Security Response

When traditional buffer overflows = denial of service on Symbian

Created: 17 Aug 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:57:48 GMT
Ollie Whitehouse

With the advent of the Symbian mobile operating system we have been introduced to several new descriptors for different types of variables. These descriptors are used when writing software with Symbian's C++ API and are not standard C-style strings, but instead “classes” that perform strict type and length checking. These classes are designed to protect against buffer overflows and general memory corruption bugs, among other things.

While this design is helpful because it stops overflows from overwriting the stack and heap, developers could develop a false sense of security. What traditionally would have been a vulnerability leading to arbitrary code execution is now potentially a vulnerability that causes a denial of service (DoS) condition.

Take the following code snippet as an example:

TBuf<5> Buf; //5 char buffer
_LIT(Boof,"AAAAAAAAAA"); // 10 chars
Buf.Copy(Boof); // Attempt to overflow

While I appreciate that this is an extreme example, my point is this: unless developers perform strict exception handling around code blocks (while they either parse or utilize user-supplied data), they run the risk that a denial of service condition will arise. The above code, when executed, will raise an exception ("Panic USER 11"). If the exception isn’t handled correctly, the application will then be closed by the operating system. So, while potentially not as dangerous as a classic overflow, it does impact availability.

To mitigate this vulnerability, any developer writing code for Symbian should always use exception handlers. And in that respect, a good tutorial on using Symbian exception handlers can be found here.
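
An added example, not code from the original post or from the Symbian SDK: a portable C++ model of the snippet above, showing a length check on untrusted input that returns an error code before the bounded copy can panic. `FixedBuf`, `Panic`, `CopyChecked` and the two helper functions are hypothetical names, and the panic is modelled as a C++ exception only so that the outcome can be observed in-process.

```cpp
// Added example: portable model of a bounded descriptor (not Symbian SDK code).
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>

// Stand-in for the descriptor panic; a C++ exception here only so the
// outcome can be observed in-process.
struct Panic : std::runtime_error { using std::runtime_error::runtime_error; };

const int kErrNone = 0;       // constructed codes, named after Symbian's
const int kErrOverflow = -9;  // KErrNone and KErrOverflow

template <std::size_t N>
class FixedBuf {  // hypothetical analogue of TBuf<N>
public:
    std::size_t MaxLength() const { return N; }
    std::size_t Length() const { return len_; }
    // Like Buf.Copy(Boof) on the page: memory is never overwritten,
    // but an oversized source ends in a panic.
    void Copy(const std::string& src) {
        if (src.size() > N) throw Panic("USER 11");
        std::memcpy(data_, src.data(), src.size());
        len_ = src.size();
    }
private:
    char data_[N] = {};
    std::size_t len_ = 0;
};

// Check untrusted input against capacity first, so oversized data becomes
// an error code for the caller and the panic path is never reached.
template <std::size_t N>
int CopyChecked(FixedBuf<N>& dst, const std::string& untrusted) {
    if (untrusted.size() > dst.MaxLength()) return kErrOverflow;
    dst.Copy(untrusted);
    return kErrNone;
}

bool UncheckedCopyPanics(const std::string& input) {
    FixedBuf<5> buf;
    try { buf.Copy(input); } catch (const Panic&) { return true; }
    return false;
}
int CheckedCopyResult(const std::string& in) { FixedBuf<5> b; return CopyChecked(b, in); }

int main() {  // exit code 0 when the 10-char input panics unchecked and is rejected when checked
    return UncheckedCopyPanics("AAAAAAAAAA") && CheckedCopyResult("AAAAAAAAAA") == kErrOverflow ? 0 : 1;
}
```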