[ale] C question

Jim Lynch ale_nospam at fayettedigital.com
Fri May 23 16:00:19 EDT 2014


For sure, Target needs to be at least 6 characters.  Also I'd use 
strncpy not an assign statement.  I didn't even see that the first 
time.  I zeroed in on the Command line.

Jim.
On 05/23/2014 10:40 AM, Derek Atkins wrote:
> DANGER WILL ROBINSON!
> Potential buffer overflows detected!
>
> More inline:
>
> Jim Lynch <ale_nospam at fayettedigital.com> writes:
>
>> Let me try that again.
>> On 05/23/2014 05:43 AM, Jim Lynch wrote:
>>> Untested, but should work.
>>> On 05/22/2014 10:56 PM, Robert L. Harris wrote:
>>>> #include <stdio.h>
>>>> #include <stdlib.h>
>>>> #include <sys/types.h>
>>>> #include <unistd.h>
>>>>
>>>>
>>>> int main(int argc, char **argv)
>>>> {
>>>>
>>>>    char Target[5] = argv[1];
> It's unclear that this will do what you want.  Moreover, if it *DOES* do
> an implicit memcpy then Target won't be NULL-terminated.  It also doesn't
> verify that it's a number.
>
>>>>    printf("%s\n", argv[1]);
>>>>    printf("%s\n", Target);
>>>>
>>>>    setuid( 662705787 );
>>>>    char Command[255]="/home/user/bin/Test.sh %s", Target;
>>> char cmd[255];
>> ^^^^^^^^^^^ forgot to dimension it.
>>> sprintf(cmd,"ssh user@serverB -C /home/user/bin/Test.sh %s", Target);
> Here you have a potential buffer overflow, especially since Target isn't
> necessarily null terminated above.  You should instead use snprintf() to
> make sure you don't overflow your command.
>
> However I think a better approach would be:
>
>    char Target[6];  // 5 chars for numbers, 1 for NULL
>    char* endnum = NULL;
>    unsigned long num;
>
>    num = strtoul(argv[1], &endnum, 10);
>    if ((endnum - argv[1]) != 5)
>       exit(-1);  // ERROR in Input
>
>    snprintf(cmd, sizeof(cmd), "ssh user@serverB -C \"/home/user/bin/Test.sh %lu\"", num);   // Note:  I think we need the embedded quotes for ssh
>
>>> system(cmd);
> -derek
>
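
An added example, not code from anyone in the thread: the bounded copy, explicit terminator and `snprintf()` length check discussed above, with a digit-by-digit test that also rejects signs and leading whitespace, which `strtoul()` accepts. The helper names `parse_target` and `build_command` are hypothetical; the command string is the thread's, with the archive's " at " restored to "@".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TARGET_DIGITS 5u

/* Copy arg into target only if it is exactly TARGET_DIGITS decimal digits.
 * Returns 0 on success, -1 on rejection. */
static int parse_target(const char *arg, char target[TARGET_DIGITS + 1])
{
    size_t i;
    if (arg == NULL || strlen(arg) != TARGET_DIGITS)
        return -1;
    for (i = 0; i < TARGET_DIGITS; i++) {
        /* Per-character check also rejects "-1234" and " 1234",
         * which strtoul() would parse and count as five characters. */
        if (!isdigit((unsigned char)arg[i]))
            return -1;
    }
    memcpy(target, arg, TARGET_DIGITS);
    target[TARGET_DIGITS] = '\0';   /* explicit terminator, sixth byte */
    return 0;
}

/* Format the command into cmd. snprintf() returns the length it wanted
 * to write, so a result >= cmdlen means the output was truncated. */
static int build_command(const char *arg, char *cmd, size_t cmdlen)
{
    char target[TARGET_DIGITS + 1];
    int n;
    if (parse_target(arg, target) != 0)
        return -1;
    n = snprintf(cmd, cmdlen,
                 "ssh user@serverB -C \"/home/user/bin/Test.sh %s\"", target);
    if (n < 0 || (size_t)n >= cmdlen)
        return -1;   /* refuse to hand back a truncated command */
    return 0;
}

int main(int argc, char **argv)
{
    char cmd[255];
    if (argc != 2 || build_command(argv[1], cmd, sizeof(cmd)) != 0) {
        fprintf(stderr, "usage: prog <5-digit target>\n");
        return 1;
    }
    puts(cmd);   /* the thread passes cmd to system(); printed here instead */
    return 0;
}
```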