Re: false assumption or security flaw?
"johan '97" <joe197@puspa.cs.ui.ac.id> writes:
> On Thu, 24 Aug 2000, Tim Robbins wrote:
>
> > You're creating a reference of type int (int &) with the value of 8 in a
> > roundabout kind of way. Yuck. That shouldn't dump core because it does
> > nothing wrong, but whatever you're trying to do I'll bet that isn't the
> > right way to do it :)
>
> The fact that I have freed the memory pointed to by 'x', but it can still
> "legally" be accessed by the reference variable 'a' (shown by the program
> not dumping core), should imply that this piece of memory can be allocated
> not only to one user/process but also to many users/processes, which can be
> devastating in effect!
OK, I don't know about references,
but I assume they follow the same logic as pointers.
So, let's write this example in C:
#include <stdio.h>
#include <stdlib.h>

int main () {
    int *x = (int *) malloc(sizeof(int));
    int *a;
    *x = 9;
    a = x;                       /* a now aliases the block owned by x */
    printf("%d, %d\n", *a, *x);
    *a = 3;
    printf("%d, %d\n", *a, *x);
    free(x);                     /* from here on both a and x dangle */
    *a = 10;                     /* use after free, shown on purpose: undefined behaviour */
    printf("%d, %d\n", *a, *x);
    return 0;
}
9, 9
3, 3
10, 10
After having freed "x", "a" is a dangling pointer,
which means that it points to an address in memory which,
*for this case*, was referenced but isn't anymore.
The result in this case is undefined;
I assume that you do not dump core because the address does not
point outside your process address space.
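As an added example (not code from this thread), the two habits that keep such a dangling pointer from being a silent read of stale memory: wipe anything sensitive before free(), because within the same process a later malloc() can hand the same bytes back uncleared, and clear the pointer itself so a later use faults on NULL instead of quietly succeeding. The helpers wipe() and secure_free() are hypothetical names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: overwrite a buffer through a volatile pointer so the
 * compiler cannot drop the stores as "dead" just because free() follows. */
static void wipe(void *buf, size_t n) {
    volatile unsigned char *p = buf;
    while (n--) *p++ = 0;
}

/* Hypothetical helper: wipe the contents, free the block and clear the
 * caller's pointer, so no dangling pointer survives the call. */
static void secure_free(int **pp, size_t n) {
    if (*pp != NULL) {
        wipe(*pp, n);
        free(*pp);
        *pp = NULL;
    }
}

/* Returns 1 if secure_free() left the caller's pointer NULL. */
int demo_pointer_is_cleared(void) {
    int *x = malloc(sizeof *x);
    if (x == NULL) return 0;
    *x = 9;
    secure_free(&x, sizeof *x);
    return x == NULL;  /* a later *x now faults instead of reading freed memory */
}

/* Returns 1 if wipe() really zeroes every byte of a live buffer. */
int demo_wipe_zeroes(void) {
    unsigned char secret[16];                 /* constructed sample data */
    memset(secret, 0xAA, sizeof secret);
    wipe(secret, sizeof secret);
    for (size_t i = 0; i < sizeof secret; i++)
        if (secret[i] != 0) return 0;
    return 1;
}

int main(void) {
    printf("pointer cleared: %d\n", demo_pointer_is_cleared());
    printf("buffer wiped:    %d\n", demo_wipe_zeroes());
    return 0;
}
```

Building with -fsanitize=address (gcc or clang) turns the remaining use-after-free in the original program into a deterministic report rather than a lucky "10, 10".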
--
-- Yoann http://www.mandrakesoft.com/~yoann/
An engineer from NVidia, while asking him to release cards specs said :
- "Actually, we do write our drivers without documentation."
Kernel-audit: discussion list for security and the linux kernel
Archive: http://mail.nl.linux.org/kernel-audit/