# HG changeset patch
# User Christian Urban
# Date 1444326375 -3600
# Node ID 92c49c160b24e05f54f7f2a193e081cd7b024d88
# Parent fb0c844a26cf373111ebeb43c55a3cd710060f00
updated

diff -r fb0c844a26cf -r 92c49c160b24 handouts/ho03.pdf
Binary file handouts/ho03.pdf has changed
diff -r fb0c844a26cf -r 92c49c160b24 handouts/ho03.tex
--- a/handouts/ho03.tex	Thu Oct 08 17:06:48 2015 +0100
+++ b/handouts/ho03.tex	Thu Oct 08 18:46:15 2015 +0100
@@ -375,7 +375,10 @@
 \begin{figure}[p]
 \lstinputlisting[language=C]{../progs/C2.c}
-\caption{A vulnerable login implementation.\label{C2}}
+\caption{A vulnerable login implementation. The use of the
+`own' \pcode{get\_line} function makes this program
+vulnerable. The developer should have used \emph{safe}
+library functions instead.\label{C2}}
 \end{figure}
 This kind of attack was very popular with commercial programs
@@ -432,6 +435,7 @@
 \lstinputlisting[language=C,numbers=none]{../progs/o2.c}
+\noindent
 While not too difficult, obtaining this string is not entirely
 trivial using \pcode{gdb}. Remember the functions in C that
 copy or fill buffers work such that they copy everything until
diff -r fb0c844a26cf -r 92c49c160b24 progs/README
--- a/progs/README	Thu Oct 08 17:06:48 2015 +0100
+++ b/progs/README	Thu Oct 08 18:46:15 2015 +0100
@@ -64,6 +64,10 @@
 ./C4 "%s"
 ./C4 `./args4`
+This vulnerability does not need the defences, but prints out
+the string only correctly with `./args4`. The %s option needs
+
+    -mpreferred-stack-boundary=2
 ------------------------------------
diff -r fb0c844a26cf -r 92c49c160b24 slides/slides03.pdf
Binary file slides/slides03.pdf has changed