Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle.
http://sfsecurity.pr.erau.edu
All sorts of other far-fetched but deadly-serious things you should think about: Consequences.
Your software might be a UNIX utility that spawns two processes. One sets an environment variable to either "CHUCKY" or "CHEESE", and the second reads it.

The reading process doesn't bother to check the size before it copies the value into a buffer, because it is just an environment variable you made up and is guaranteed to be six characters, right? There is no user I/O involved. But an attacker can force a race condition that changes the environment variable between when one process writes it and when the other process reads it. They give the variable more than six characters, causing a buffer overflow.

The lesson is that the environment is input, and input is never guaranteed. A program inherits whatever environment the user who launched it built (which matters most for set-uid programs, where that user is not trusted), and getenv() returns a pointer to a NUL-terminated string of arbitrary length. Copying its result into a fixed-size buffer without a length check is the same bug as copying unchecked user input. Add getenv() to the long list of library functions whose results must be checked before use.
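The following is an added example, not code from the original slide: a vulnerable reader of the CHUCKY/CHEESE flag next to a hardened one. The variable name PIZZA_FLAG, the function names, and the return codes are assumptions made for the illustration; the slide itself names none of them.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv() in the demo below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical name for the slide's "CHUCKY"/"CHEESE" variable. */
#define FLAG_VAR "PIZZA_FLAG"
/* Both legal values are six characters; the buffer holds six plus NUL. */
#define FLAG_LEN 6

/* Vulnerable: trusts that the other process wrote at most six characters.
 * An attacker who controls the environment makes strcpy() write past
 * the end of out[] (stack smash); this is the slide's bug. */
int read_flag_unsafe(char out[FLAG_LEN + 1])
{
    const char *v = getenv(FLAG_VAR);
    if (v == NULL)
        return -1;                  /* variable not set */
    strcpy(out, v);                 /* no length check: overflow here */
    return 0;
}

/* Hardened: presence, length and allowed values are all checked before
 * a single byte is copied. Returns 0 on success, a negative code otherwise. */
int parse_flag(const char *v, char out[FLAG_LEN + 1])
{
    if (v == NULL)
        return -1;                  /* variable not set */
    size_t n = strlen(v);
    if (n > FLAG_LEN)
        return -2;                  /* oversized: reject, never truncate into out[] */
    if (strcmp(v, "CHUCKY") != 0 && strcmp(v, "CHEESE") != 0)
        return -3;                  /* not one of the two expected values */
    memcpy(out, v, n + 1);          /* n <= FLAG_LEN, so this fits with the NUL */
    return 0;
}

/* Same interface as the unsafe reader, but routed through parse_flag(). */
int read_flag_safe(char out[FLAG_LEN + 1])
{
    return parse_flag(getenv(FLAG_VAR), out);
}

int main(void)
{
    char buf[FLAG_LEN + 1];

    /* Constructed demo values; setenv() stands in for the writing process. */
    setenv(FLAG_VAR, "CHEESE", 1);
    if (read_flag_safe(buf) == 0)
        printf("flag = %s\n", buf);

    /* The attacker's oversized value: the safe reader refuses it. */
    setenv(FLAG_VAR, "CHUCKYCHEESECHUCKYCHEESE", 1);
    printf("oversized value rejected with code %d\n", read_flag_safe(buf));
    /* read_flag_unsafe(buf) at this point would overflow buf[]. */
    return 0;
}
```

The hardened version rejects an oversized value instead of truncating it: silently keeping the first six characters would turn "CHEESEBURGER" into "CHEESE" and let an attacker pick the branch the program takes, so the length check has to fail closed.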