...
# include "Base.h"
// The legitimate definition of Derived: a Base subclass carrying a one-byte
// buffer. Under the one definition rule this must be the only definition of
// Derived in the whole program; a second, differently laid-out definition in
// another translation unit is ill-formed with no diagnostic required.
class Derived: public Base {
public:
    // Start with the buffer holding 'a'.
    Derived() : buf_{'a'} {}
    // Replace the single buffer byte with 'z'. Whether a call through a Base
    // pointer reaches this body depends on Base::run being virtual (Base.h not shown).
    void run() { buf_[0] = 'z'; }
    char buf_[1];
};
// Drives two Derived objects through Base pointers. With a single, consistent
// definition of Derived, each run() call is expected to write 'z' into its own
// object's buffer and nothing else.
void runModule() {
    Derived a;
    Derived b;
    Base* const pb = &b;
    Base* const pa = &a;
    pb->run();  // Expect b.buf_[0] == 'z'
    pa->run();  // Expect a.buf_[0] == 'z'
}
...
# include "Base.h"
// Attacker: a Base subclass whose run() does not perform the legitimate work.
// In this listing it only serves as an object whose leading bytes (described
// by the original comments as its vtable pointer) get copied elsewhere.
class Attacker: public Base {
public:
    void run () {
        // vtable is overwritten
        // do malicious things here
        // ...
    }
}
// NOTE(review): as extracted, no ';' follows the Attacker class body.
// A second, conflicting definition of Derived. The legitimate definition
// elsewhere on this page declares char buf_[1]; this one declares
// char buf_[16] and a different run(). Two definitions of one class in a
// program violate the one definition rule: the linker silently keeps one, and
// code compiled against the other operates on a mismatched object layout.
// Defences: define Derived in exactly one header included by every
// translation unit, and turn on ODR checking where the toolchain offers it
// (e.g. GCC's -Wodr under -flto, or a sanitizer's ODR-violation detection).
class Derived: public Base { // Class violating ODR
public:
    void run () {
        buf_[0] = 'z'; // Looks normal, but ...
        Attacker x; // Instantiate to get a vtable to inject
        // Copies the first sizeof(unsigned) bytes of x into buf_ at offset 12.
        // The constant 12 hard-codes an object layout that nothing here checks;
        // the C-style casts also bypass strict aliasing and alignment rules.
        *((unsigned *)(buf_ + 12)) = *((const unsigned *)(&x));
    }
    char buf_[16]; // Buffer used to overwrite vtable
};
Derived d; // Instantiate to get malicious Derived
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC31-C | 3 (high) | 1 (unlikely) | 1 (high) | P3 | L3 |
References
[ISO/IEC 14882-2003|AA. C++ References#ISO/IEC 14882-2003] Section 3.2, "One definition rule"
[Quinlan 06|AA. C++ References#Quinlan 06]