[16873] in bugtraq
Re: Format String Attacks
daemon@ATHENA.MIT.EDU (Matthias Meixner)
Fri Sep 22 11:17:45 2000
Message-ID: <39CB023D.EBC34A24@rbg.informatik.tu-darmstadt.de>
Date: Fri, 22 Sep 2000 08:54:53 +0200
Reply-To: meixner@RBG.INFORMATIK.TU-DARMSTADT.DE
From: Matthias Meixner <meixner@RBG.INFORMATIK.TU-DARMSTADT.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Ajax wrote:
>
[...]
>
> /* init AP to the next arg we pop from the stack */
> #define va_start(AP, LASTARG) \
> (AP = ((__gnuc_va_list) __builtin_next_arg (LASTARG)))
>
> /* advance the AP pointer and return the next arg */
> #define va_arg(AP, TYPE) \
> (AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE)), \
> *((TYPE *) (void *) ((char *) (AP) - __va_rounded_size (TYPE))))
>
> Note how this works; AP is treated as, essentially, void *AP[], an array
> of pointers to arbitrary types. This creates a natural terminating
> condition, where the last element in the array is NULL (_not_ a pointer to
> NULL).
Wrong. AP is not an array of pointers pointing to the arguments, but a pointer
to the beginning of the arguments on the stack. va_arg is shifting this
pointer further by the size of the object on the stack
[(AP = (__gnuc_va_list) ((char *) (AP) + __va_rounded_size (TYPE))]
each time an argument is read.
So there is no pointer array that could be terminated by a NULL pointer.
- Matthias Meixner
--
Matthias Meixner meixner@rbg.informatik.tu-darmstadt.de
Technische Universität Darmstadt
Rechnerbetriebsgruppe Telefon (+49) 6151 16 6670
Wilhelminenstraße 7, D-64283 Darmstadt, Germany Fax (+49) 6151 16 4701
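Because va_arg only advances a pointer through the argument area and has no terminating condition, the number of arguments must be known from somewhere other than the va_list itself. The following helper is an added example, not code from this thread or from glibc: it counts the arguments a printf-style format would consume (the function names `format_arg_count` and `checked_snprintf` are hypothetical) so that a caller can refuse a format that would read more arguments than were supplied.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count how many arguments a printf-style format will pull with va_arg:
 * each conversion takes one, "%%" takes none, and every '*' used as a
 * width or precision takes an extra int. Returns -1 for a dangling '%'. */
int format_arg_count(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                  /* literal percent sign */
            continue;
        /* flags, width, precision; a '*' here consumes one int argument */
        while (*p && strchr("-+ #0123456789.*", *p)) {
            if (*p == '*')
                n++;
            p++;
        }
        while (*p && strchr("hlLqjzt", *p)) /* length modifiers */
            p++;
        if (*p == '\0')
            return -1;                  /* format ends inside a conversion */
        n++;                            /* the conversion itself */
    }
    return n;
}

/* Only calls vsnprintf when the format needs no more than 'nargs'
 * arguments, which the caller states explicitly (hypothetical wrapper). */
int checked_snprintf(char *buf, size_t size, int nargs, const char *fmt, ...)
{
    int need = format_arg_count(fmt);
    if (need < 0 || need > nargs)
        return -1;                      /* refuse instead of walking the stack */
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return r;
}

int main(void)
{
    char buf[64];
    printf("%d\n", checked_snprintf(buf, sizeof buf, 2, "%s=%d", "x", 1));
    printf("%d\n", checked_snprintf(buf, sizeof buf, 1, "%s %x %x", "x"));
    return 0;
}
```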