2009-02-12 08:19:01
By Tim Brown
So after the latest squid advisory I thought I might take a look at it to see if there were any other gems waiting to be found.
So since I'm lazy, I ran cppchecker on the code base which found this gem in squid_kerb_auth.c within the gethost_name function:
char hostname[MAXHOSTNAMELEN];
...
hostname[MAXHOSTNAMELEN]='\0';
The last line will compile down to:
movb $0x0,0x0(%rbp)
which has the effect of smashing the last byte of the old $rbp (which is used by the calling function) that is saved on the stack immediately after the array, so that when the function returns $rbp may no longer point at a valid address.
Note that since C arrays start at 0, the affected line should read:
hostname[MAXHOSTNAMELEN - 1]='\0';
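An added example (not code from squid or from this post) that makes the off-by-one visible without relying on undefined behaviour: the array is placed in a struct with a canary byte directly after it, standing in for whatever sits past the buffer on the real stack, and the write is done through the struct's raw bytes so it stays within the object. MAXHOSTNAMELEN is shrunk to 8 here purely for the demo, and copy_hostname is a hypothetical hardened replacement that bounds the copy and terminates at the last valid index.

```c
#include <stddef.h>
#include <string.h>

#define MAXHOSTNAMELEN 8  /* assumption: shrunk from the real value for the demo */

struct frame {
    char hostname[MAXHOSTNAMELEN];
    unsigned char canary;  /* stands in for the byte that follows the array on the stack */
};

/* Write the NUL at byte offset (hostname + idx) of the struct. Going through
 * the struct's bytes keeps the access well-defined even when idx is one past
 * the array, so the clobber can be observed rather than being UB. */
static void terminate_at(struct frame *f, size_t idx)
{
    ((unsigned char *)f)[offsetof(struct frame, hostname) + idx] = '\0';
}

/* Returns 1 if terminating at `idx` overwrote the byte after the array. */
int clobbers_neighbour(size_t idx)
{
    struct frame f;
    memset(f.hostname, 'A', sizeof f.hostname);
    f.canary = 0xAA;       /* constructed sentinel value */
    terminate_at(&f, idx);
    return f.canary != 0xAA;
}

/* Hardened copy: never writes past dst[dstlen - 1].
 * Returns 1 if src had to be truncated, 0 if it fit, -1 on a zero-length buffer. */
int copy_hostname(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return -1;
    size_t n = strlen(src);
    int truncated = n >= dstlen;
    if (truncated)
        n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';         /* n <= dstlen - 1, so this is always in bounds */
    return truncated;
}
```

clobbers_neighbour(MAXHOSTNAMELEN) reports the clobber, clobbers_neighbour(MAXHOSTNAMELEN - 1) does not; on the real frame that clobbered byte is the low byte of the saved $rbp the post describes.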
Sadly this is unlikely to be exploitable in any useful fashion but it did help me finally get my head around x86 function calling conventions.
Mood: Awake
Music: Fear Factory