Second, several of the local buffers are significantly
smaller than 65535 bytes, so the function had better be very careful how it copies information
into those buffers. Earlier, it was mentioned that the buffer at line 172 is vulnerable
to an overflow. That seems a little difficult given that there is a 64KB buffer sitting
between it and the return address.
NOTE Local variables are generally allocated on the stack in the order in
which they are declared, which means that replybuf generally sits between
envstrings and the saved return address. Recent versions of gcc/g++ (version
4.1 and later) perform stack variable reordering, which makes variable
locations far less predictable.
The function proceeds to set some of the pointers by parsing the incoming packet,
which is expected to be formatted as follows:
id some_id_value\n
user some_user_name\n
password some_users_password\n
filename some_filename\n
keyword some_keyword\n
environ key=value key=value key=value ...\n
Chapter 12: Passive Analysis, page 287 (Part IV)
The pointers in the stack are set by locating the key name, searching for the following
space, and incrementing by one character position. The values become null terminated
when the trailing \n is located and replaced with \0.
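The key/space/newline parsing just described, implemented with the length checks the original function lacks, together with the bounded copy that a local buffer far smaller than the 65535-byte packet (such as replybuf) requires. This is an added example, not code from the book or from the program under analysis; the struct and function names are assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for the six value pointers the parser sets. */
struct request { const char *id, *user, *password, *filename, *keyword, *environ; };

/* Find "key " at the start of a line, point *out at the value and replace the
 * trailing '\n' with '\0', as the text describes, but never scan past len
 * bytes and reject a value that has no terminating newline. */
static int set_field(char *pkt, size_t len, const char *key, const char **out)
{
    size_t klen = strlen(key);
    for (size_t i = 0; i + klen < len; i++) {
        int at_line_start = (i == 0 || pkt[i - 1] == '\n' || pkt[i - 1] == '\0');
        if (!at_line_start || memcmp(pkt + i, key, klen) != 0 || pkt[i + klen] != ' ')
            continue;
        char *val = pkt + i + klen + 1;
        char *nl = memchr(val, '\n', len - (size_t)(val - pkt));
        if (nl == NULL) return -1;        /* unterminated value: refuse the packet */
        *nl = '\0';
        *out = val;
        return 0;
    }
    return -1;
}

/* Returns 0 only when every expected key was found and terminated. */
int parse_request(char *pkt, size_t len, struct request *r)
{
    memset(r, 0, sizeof *r);
    return set_field(pkt, len, "id", &r->id) | set_field(pkt, len, "user", &r->user) |
           set_field(pkt, len, "password", &r->password) |
           set_field(pkt, len, "filename", &r->filename) |
           set_field(pkt, len, "keyword", &r->keyword) |
           set_field(pkt, len, "environ", &r->environ);
}

/* A parsed value may be close to 64KB long; copy it into a small local buffer
 * only if it fits together with its terminator, otherwise refuse. */
int copy_field(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}
```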