Do you C the vulnerabilities?
We were asked to find the vulnerabilities in 3 snippets of C code.
From the first: since the length variable is a signed short, it can be negative. The function only checks that the length is not larger than the maximum; it does not account for what happens when it is fed a negative number, which passes that upper-bound check.
From the second: sizeof(userstring) returns the size of the variable, 1024, not the length of its string contents plus the terminating NULL character. Also, taking sizeof() of a pointer does not return the size of the object it points to, but only the size of the pointer itself (the address it holds), which is usually much smaller than the actual data.
From the third: the program stores a value of type size_t in an unsigned short int. A size_t has a maximum value equal to or greater than the size of the largest object the host system can handle. A short is only two bytes and an int is four bytes. A 32-bit system can handle objects up to the maximum size of an unsigned int, four bytes' worth, and a 64-bit system can handle even larger objects. Both exceed what a two-byte short can represent. As such, if sizeof() the userstring is greater than the maximum value of a short but less than the maximum value of an unsigned int, it will overflow the short and could produce a truncated value that appears to fit in the buffer. The function would then operate outside its defined bounds and write outside the buffer's allocated space.
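The three defects above, reproduced side by side with a corrected check for each, as an added example that is not part of the original write-up or the snippets it reviews. It assumes a 1024-byte userstring buffer and uses hypothetical function names; the pointer-decay case is shown by passing the array to a function, which is where sizeof silently switches from the array to the pointer.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 1024                 /* assumed size of the userstring buffer */
static char userstring[BUF_SIZE];     /* constructed buffer for the sizeof demo */

/* Snippet 1: signed short length. An upper-bound-only check lets a
 * negative length through, and memcpy() then receives it as a size_t. */
bool length_ok_insecure(short len) { return len <= BUF_SIZE; }              /* -1 passes */
bool length_ok_secure(short len)   { return len >= 0 && len <= BUF_SIZE; }  /* reject negatives */
size_t as_memcpy_size(short len)   { return (size_t)len; }                  /* -1 becomes SIZE_MAX */

/* Snippet 2: sizeof on the array itself gives the buffer size, but once the
 * array is passed to a function it decays to a pointer and sizeof gives only
 * the pointer's own size. */
size_t array_sizeof(void)            { return sizeof userstring; }   /* 1024 */
size_t pointer_sizeof(char *param)   { return sizeof param; }        /* sizeof(char *) */

/* Snippet 3: storing a size_t in an unsigned short keeps only the low 16 bits,
 * so a length just above USHRT_MAX wraps to a small value that "fits". */
unsigned short truncate_to_ushort(size_t len) { return (unsigned short)len; }
bool fits_insecure(size_t len) { unsigned short n = (unsigned short)len; return n <= BUF_SIZE; }
bool fits_secure(size_t len)   { return len <= BUF_SIZE; }   /* compare in size_t, never narrow first */

int main(void) {
    size_t big = (size_t)USHRT_MAX + 1 + 16;   /* constructed: 65552, which wraps to 16 */
    printf("short -1 as size_t: %zu\n", as_memcpy_size(-1));
    printf("sizeof array %zu vs pointer %zu\n", array_sizeof(), pointer_sizeof(userstring));
    printf("%zu truncated: %hu, insecure fits=%d, secure fits=%d\n",
           big, truncate_to_ushort(big), (int)fits_insecure(big), (int)fits_secure(big));
    return 0;
}
```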