple of the number of elements in {{buf}}. This value is scaled to the size of an integer and added to {{buf}}. As a result, the check to make sure integers are not written past the end of {{buf}} is incorrect and a buffer overflow is possible.

\[[Dowd 06|AA. C References#Dowd 06]\] Chapter 6, "C Language Issues" (Vulnerabilities)
\[[Murenin  07|AA. C References#Murenin 07]\]