discuss terminology: overflow (was Re: [VIM] Zoidcom ..)

security curmudgeon jericho at attrition.org
Wed May 18 05:40:49 EDT 2005


: Multiple sources have referred to this as a buffer overflow, when it's 
: not an "overflow" at least as traditionally regarded.
: 
: According to Luigi Auriemma's report, the attack involves manipulating a 
: size field of a packet.  This size field, if too big, then causes 
: Zoidcom to "try to read the unallocated memory located after the packet 
: buffer or the library will exit immediately if the amount of bits is so 
: big that the target buffer cannot be allocated."
: 
: So there's bad buffer management, and modification of length fields is a 
: common attack these days, but in this case, there's no stack-smashing or 
: heap corruption.
: 
: I'm not sure what term to use, as the underlying bug is still basically 
: the same as the bugs that allow classic overflows, but to just say 
: "buffer overflow" seems inaccurate.

Is there a VDB dictionary anywhere? I imagine the original term was more 
vague and meant overflowing a buffer. After a while it morphed into the 
more well known overflow (stack smashing etc) but when you think about 
it.. who determines the meaning?

Another example that just came up with OSVDB. Unspecified vs Nondescript 
.. which is more appropriate? The older (1910 range) meaning is 
appropriate for our titles.

nondescript \non"de*script\, a. [Pref. non- + L. descriptus
   described.]
   1. Not hitherto described; hence, of no recognizable type or
      class; odd; abnormal; unclassifiable.
      [1913 Webster]

   2. Dull or uninteresting; undistinguished.
      [PJC]

Check a more recent dictionary listing though, and it has taken on the 
'dull' or 'drab' meaning.

nondescript

 adj : lacking distinct or individual characteristics; dull and 
 uninteresting; "women dressed in nondescript clothes"; "a nondescript 
 novel" [syn: characterless] n : a person is not easily classified and not 
 very interesting

So over time, nondescript turned into a term that wasn't ideal for 
describing vague security vulnerabilities, and 'unspecified' is more 
appropriate.

Point being.. has 'overflow' started as one thing, turned into another, 
and now ends up being accurate if the original meaning is applied? In this 
case there is a small buffer being provided too much information, and the 
program acting poorly. Isn't that "overflowing" the buffer?
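As an added illustration of the distinction the thread is drawing (not code from Zoidcom or from any poster), here is a small C parser for a constructed length-prefixed packet format: the declared length is bounded against both the receiver's allocation limit and the bytes actually received, so an oversized size field is rejected instead of producing an out-of-bounds read or a failed allocation. The wire format, function names and limits are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed wire format (an assumption, not Zoidcom's real format):
 * a 2-byte big-endian payload length followed by that many payload bytes. */
#define HDR_LEN 2

enum pkt_status {
    PKT_OK = 0,
    PKT_SHORT_HEADER,   /* fewer than HDR_LEN bytes received */
    PKT_TOO_LARGE,      /* declared length exceeds what we are willing to allocate */
    PKT_TRUNCATED       /* declared length exceeds the bytes actually received */
};

/* Length the sender claims. A parser that used this value directly as a
 * read count has the bug the thread describes: it reads past the end of
 * the received buffer (an out-of-bounds read), not past the end of a
 * destination buffer (a classic stack or heap overflow). */
size_t declared_len(const uint8_t *pkt)
{
    return ((size_t)pkt[0] << 8) | pkt[1];
}

/* Hardened parser: checks the length field against the allocation limit
 * and against the bytes actually present. On success *payload points
 * into pkt and *payload_len is the validated length. */
enum pkt_status parse_packet(const uint8_t *pkt, size_t received,
                             size_t max_payload,
                             const uint8_t **payload, size_t *payload_len)
{
    if (received < HDR_LEN)
        return PKT_SHORT_HEADER;

    size_t len = declared_len(pkt);

    if (len > max_payload)            /* the "cannot be allocated" case */
        return PKT_TOO_LARGE;
    if (len > received - HDR_LEN)     /* the "read after the packet buffer" case */
        return PKT_TRUNCATED;

    *payload = pkt + HDR_LEN;
    *payload_len = len;
    return PKT_OK;
}

/* Convenience wrapper for callers that only need the verdict. */
enum pkt_status check_packet(const uint8_t *pkt, size_t received, size_t max_payload)
{
    const uint8_t *p;
    size_t n;
    return parse_packet(pkt, received, max_payload, &p, &n);
}
```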
