[ale] C question
Derek Atkins
warlord at MIT.EDU
Fri May 23 10:40:49 EDT 2014
DANGER WILL ROBINSON!
Potential buffer overflows detected!
More inline:
Jim Lynch <ale_nospam at fayettedigital.com> writes:
> Let me try that again.
> On 05/23/2014 05:43 AM, Jim Lynch wrote:
>> Untested, but should work.
>> On 05/22/2014 10:56 PM, Robert L. Harris wrote:
>>>
>>> #include <stdio.h>
>>> #include <stdlib.h>
>>> #include <sys/types.h>
>>> #include <unistd.h>
>>>
>>>
>>> int main(int argc, char **argv)
>>> {
>>>
>>> char Target[5] = argv[1];
It's unclear that this will do what you want. Moreover, if it *DOES* do
an implicit memcpy then Target won't be NULL-terminated. It also doesn't
verify that it's a number.
>>> printf("%s\n", argv[1]);
>>> printf("%s\n", Target);
>>>
>>> setuid( 662705787 );
>>> char Command[255]="/home/user/bin/Test.sh %s", Target;
>> char cmd[255];
>
> ^^^^^^^^^^^ forgot to dimension it.
>> sprintf(cmd,"ssh user@serverB -C /home/user/bin/Test.sh %s", Target);
Here you have a potential buffer overflow, especially since Target isn't
necessarily null terminated above. You should instead use snprintf() to
make sure you don't overflow your command.
However I think a better approach would be:
char Target[6]; // 5 chars for numbers, 1 for NULL
char* endnum = NULL;
unsigned long num;
num = strtoul(argv[1], &endnum, 10);
if ((endnum - argv[1]) != 5)
    exit(-1); // ERROR in Input
// %lu matches the unsigned long returned by strtoul()
snprintf(cmd, sizeof(cmd), "ssh user@serverB -C \"/home/user/bin/Test.sh %lu\"", num); // Note: I think we need the embedded quotes for ssh
>> system(cmd);
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
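
The approach from the reply above as a complete program (an added example, not code from the thread). The names build_cmd and ID_DIGITS are hypothetical, and the per-character digit check and the snprintf() truncation check go beyond what the reply shows: strtoul() on its own skips leading whitespace and accepts a sign.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ID_DIGITS 5  /* hypothetical name: the thread's target is a 5-digit number */

/* Build the ssh command for a validated 5-digit target.
 * Returns 0 on success, -1 on bad input or if the command would not fit. */
int build_cmd(const char *arg, char *cmd, size_t cmdlen)
{
    char *end = NULL;
    unsigned long num;
    int n;

    if (arg == NULL || strlen(arg) != ID_DIGITS)
        return -1;
    /* strtoul() skips leading whitespace and accepts '+' or '-', so
     * require every character to be a digit before converting. */
    for (size_t i = 0; i < ID_DIGITS; i++)
        if (!isdigit((unsigned char)arg[i]))
            return -1;

    num = strtoul(arg, &end, 10);
    if (end - arg != ID_DIGITS)   /* same length check as in the reply */
        return -1;

    /* snprintf() returns the length it wanted to write; a value
     * >= cmdlen means the command was truncated and must not be run. */
    n = snprintf(cmd, cmdlen,
                 "ssh user@serverB -C \"/home/user/bin/Test.sh %lu\"", num);
    if (n < 0 || (size_t)n >= cmdlen)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char cmd[255];

    if (argc != 2 || build_cmd(argv[1], cmd, sizeof(cmd)) != 0) {
        fprintf(stderr, "usage: prog <5-digit number>\n");
        return EXIT_FAILURE;
    }
    puts(cmd);  /* printed rather than passed to system() so the example has no side effects */
    return EXIT_SUCCESS;
}
```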