From: The Learning from Mistakes Dept.

 

A few months back eEye found an exploitable buffer overrun in Symantec’s Remote Management software what caught my eye was the nature of the bug, and I think this is coding construct we should all learn from.

 

You’re no doubt familiar with issues with strncpy and strncat, I’ve blogged about it in the past but this bug is a new twist, it’s an integer underflow when calculating the buffer size:

 

strncat(dst, src, N – strlen(src));

 

N is a constant, probably the len of the destination buffer, but the real issue is the attacker controls src, so he can make it any length he wants, and if src is longer than N, then, well you know the rest!

 

So when you’re reviewing code, look out for this little gem.