windows - C++ casting to base and "overwriting" vptr issue -

-

i reading new c++ challenge: http://blogs.msdn.com/b/vcblog/archive/2014/02/04/challenge-vulnerable-code.aspx

the supplied code if full of issues, obvious programming habits, visible c++ natives :-)

it described in comments, 1 particular line (37) particularly dangerous:

imagefactory::debugprintdimensions((imagefactory::customimage*)image);

the function calls virtual method of customimage (defined first time in customimage).

this allegedly causes first member of customimage treated vptr of instance (it's unique_ptr actually) , make binary pointed treated executable (perhaps malicious) code..

while can understand this, wonder why work.

customimage virtual class, (probably) first 4 bytes (just assume x86) vptr, , unique_ptr member next.. , since cast doesn't seem shifting anything...

... how possible execute data held unique_ptr?

my take (and i'm more happy corrected):

here, customimage polymorphic class (with vptr first "member" under windows abi), imageis not. order of definitions means imagefactory functions know customimage is an image, main() not.

so when factory does:

image* imagefactory::loadfromdisk(const char* imagename) {     return new (std::nothrow) customimage(imagename); }

the customimage* pointer converted image* , fine. because image not polymorphic, pointer adjusted point (pod) image instance inside customimage -- crutially, after vptr, because comes first in polymorphic class in ms abi (i assume).

however, when to

imagefactory::debugprintdimensions((imagefactory::customimage*)image);

the compiler sees c-style cast 1 class knows nothing another. take address has , pretend it's customimage* instead. address in fact points image within custom image; because image empty, , presumably empty base class optimisation in effect, ends pointing first member within customimage, i.e. unique_ptr.

now, imagefactory::debugprintdimensions() assumes it's been handed pointer fully-complete customimage, address equal address of vptr. hasn't -- it's been handed address of unique_ptr, because @ point @ called, compiler didn't know better. dereferences thinks vptr (really data we're in control of), looks offset of virtual function , blindly exectutes -- , we're in trouble.

there couple of things have helped mitigate this. firstly, since we're manipulating derived class via base class pointer, image should have virtual destructor. have made image polymorphic, , in probability wouldn't have had problem (and wouldn't leak memory, either).

secondly, because we're casting base-to-derived, dynamic_cast should have been used rather c style cast, have involved run-time check , correct pointer adjustment.

lastly, if compiler had information hand when compiling main(), might have been able warn (or performed cast correctly, adjusting polymorphic nature of customimage). moving class definitions above main() recommended too.


Comments

Post a Comment

Popular posts from this blog

python - Subclassed QStyledItemDelegate ignores Stylesheet -

-
i'm trying subclass qstyleditemdelegate remove focus rectangle in qcombobox . even though i'm calling base implementation of paint function , nothing else, result different. looks if parts of style-sheet influence bounding box of item taken consideration. class pstyleditemdelegate(qstyleditemdelegate): def __init__(self, *args, **kwds): super(pstyleditemdelegate, self).__init__(*args, **kwds) def paint(self, *args, **kwargs): qstyleditemdelegate.paint(*args, **kwargs) what have paint unmodified qstyleditemdelegate ? as suggested tried replacing pyside pyqt4 , works, appears bug. update pyside 1.1.2 1.2.1 result same. unfortunately switch breaks other parts of code, if there no other suggestions i'm going accept answer. edit bug tracked here
Read more

java - HttpClient 3.1 Connection pooling vs HttpClient 4.3.2 -

-
i have used httpclient3.1(java) connection pooling below : import org.apache.commons.httpclient.httpclient; import org.apache.commons.httpclient.multithreadedhttpconnectionmanager; import org.apache.commons.httpclient.params.httpclientparams; import org.apache.commons.httpclient.params.httpmethodparams; import org.apache.log4j.logger; public class httpclientmanager { private static logger logger = logger.getlogger(httpclientmanager.class); private static multithreadedhttpconnectionmanager connectionmanager = new multithreadedhttpconnectionmanager(); private static httpclientparams clientparams = new httpclientparams(); static { try { clientparams.makelenient(); clientparams.setauthenticationpreemptive(false); clientparams.setparameter(httpmethodparams.so_timeout, new integer(30000)); // set so_timeout clientparams.setparameter(httpmethodparams.head_body_check_timeout, new integer(3000)); // head responses ...
Read more

node.js - StackOverflow API not returning JSON -

-
i using node.js script gather data stackoverflow. know responses gzipped, put code in should take care of that. script follows: var request = require('request'); var zlib = require('zlib'); function getstackoverflowresponse(url, callback){ request(url, {encoding: null}, function(err, response, body){ if(response.headers['content-encoding'] == 'gzip'){ zlib.gunzip(body, function(err, dezipped) { callback(dezipped); }); } else { callback(body); } }); } var url = "https://api.stackexchange.com/docs/questions#pagesize=2&order=desc&min=2014-01-04&max=2014-02-02&sort=activity&tagged=apigee&filter=default&site=stackoverflow&run=true"; getstackoverflowresponse(url, function(questions) { console.log(questions); }); instead of getting json output, i'm getting following response: buffer 0d 0a 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48...
Read more