[VIM] Zoidcom 1.0 beta 4 crash - not an overflow

Steven M. Christey coley at mitre.org
Tue May 17 19:37:18 EDT 2005


  BUGTRAQ:20050510 Crash in Zoidcom 1.0 beta 4

Multiple sources have referred to this as a buffer overflow, when it's
not an "overflow" at least as traditionally regarded.

According to Luigi Auriemma's report, the attack involves manipulating
a size field of a packet.  This size field, if too big, then causes
Zoidcom to "try to read the unallocated memory located after the
packet buffer or the library will exit immediately if the amount of
bits is so big that the target buffer cannot be allocated."

So there's bad buffer management, and modification of length fields is
a common attack these days, but in this case, there's no
stack-smashing or heap corruption.

I'm not sure what term to use, as the underlying bug is still
basically the same as the bugs that allow classic overflows, but to
just say "buffer overflow" seems inaccurate.

- Steve

More information about the VIM mailing list