Tuesday, August 02, 2005

Simple Yet Common Again

#include <string.h>

void do_some_stuff(char *buf);   /* defined elsewhere; not shown in the post */

int catvars(char *buf1, char *buf2, unsigned int len1,
            unsigned int len2){
    char mybuf[256];

    /* length check exactly as posted */
    if((len1 + len2) > 256){
        return -1;
    }

    memcpy(mybuf, buf1, len1);
    memcpy(mybuf + len1, buf2, len2);

    do_some_stuff(mybuf);

    return 0;
}

4 comments:

Sid said...

The second memcpy can be used to overflow "mybuf" if the value of "len1" is less than the actual length of string "buf1". The problem is basically because the code trusts the user to provide the correct value for "len1".

Let me know if I am missing something.

Alpha0 said...

Did you notice len1 + len2 > 256 ?

pvncad said...

Integer overflow,

check len1 > 256 and len2 > 256
before checking len1 + len2 > 256

does it contain more bugs?

Alpha0 said...

It has two bugs.
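The following is an added example, not code from the original post or its commenters. It puts the posted length check beside an overflow-safe version so the wrap-around the comments discuss can be observed without touching any real buffer: the naive check computes len1 + len2 in unsigned int, so one oversized operand wraps the sum to a small value and the check passes, while bounding each operand first (pvncad's suggestion) makes the addition unable to wrap. catvars_safe is a hardened rewrite of the posted function; it additionally reserves one byte and NUL-terminates the result, which is my own assumption about what do_some_stuff expects, not something the post states.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

#define BUFSZ 256u

/* The check as posted: the sum is evaluated in unsigned int and may wrap.
 * Returns 1 if the lengths would be accepted, 0 if rejected. */
int naive_check_accepts(unsigned int len1, unsigned int len2)
{
    return ((len1 + len2) > BUFSZ) ? 0 : 1;
}

/* Overflow-safe check: bound each operand first, so len1 + len2 <= 512
 * and the addition cannot wrap. */
int safe_check_accepts(unsigned int len1, unsigned int len2)
{
    if (len1 > BUFSZ || len2 > BUFSZ)
        return 0;
    if (len1 + len2 > BUFSZ)   /* now a genuine comparison */
        return 0;
    return 1;
}

/* Hardened concatenation into a caller-supplied buffer of outsz bytes.
 * Rejects any pair of lengths that would not fit with a terminating NUL.
 * The subtraction form (len2 >= outsz - len1) is only evaluated after
 * len1 < outsz is known, so it cannot underflow. */
int catvars_safe(char *out, size_t outsz, const char *buf1, const char *buf2,
                 unsigned int len1, unsigned int len2)
{
    if (out == NULL || outsz == 0)
        return -1;
    if (len1 >= outsz || len2 >= outsz - len1)
        return -1;                       /* leaves room for the NUL */
    memcpy(out, buf1, len1);
    memcpy(out + len1, buf2, len2);
    out[len1 + len2] = '\0';
    return 0;
}

/* Helper for checking results: 1 if catvars_safe succeeds and the output
 * equals `expected`, 0 otherwise. */
int concat_matches(const char *a, const char *b, unsigned int la,
                   unsigned int lb, const char *expected)
{
    char out[BUFSZ];
    if (catvars_safe(out, sizeof out, a, b, la, lb) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed lengths: UINT_MAX - 15 plus 32 wraps to 16 in unsigned int. */
    unsigned int big = UINT_MAX - 15u, small = 32u;

    printf("wrapped sum            : %u\n", big + small);
    printf("naive check accepts    : %d\n", naive_check_accepts(big, small));
    printf("safe  check accepts    : %d\n", safe_check_accepts(big, small));
    printf("concat \"abc\"+\"de\" ok   : %d\n",
           concat_matches("abc", "de", 3, 2, "abcde"));
    return 0;
}
```

The hardened check takes the destination size as a parameter rather than hard-coding 256, so the bound and the buffer cannot drift apart when the buffer is later resized.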