Buffer Overflow Question

Started by Gunner, October 28, 2010, 12:46:22 AM


Gunner

Someone asked me about 1 of my apps:
Quote
I presume you have hardened your software in the case that one of the sites gets hacked/dns spoofed, and that it won't have a buffer overflow, or some other accidental behavior that could infect a users system?
I never really put any deep thought into that, so here I ask everyone: if I do HttpQueryInfo to get the content length, add 1 and HeapAlloc with that size, could an overflow occur? I am not getting a webpage or anything, it is a response to a query...


    mov pdwBufferLength, sizeof NumRead       ; size of the receiving DWORD
    mov lpdwIndex, 0                          ; first (and only) Content-Length header
    ; HTTP_QUERY_FLAG_NUMBER returns the header value as a DWORD in NumRead
    invoke HttpQueryInfo, hFile, HTTP_QUERY_CONTENT_LENGTH or HTTP_QUERY_FLAG_NUMBER, addr NumRead, addr pdwBufferLength, addr lpdwIndex
    mov ebx, NumRead                          ; advertised body length
    add ebx, 1                                ; +1 for a terminating zero

    invoke HeapAlloc, hMainHeap, HEAP_ZERO_MEMORY, ebx   ; zeroed buffer of Content-Length+1 bytes
    mov esi, eax                              ; esi -> buffer (NULL if the allocation failed; not checked here)
    ; one read of at most ebx bytes into the buffer; NumRead is reused for the byte count
    invoke InternetReadFile,  hFile, esi, ebx, addr NumRead
    invoke InternetCloseHandle, hFile

    ; Process the returned string here......
~Rob (Gunner)
- IE Zone Editor
- Gunners File Type Editor
http://www.gunnerinc.com

box

If you've never put thought into security, then don't write network apps of any kind in ASM =o

This particular code snippet shouldn't be vulnerable to buffer overruns since InternetReadFile never writes more data than specified in dwNumberOfBytesToRead.

If you aren't getting a web page, what exactly are you doing here? InternetReadFile is generally used to fetch a file using http or ftp, in which case you would normally write a loop to call it until it stops returning data.
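The read loop box describes, as an added C example that is not from the thread (and not the MASM/WinINet code Gunner posted): fake_conn and fake_read are a constructed stand-in for an InternetReadFile-style call, read_all is a hypothetical name, and the response body is made up. It shows the point of the thread: the write is bounded by the size passed to the read call, not by the Content-Length the server advertised, so a server that sends more than it promised is handled by growing the buffer up to a fixed cap, never by trusting the header.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample response: the server will advertise Content-Length: 10
   but actually deliver the whole body below. */
static const char SAMPLE_BODY[] =
    "{\"status\":\"ok\",\"payload\":\"longer than advertised\"}";
#define SAMPLE_LEN (sizeof(SAMPLE_BODY) - 1)

/* Stand-in for an InternetReadFile-style connection (hypothetical, built for
   this example). It hands out at most 'chunk' bytes per call to model partial
   reads, and reports 0 bytes once the body is exhausted. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
    size_t chunk;
} fake_conn;

static int fake_read(fake_conn *c, void *buf, uint32_t cap, uint32_t *nread)
{
    if (c == NULL || buf == NULL || nread == NULL) return 0;   /* FALSE: call failed */
    size_t n = c->len - c->pos;
    if (n > cap) n = cap;                 /* never more than the caller's buffer */
    if (n > c->chunk) n = c->chunk;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    *nread = (uint32_t)n;
    return 1;
}

/* Read the whole body the way box describes: keep calling the read routine
   until it reports 0 bytes. The advertised length is only a sizing hint; the
   buffer grows as needed and is capped at max_total so a hostile server cannot
   force unbounded allocation. Returns a NUL-terminated heap buffer, or NULL on
   read failure, allocation failure, or a body of max_total bytes or more. */
unsigned char *read_all(fake_conn *c, uint32_t advertised, size_t max_total, size_t *out_len)
{
    size_t cap = (size_t)advertised + 1;  /* the thread's Content-Length + 1, as a hint */
    if (cap < 64) cap = 64;
    if (cap > max_total) cap = max_total;
    unsigned char *buf = malloc(cap);
    if (buf == NULL) return NULL;
    size_t used = 0;
    for (;;) {
        if (used == cap) {                /* full: grow, or refuse at the limit */
            if (cap == max_total) { free(buf); return NULL; }
            size_t ncap = cap * 2 < max_total ? cap * 2 : max_total;
            unsigned char *nb = realloc(buf, ncap);
            if (nb == NULL) { free(buf); return NULL; }
            buf = nb;
            cap = ncap;
        }
        uint32_t got = 0;
        /* ask only for the free space: this is what keeps the write in bounds */
        if (!fake_read(c, buf + used, (uint32_t)(cap - used), &got)) { free(buf); return NULL; }
        if (got == 0) break;              /* 0 bytes read means end of data */
        used += got;
    }
    if (used == cap) {                    /* make room for the terminator */
        unsigned char *nb = realloc(buf, cap + 1);
        if (nb == NULL) { free(buf); return NULL; }
        buf = nb;
    }
    buf[used] = 0;
    if (out_len) *out_len = used;
    return buf;
}

int main(void)
{
    fake_conn c = { (const unsigned char *)SAMPLE_BODY, SAMPLE_LEN, 0, 7 };
    size_t n = 0;
    unsigned char *body = read_all(&c, 10, 4096, &n);
    printf("advertised 10, received %zu bytes: %s\n", n, body ? (char *)body : "(failed)");
    free(body);

    fake_conn d = { (const unsigned char *)SAMPLE_BODY, SAMPLE_LEN, 0, 7 };
    unsigned char *rejected = read_all(&d, 10, 32, &n);
    printf("with a 32-byte limit the same response is %s\n", rejected ? "accepted" : "rejected");
    free(rejected);
    return 0;
}
```

With the real API the same loop applies: pass the free space as dwNumberOfBytesToRead, stop when the call reports 0 bytes, and decide up front how large a response you are willing to hold.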

Gunner

Quote from: box on October 28, 2010, 01:23:37 AM
If you've never put thought into security, then don't write network apps of any kind in ASM =o

Security in my apps where I have control of the data... Yes I always think about that but I CAN control the data.... I can't control the data on the internet and just want to make sure it will be fine...

Quote
This particular code snippet shouldn't be vulnerable to buffer overruns since InternetReadFile never writes more data than specified in dwNumberOfBytesToRead.

Quote
If you aren't getting a web page, what exactly are you doing here? InternetReadFile is generally used to fetch a file using http or ftp, in which case you would normally write a loop to call it until it stops returning data.
I send a query to a php page and the server returns a response that I then parse.... Depends on the server, it will send back the info either formatted as XML, JSON, or their own format...
~Rob (Gunner)
- IE Zone Editor
- Gunners File Type Editor
http://www.gunnerinc.com

Tedd

To avoid buffer overflows, you need to make sure you check that ANY data copied to any region of memory is strictly limited by length and the buffer is always large enough. Never assume 'it should be large enough' or that anything you receive will always be well-behaved or sane.
This includes seemingly simple things like strcpy - use strcpyn instead.

Getting the length and then allocating more than that (and checking the allocation succeeds :P) will be okay for that instance. Now check the rest of your program :bdg (particularly your parsers.)
No snowflake in an avalanche feels responsible.
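Tedd's rule that every copy must be length-limited, applied to the parsing stage Gunner mentions, as an added C example (not from the thread and not a MASM32 library routine; copy_bounded and extract_field are hypothetical names and the response text is constructed). The extractor never reads past the buffer length it is given and hands the value over only through the bounded copy, which reports a too-long value instead of truncating or overflowing:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample response: one short field and one that is deliberately
   too long for a small destination buffer (40 'A's). */
static const char SAMPLE_RESPONSE[] =
    "{\"status\":\"ok\",\"token\":\""
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "\"}";
#define SAMPLE_RESPONSE_LEN (sizeof(SAMPLE_RESPONSE) - 1)

/* Bounded copy (hypothetical helper). Copies srclen bytes into dst only if they
   fit together with the terminator; otherwise leaves dst as an empty string and
   reports failure. Unlike strncpy, dst is always NUL-terminated and a too-long
   source is never silently truncated. */
bool copy_bounded(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    if (dst == NULL || dstsize == 0) return false;
    if (src == NULL || srclen >= dstsize) {
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return true;
}

/* Minimal extractor for a "key":"value" pair (hypothetical helper; it does not
   handle escaped quotes). Every index is checked against buflen, so a response
   with no terminator, a missing closing quote, or a key at the very end cannot
   make it read past the buffer, and the value reaches 'out' only via copy_bounded. */
bool extract_field(const char *buf, size_t buflen, const char *key, char *out, size_t outsize)
{
    if (buf == NULL || key == NULL || out == NULL || outsize == 0) return false;
    out[0] = '\0';
    size_t keylen = strlen(key);
    size_t patlen = keylen + 4;           /* quote, key, quote, colon, quote */
    for (size_t i = 0; i + patlen <= buflen; i++) {
        if (buf[i] != '"' || buf[i + 1 + keylen] != '"' ||
            buf[i + 2 + keylen] != ':' || buf[i + 3 + keylen] != '"')
            continue;
        if (memcmp(buf + i + 1, key, keylen) != 0) continue;
        size_t start = i + patlen;
        size_t end = start;
        while (end < buflen && buf[end] != '"') end++;
        if (end == buflen) return false;  /* unterminated value: reject rather than guess */
        return copy_bounded(out, outsize, buf + start, end - start);
    }
    return false;                         /* key not present */
}

int main(void)
{
    char small[16];
    char big[64];
    bool ok = extract_field(SAMPLE_RESPONSE, SAMPLE_RESPONSE_LEN, "status", small, sizeof small);
    printf("status into 16 bytes: %s -> \"%s\"\n", ok ? "ok" : "rejected", small);
    ok = extract_field(SAMPLE_RESPONSE, SAMPLE_RESPONSE_LEN, "token", small, sizeof small);
    printf("token into 16 bytes: %s -> \"%s\"\n", ok ? "ok" : "rejected", small);
    ok = extract_field(SAMPLE_RESPONSE, SAMPLE_RESPONSE_LEN, "token", big, sizeof big);
    printf("token into 64 bytes: %s -> %zu chars\n", ok ? "ok" : "rejected", strlen(big));
    return 0;
}
```

The design choice worth copying into any language, MASM included, is that the destination size travels with every copy and a value that does not fit is treated as an error the caller sees, not as something to trim quietly.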