On Mon, Dec 15, 2003 at 05:48:21PM -0500, Dave G. wrote: > The overflow occurs in main() and there is an unavoidable exit() at > the end of the function. So while you can overwrite the return stack > frame, the process will never use your new value. Are you sure about this? exit(3) will perform cleanup functionality with at least stdio streams before calling exit(2). If FILE * are located in the same autovariable space as the overflowed buffer, there exists the possibility those stream pointers have been smashed; if those stream pointers have been smashed, I would NOT be confident in claiming this buffer overflow poses no problem. Remember that the latest OpenSSH vulnerabilities relied on the cleanup behaviour embedded throughout the code. (A call to a fatal-death function wasn't as fatal as the name would indicate. Oops.) -- A: No. Q: Should I include quotations after my reply?
Attachment:
pgp00447.pgp
Description: PGP signature
