[ale] C question

Lightner, Jeff JLightner at dsservices.com
Fri May 23 11:11:59 EDT 2014


Doctor Smith would say:
Shut up you pusillanimous pile of post processing pipsqueak parts!




-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Derek Atkins
Sent: Friday, May 23, 2014 10:43 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] C question

DANGER WILL ROBINSON!
Potential buffer overflows detected!

More inline:

Jim Lynch <ale_nospam at fayettedigital.com> writes:

> Let me try that again.
> On 05/23/2014 05:43 AM, Jim Lynch wrote:
>> Untested, but should work.
>> On 05/22/2014 10:56 PM, Robert L. Harris wrote:
>>>
>>> #include <stdio.h>
>>> #include <stdlib.h>
>>> #include <sys/types.h>
>>> #include <unistd.h>
>>>
>>>
>>> int main(int argc, char **argv)
>>> {
>>>
>>>   char Target[5] = argv[1];

It's unclear that this will do what you want.  Moreover, if it *DOES* do an implicit memcpy then Target won't be NULL-terminated.  It also doesn't verify that it's a number.

>>>   printf("%s\n", argv[1]);
>>>   printf("%s\n", Target);
>>>
>>>   setuid( 662705787 );
>>>   char Command[255]="/home/user/bin/Test.sh %s", Target;
>> char cmd[255];
>
> ^^^^^^^^^^^ forgot to dimension it.
>> sprintf(cmd,"ssh user@serverB -C /home/user/bin/Test.sh %s", Target);

Here you have a potential buffer overflow, especially since Target isn't necessarily null terminated above.  You should instead use snprintf() to make sure you don't overflow your command.

However I think a better approach would be:

  char Target[6];  // 5 chars for numbers, 1 for NULL
  char* endnum = NULL;
  unsigned long num;

  num = strtoul(argv[1], &endnum, 10);
  if ((endnum - argv[1]) != 5)
     exit(-1);  // ERROR in Input

  snprintf(cmd, sizeof(cmd), "ssh user@serverB -C \"/home/user/bin/Test.sh %lu\"", num);   // Note:  I think we need the embedded quotes for ssh; %lu because num is unsigned long

>> system(cmd);

-derek

--
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
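The validation and bounded formatting discussed in this thread, as an added example that is not any poster's code: the argument is accepted only if it is exactly five ASCII digits, the command is built from the parsed number rather than the raw string, and the return value of snprintf() is checked for truncation. The names parse_target and build_cmd are assumptions; user@serverB and the script path are the thread's own placeholders.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse arg as exactly five decimal digits: 0 and *out set on success,
 * -1 on anything else. (Hypothetical helper, not from the thread.) */
int parse_target(const char *arg, unsigned long *out)
{
    char *end = NULL;

    if (arg == NULL || strlen(arg) != 5)
        return -1;
    /* strtoul() skips leading whitespace and accepts a sign, so check
     * every character before trusting its result. */
    for (size_t i = 0; i < 5; i++)
        if (!isdigit((unsigned char)arg[i]))
            return -1;
    errno = 0;
    *out = strtoul(arg, &end, 10);
    return (errno != 0 || *end != '\0') ? -1 : 0;
}

/* Build the command from the parsed number, never from the raw string.
 * Returns 0 on success, -1 on bad input or if cmd is too small. */
int build_cmd(const char *arg, char *cmd, size_t cmdsz)
{
    unsigned long num;

    if (parse_target(arg, &num) != 0)
        return -1;
    /* snprintf() returns the length it needed; >= cmdsz means truncation. */
    int n = snprintf(cmd, cmdsz,
                     "ssh user@serverB -C \"/home/user/bin/Test.sh %lu\"", num);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char cmd[255];

    if (argc != 2 || build_cmd(argv[1], cmd, sizeof(cmd)) != 0) {
        fprintf(stderr, "usage: %s <5-digit number>\n", argv[0]);
        return EXIT_FAILURE;
    }
    puts(cmd); /* the program in the thread passes cmd to system() here */
    return EXIT_SUCCESS;
}
```

Because the value is printed with %lu, an argument such as 00123 reaches the remote script as 123.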