[ale] C question
Jim Lynch
ale_nospam at fayettedigital.com
Fri May 23 16:00:19 EDT 2014
For sure, Target needs to be at least 6 characters. Also I'd use
strncpy not an assign statement. I didn't even see that the first
time. I zeroed in on the Command line.
Jim.
On 05/23/2014 10:40 AM, Derek Atkins wrote:
> DANGER WILL ROBINSON!
> Potential buffer overflows detected!
>
> More inline:
>
> Jim Lynch <ale_nospam at fayettedigital.com> writes:
>
>> Let me try that again.
>> On 05/23/2014 05:43 AM, Jim Lynch wrote:
>>> Untested, but should work.
>>> On 05/22/2014 10:56 PM, Robert L. Harris wrote:
>>>> #include <stdio.h>
>>>> #include <stdlib.h>
>>>> #include <sys/types.h>
>>>> #include <unistd.h>
>>>>
>>>>
>>>> int main(int argc, char **argv)
>>>> {
>>>>
>>>> char Target[5] = argv[1];
> It's unclear that this will do what you want. Moreover, if it *DOES* do
> an implicit memcpy then Target won't be NULL-terminated. It also doesn't
> verify that it's a number.
>
>>>> printf("%s\n", argv[1]);
>>>> printf("%s\n", Target);
>>>>
>>>> setuid( 662705787 );
>>>> char Command[255]="/home/user/bin/Test.sh %s", Target;
>>> char cmd[255];
>> ^^^^^^^^^^^ forgot to dimension it.
>>> sprintf(cmd,"ssh user@serverB -C /home/user/bin/Test.sh %s", Target);
> Here you have a potential buffer overflow, especially since Target isn't
> necessarily null terminated above. You should instead use snprintf() to
> make sure you don't overflow your command.
>
> However I think a better approach would be:
>
> char Target[6]; // 5 chars for numbers, 1 for NULL
> char* endnum = NULL;
> unsigned long num;
>
> num = strtoul(argv[1], &endnum, 10);
> if ((endnum - argv[1]) != 5)
>     exit(-1); // ERROR in Input
>
> snprintf(cmd, sizeof(cmd), "ssh user@serverB -C \"/home/user/bin/Test.sh %lu\"", num); // Note: I think we need the embedded quotes for ssh
>
>>> system(cmd);
> -derek
>
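
An added example, not code from any poster in this thread: a strict five-digit check next to the strtoul() length test suggested above, plus an snprintf() call whose return value is checked for truncation. The function names parse_target, thread_length_check and build_command are hypothetical; the host and script path are the ones used in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TARGET_DIGITS 5

/* Strict check: exactly TARGET_DIGITS ASCII digits and nothing else.
 * Returns 0 and stores the value in *out on success, -1 otherwise. */
int parse_target(const char *arg, unsigned long *out)
{
    if (arg == NULL || strlen(arg) != TARGET_DIGITS)
        return -1;
    for (size_t i = 0; i < TARGET_DIGITS; i++)
        if (!isdigit((unsigned char)arg[i]))
            return -1;   /* rejects sign, whitespace, trailing text */
    *out = strtoul(arg, NULL, 10);
    return 0;
}

/* The length test from the thread, kept for comparison: strtoul() skips
 * leading whitespace and accepts a sign, so those count toward the 5. */
int thread_length_check(const char *arg)
{
    char *endnum = NULL;
    (void)strtoul(arg, &endnum, 10);
    return (endnum - arg) == 5;
}

/* Build the command; fail on truncation instead of running a cut-off string. */
int build_command(char *cmd, size_t cmdlen, unsigned long num)
{
    int n = snprintf(cmd, cmdlen,
        "ssh user@serverB -C \"/home/user/bin/Test.sh %lu\"", num);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char cmd[255];
    unsigned long num;
    if (argc != 2 || parse_target(argv[1], &num) != 0) {
        fputs("usage: prog <5-digit target>\n", stderr);
        return EXIT_FAILURE;
    }
    if (build_command(cmd, sizeof cmd, num) != 0)
        return EXIT_FAILURE;
    puts(cmd);   /* printed rather than passed to system() in this sketch */
    return EXIT_SUCCESS;
}
```

Because the value is formatted with %lu, a target with a leading zero such as 01234 reaches the script as 1234.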