Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle.
http://sfsecurity.pr.erau.edu
All sorts of other far-fetched but deadly-serious things you should think about - Consequences.
Your software might be a UNIX utility that spawns two processes. One sets an environment variable to either "CHUCKY" or "CHEESE", and the second reads it.

The reading process doesn't bother to check the size before it puts the value in a buffer, because it is just an environment variable you made up and is guaranteed to have six characters, right? There is no user I/O involved.

But an attacker can force a race condition that changes the environment variable between the time one process writes it and the time the other process reads it. They give the environment variable more than six characters, causing a buffer overflow. (Add getenv() to the long list of dangerous library functions.)
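As an added illustration (not code from the original slides), here is the unchecked pattern described above next to a hardened reader that treats anything returned by getenv() as untrusted input. The variable name FLAG, the function names and the six-character limit are assumptions chosen for this example; the point is that the bound is enforced by the reader, not by whoever was supposed to write the value.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv() in the demo main() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The values the program was designed around: "CHUCKY" and "CHEESE" are both
 * six characters, so the buffer needs six bytes plus one for the NUL. */
#define FLAG_MAX 6

/* The pattern from the slide, kept only for contrast: it trusts that the
 * variable was written by our own process and copies without checking the
 * length. If the value is longer than six characters, strcpy() runs past
 * the end of `out`. This file never calls it with an over-long value. */
void read_flag_unchecked(const char *val, char out[FLAG_MAX + 1]) {
    strcpy(out, val);
}

/* Hardened version: the environment is attacker-influenced input, so the
 * reader enforces the size itself. Returns 0 on success and -1 if the value
 * is missing or does not fit (including its terminator) in outsz bytes.
 * Never writes beyond outsz bytes of `out`. */
int read_flag_checked(const char *val, char *out, size_t outsz) {
    if (val == NULL || outsz == 0)
        return -1;

    /* Bounded length scan: stop as soon as we know the value cannot fit, so
     * a very long value costs at most outsz comparisons. */
    size_t n = 0;
    while (n < outsz && val[n] != '\0')
        n++;
    if (n >= outsz)            /* no room left for the NUL: reject it */
        return -1;

    memcpy(out, val, n);
    out[n] = '\0';
    return 0;
}

/* Wrapper that goes through getenv(), the call the slide adds to the list of
 * dangerous functions: its return value is whatever is in the environment at
 * the moment of the call, not necessarily what the sibling process wrote. */
int read_env_flag(const char *name, char *out, size_t outsz) {
    return read_flag_checked(getenv(name), out, outsz);
}

int main(void) {
    char buf[FLAG_MAX + 1];

    /* Constructed demo: the value the writer process intended. */
    setenv("FLAG", "CHUCKY", 1);
    if (read_env_flag("FLAG", buf, sizeof buf) == 0)
        printf("accepted: %s\n", buf);

    /* Constructed demo: a value that would overflow the unchecked reader.
     * The checked reader rejects it instead of writing past buf. */
    setenv("FLAG", "CHEESECHEESECHEESE", 1);
    if (read_env_flag("FLAG", buf, sizeof buf) != 0)
        printf("rejected: value does not fit in %d characters\n", FLAG_MAX);

    return 0;
}
```

The checked reader rejects the seven-character case as well as the very long one, because a value that exactly fills the buffer leaves no room for the terminator; that off-by-one is where many "I sized the buffer for the longest value" arguments quietly fail.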