[3936] in bugtraq
Re: Smashing the stack
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Tue Jan 21 14:50:41 1997
Date: Tue, 21 Jan 1997 10:50:59 -0500
Reply-To: Bill Sommerfeld <sommerfeld@apollo.hp.com>
From: Bill Sommerfeld <sommerfeld@apollo.hp.com>
X-To: Zygo Blaxell <zblaxell@tenchi.myrus.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: zblaxell's message of Mon, 20 Jan 1997 22:05:34 -0500.
<5c1bpu$9f8@tenchi.myrus.com>
> Some architectures grow the stack "upwards" in memory instead of
> "downwards"; this means that buffer overrun doesn't overwrite existing
> stack frames at all.
This doesn't follow at all. The buffer which is overrun could have
been allocated within a separate frame from the frame which actually
"commits" the overrun.
e.g.,
foo()
{
char buf[10];
gets(buf);
}
The actual overrun occurs in gets(), which writes to memory which is
"below" the stack location of gets's frame, so (in the case of a
hypothetical machine with an upward-growing stack) the flow of control
is derailed on return from gets(), not return from foo()...
- Bill
