This is the mail archive of the
mailing list for the GCC project.
Re: Buffer Overflow Attacks
- To: Florian Weimer <fw at deneb dot enyo dot de>
- Subject: Re: Buffer Overflow Attacks
- From: "Joseph S. Myers" <jsm28 at cam dot ac dot uk>
- Date: Sun, 14 Oct 2001 20:27:55 +0100 (BST)
- cc: <gcc at gcc dot gnu dot org>
On Sun, 14 Oct 2001, Florian Weimer wrote:
> The struct hack for character arrays results in strictly conforming
> programs because arithmetic on pointers to a character type is not
> restricted in any way, as long the enclosing object is not left. This
> is a consequence of 22.214.171.124(7).
[#7] A pointer to an object or incomplete type may be
converted to a pointer to a different object or incomplete
type. If the resulting pointer is not correctly aligned57)
for the pointed-to type, the behavior is undefined.
Otherwise, when converted back again, the result shall
compare equal to the original pointer. When a pointer to an
object is converted to a pointer to a character type, the
result points to the lowest addressed byte of the object.
Successive increments of the result, up to the size of the
object, yield pointers to the remaining bytes of the object.
The problem is, what is "the object"? In the struct hack, it is quite
arguably an array of size 1 within the structure - not the larger area
within which the structure was allocated.
Joseph S. Myers