NetBSD-Users archive


Re: Buffer Overflow - fvwrite.c and fread.c sources



Hi,
@Matthias: Thanks for replying! Pardon me for the insufficient information in
the previous mail.

1.
fread.c:
 79    (void)memcpy((void *)p, (void *)fp->_p, (size_t)r);

fvwrite.c:
inside __sfvwrite function.
166     COPY(w);   /* expansion at line 83, a memcpy call again. */

2.
I am currently investigating the "possibility" of a buffer overflow at these
places. memcpy can write outside the bounds of allocated memory!
* This is why I need to examine where fp->_p and fp->_r get their values
from.
* Where the memory allocation of _p, _r etc. takes place.
* The FILE structure is defined in the file stdio.h. It has all these members.

3.
What I mean by knowing the contents of the FILE structure is this:
if I write a sample program which opens a sample text file (FILE *fp),
performs read/write operations, and finally prints various FILE structure
members like fp->_p, _r etc., then when I compile the program it says fp has
no member named _p, _r!

4.
I am using NetBSD 5.1.

I hope I have made it clear enough.

Thanks,
Nikunj



On Wed, Dec 22, 2010 at 6:20 AM, Matthias Scheler
<tron%zhadum.org.uk@localhost> wrote:

> On Tue, Dec 21, 2010 at 03:38:31PM +0530, nikunj badjatya wrote:
> > I am just 3 months old to Linux and Cprogramming.
>
> This mailing list is about the NetBSD operating system, not about Linux.
>
> > Recently started investigating on Buffer overflow issues with fvwrite.c
> and
> > fread.c sources.
>
> Please explain why you think there is a buffer overflow issue.
> I've just reviewed the implementation of fread(3) in "fread.c" and
> it looks fine to me.
>
> > Present in lib/libc/stdio/* folder. Here's my investigation:-
> > {
> > There is a memcpy function.
> >
> > *1. at line 81 in fread.c -
> > (void)memcpy((void *)p, (void *)fp->_p, (size_t)r);
>
> Line 81 of "fread.c" looks like this:
>
>        /* fp->_r = 0 ... done in __srefill */
>
> > 2. and at line 168 in fvwrite.c. after expanding COPY macro*.
>
> What COPY macro? There is no COPY macro defined or used in "fread.c".
> Can you please explain which *NetBSD* sources you are looking at?
>
> > How do I know the contents of FILE structure.?
>
> It is private to the library and therefore off limits.
>
>        Kind regards
>
> --
> Matthias Scheler                                  http://zhadum.org.uk/
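The thread above is about whether the memcpy inside fread(3) can write past the caller's buffer, and about inspecting private FILE members to find out. As an added example, not part of this thread and not NetBSD's libc code, the C program below checks the property empirically through the public stdio contract instead: fread(3) promises to write at most size*nmemb bytes into the destination, so the program places a 64-byte buffer directly before a guard region filled with a known byte, reads from a temporary file that is larger (and then smaller) than the buffer, and reports whether the guard survived and the returned count matches. The buffer size, guard size, guard byte and the file pattern are constructed values chosen for this example; no private FILE members are touched, so it compiles on any C99 platform.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Size of the destination buffer handed to fread(3) and of the guard
   region placed directly after it (constructed sample values). */
#define BUF_SIZE   64
#define GUARD_SIZE 16
#define GUARD_BYTE 0xA5

/* Fill a temporary file with `len` bytes of a known pattern and rewind it.
   Returns NULL on failure. */
static FILE *make_sample_file(size_t len)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        if (fputc((int)('A' + (i % 26)), fp) == EOF) {
            fclose(fp);
            return NULL;
        }
    }
    rewind(fp);
    return fp;
}

/* Read up to BUF_SIZE bytes from a file of `file_len` bytes into a buffer
   that is immediately followed by a guard region.  Returns the byte count
   fread(3) reported, or (size_t)-1 if the guard region was modified or the
   data read does not match the file, i.e. if the library misbehaved. */
size_t read_with_guard(size_t file_len)
{
    struct {
        unsigned char buf[BUF_SIZE];     /* destination handed to fread */
        unsigned char guard[GUARD_SIZE]; /* must stay untouched */
    } region;
    memset(region.buf, 0, sizeof region.buf);
    memset(region.guard, GUARD_BYTE, sizeof region.guard);

    FILE *fp = make_sample_file(file_len);
    if (fp == NULL)
        return (size_t)-1;

    size_t got = fread(region.buf, 1, BUF_SIZE, fp);
    fclose(fp);

    /* Any change to the guard bytes would mean an out-of-bounds write. */
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (region.guard[i] != GUARD_BYTE)
            return (size_t)-1;

    /* The bytes that were read must match the pattern written to the file. */
    for (size_t i = 0; i < got; i++)
        if (region.buf[i] != (unsigned char)('A' + (i % 26)))
            return (size_t)-1;

    return got;
}

int main(void)
{
    /* File larger than the buffer: fread must stop at BUF_SIZE bytes. */
    size_t full = read_with_guard(BUF_SIZE * 4);
    /* File smaller than the buffer: fread must return the short count. */
    size_t part = read_with_guard(BUF_SIZE / 2);
    printf("large file: %zu bytes, small file: %zu bytes\n", full, part);
    return (full == BUF_SIZE && part == BUF_SIZE / 2) ? 0 : 1;
}
```

A test like this checks the documented contract on the build it runs against; it does not prove the library source correct, but it is the first thing to run before reading __srefill or __sfvwrite line by line, and it works without the private struct members the compiler refuses to expose.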

