Does this help – in particular the read_from_network() function and comments I added?
- Chris
 
#include <stdio.h>
#include <stdlib.h>

typedef unsigned short uid_t;

static void dowork(uid_t u);
static int read_from_network(void);

int main(int argc, char **argv)
{
    int x;

    x = read_from_network();

    /* Squish root (it's not safe to execute dowork() with uid 0) */
    if ( x == 0 )
    {
        printf("Uid %u not allowed.\n", x);
        exit(1);
    }
    dowork(x);
    return (0);
} /* main() */

static void dowork(uid_t u)
{
    printf("Doing work as uid %u.\n", u);
} /* dowork() */

static int read_from_network(void)
{
    /* I'm a sneaky guy and exploited the fact that the return value
     * is an int, although I know only the lower 16 bits will be used.
     * This is how I can end up "doing work" as root. */
    return (0xffff0000);
} /* read_from_network() */
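The truncation Chris's program demonstrates, placed beside a check that catches it, as an added example that is not part of the thread. The 16-bit type is named net_uid_t here so it does not clash with the system uid_t, and the sample values are constructed.

```c
#include <stdio.h>
#include <limits.h>

/* Same 16-bit type as in the thread, renamed so it does not clash with the
 * system uid_t that <sys/types.h> may define. */
typedef unsigned short net_uid_t;

/* What dowork() actually receives: the int argument is converted to the
 * parameter type, i.e. reduced modulo 65536 (well-defined for unsigned). */
static net_uid_t effective_uid(int x)
{
    return (net_uid_t)x;
}

/* The check as written in the thread: it compares the full int, so 65536,
 * or -65536 (what 0xffff0000 becomes in a 32-bit int), passes and yet
 * arrives as uid 0 inside dowork(). Returns 1 when dowork() would run. */
static int broken_check(int x)
{
    return x != 0;
}

/* Hardened check: reject anything that does not fit a net_uid_t, then make
 * the conversion explicit and compare the value dowork() will really see. */
static int hardened_check(int x)
{
    if (x < 0 || x > USHRT_MAX)
        return 0;                 /* out of range: never silently wrap */
    net_uid_t u = (net_uid_t)x;
    return u != 0;                /* uid 0 is still rejected */
}

int main(void)
{
    /* Constructed values: a normal uid and two that wrap to 0. */
    int samples[] = { 1000, 65536, -65536 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int x = samples[i];
        printf("x=%d -> dowork sees %u, broken allows=%d, hardened allows=%d\n",
               x, (unsigned)effective_uid(x), broken_check(x), hardened_check(x));
    }
    return 0;
}
```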
 
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Jeff Morriss
Sent: Friday, April 25, 2008 9:34 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] [Wireshark-commits] rev 25171: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-umts_fp.c

On Fri, Apr 25, 2008 at 7:49 PM, Luis EG Ontanon <luis@xxxxxxxxxxx> wrote:
On Fri, Apr 25, 2008 at 10:17 PM, Jeff Morriss <jeff.morriss.ws@gmail.com> wrote:
I wouldn't have got this by myself without the explanation, but if you read the code as:

typedef unsigned short uid_t;
void dowork(uid_t u);
int main() {
   int x = read_from_network();
   // Squish root (it's not safe to execute dowork() with uid 0)
   if ( (x & 0x0000ffff) == 0) exit(1);
   //       ^^^^^^^^^^^^^
   dowork(x);
}

you would have noticed the issue.
I get what he's saying but I just don't get it: why would the compiler convert from int to unsigned short *before* it has to send the value into the call to dowork()? E.g., 'x' should be an int until I (explicitly or implicitly) cast it to something else, non? Actually it should still be an int after the call to dowork(); it just won't be an int when dowork() gets it.

Maybe I need to go back to school because I'm feeling very noobish right now.