漏洞利用C代码中不兼容的指针类型错误

时间:2012-12-21 20:07:25

标签: c exploit

我正在尝试编译以下漏洞利用代码以进行学习练习,并且已经对C中的指针进行了一些研究,但是我多次尝试修复代码对编译器错误消息没有影响。如果有人能指出我正确的方向,我会非常感激,我几乎没有C经验。

相关错误:

OFudge.c: In function ‘get_server_hello’:
OFudge.c:1009:5: warning: passing argument 2 of ‘d2i_X509’ from incompatible pointer
type [enabled by default]

第1009行:

ssl->x509=d2i_X509(NULL,&p,(long)cert_length);

整个功能:

void get_server_hello(ssl_conn* ssl)
{
    unsigned char buf[BUFSIZE];
    unsigned char *p, *end;
    int len;
    int server_version, cert_length, cs_length, conn_id_length;
    int found;

    if (!(len = read_ssl_packet(ssl, buf, sizeof(buf)))) {
        printf("Server error: %s\n", ssl_error(ntohs(*(uint16_t*)&buf[1])));
        exit(1);
    }
    if (len < 11) {
        printf("get_server_hello: Packet too short (len = %d)\n", len);
        exit(1);
    }

    p = buf;

    if (*(p++) != SSL2_MT_SERVER_HELLO) {
        printf("get_server_hello: Expected SSL2 MT SERVER HELLO, got %x\n", (int)p[-1]);
        exit(1);
    }

    if (*(p++) != 0) {
        printf("get_server_hello: SESSION-ID-HIT is not 0\n");
        exit(1);
    }

    if (*(p++) != 1) {
        printf("get_server_hello: CERTIFICATE-TYPE is not SSL CT X509 CERTIFICATE\n");
        exit(1);
    }

    n2s(p, server_version);
    if (server_version != 2) {
        printf("get_server_hello: Unsupported server version %d\n", server_version);
        exit(1);
    }

    n2s(p, cert_length);
    n2s(p, cs_length);
    n2s(p, conn_id_length);

    if (len != 11 + cert_length + cs_length + conn_id_length) {
        printf("get_server_hello: Malformed packet size\n");
        exit(1);
    }

    /* read the server certificate */
    ssl->x509 = NULL;
    ssl->x509=d2i_X509(NULL,&p,(long)cert_length);
    if (ssl->x509 == NULL) {
        printf("get server hello: Cannot parse x509 certificate\n");
        exit(1);
    }

    if (cs_length % 3 != 0) {
        printf("get server hello: CIPHER-SPECS-LENGTH is not a multiple of 3\n");
        exit(1);
    }

    found = 0;
    for (end=p+cs_length; p < end; p += 3) {
        if ((p[0] == 0x01) && (p[1] == 0x00) && (p[2] == 0x80))
           found = 1;  /* SSL CK RC4 128 WITH MD5 */
    }

    if (!found) {
        printf("get server hello: Remote server does not support 128 bit RC4\n");
        exit(1);
    }

    if (conn_id_length > SSL2_MAX_CONNECTION_ID_LENGTH) {
        printf("get server hello: CONNECTION-ID-LENGTH is too long\n");
        exit(1);
    }

    /* The connection id is sent back to the server in the CLIENT FINISHED packet */
    ssl->conn_id_length = conn_id_length;
    memcpy(ssl->conn_id, p, conn_id_length);
}

1 个答案:

答案 0 :(得分:0)

编译器清楚地告诉你问题是什么。它甚至告诉你哪个论点引起了这个问题。将预期的参数类型与作为参数传递的类型进行简单比较是如此困难吗?

根据这个

http://www.openssl.org/docs/crypto/d2i_X509.html

该函数需要const unsigned char **参数

X509 *d2i_X509(X509 **px, const unsigned char **in, int len);

您正在传递unsigned char **const unsigned char **unsigned char **是两种不同的类型,不能互相隐式转换。所以,这是你的错误。

相关问题
最新问题