After nearly 15 years of hammering out tons of code on my personal time and guarding it like it was some sort of valuable trade secrete. My pet project (NetworkDLS) has decided to go open source.

How open source? Well, how about the full source code, installer scripts, documentation code, supplimental build tools and build instructions for each and evey one of our projects - under the MIT licence. You can sell it, compile it, customize and imbed it.

All official release will still be made to NetworkDLS.com, but the development process, nug tracking and change sets will be made publicly available at CodePlex.

Please, do me a huge favor and find some use in this effort!

>> NetworkDLS CodePlex <<

Today, I read a comprehensive article by Nagaraj Venkatesan related to getting a handle on SQL Server Page Splits. If you manage any SQL servers than I strongly recommend that you read this article... simply fantastic!

SQL and SQL only: Identifying Page Splits - by Nagaraj Venkatesan

It seems like more than a decade that I've been going back to that Virginia University page for a copy of lcc-win32. What's more is the fact that I have totally read and nearly memorized the copy of the "Windows API documentation" whose link is now defunct.

The simplicity of the build process was beautiful, the size of the created executables remains still to this day the smallest I've ever seen. If only the compiler and linker utilized better optimizing algorithms, I'd probably still be using it to this day for production coding.

Batch Build process:

lcc -O -unused -c Test.C
lcclnk -s -subsystem:console -o Test.Exe Test.obj

It should be noted, that I still use this compiler for hobbyist applications and still have hundreds of applications that compile flawlessly using both GCC and lcc-Win32!

In case you are not following, I’ll reiterate: This is old code so don’t give me grief. How old is the code?? I’m not sure exactly, but I was in Jr. High at the time. So again, no jabbing me for "crap code"!

Ok, the main() function has been fudged to show the purpose and functionality of the vulnerable procedure: "ParseRequest(...)"

The idea was to search for different parameters that were being passed over from an anonymous TCP/IP connection and then parse off the parameter text which would always be terminated by a line feed character (or optional carriage return character).

Can you spot the vulnerabilities? This code makes many assumptions about the "perfectly trustworthy" and "completely bug free" remote peer. This is a prime example of bad code.

We have potential underflows, overflows, and injection possibilities, potential out-of-bounds memory reading and writing, ect, ect... or to put it in layman's terms: this application would only have been "safe" if it were run on a machine with no networking capabilities period!

//-----------------------------------------------------------------------
char *ParseRequest(const char *sInput, char *sOutput)
{
 size_t iLen = strlen(sInput);
 size_t r = 0; //Read position.
 size_t w = 0; //Write position.
 
 //Skip the parameter marker.
 while(r == 0 || sInput[(r == 0 ? 1 : r) - 1] != ' ')
 {
  r++;
 }
 
 //Parse the parameter value.
 while(r < iLen && sInput[r] != '\r' && sInput[r] != '\n')
 {
  sOutput[w++] = sInput[r++];
 }
 
 sOutput[w] = 0; //NULL terminator.
 
 return sOutput;
}
 
//-----------------------------------------------------------------------
 
int main(int argc, char *argv[])
{
 char input[1024];
 char output[255];
 
 strcpy(input,
  "/P1 Param text 1\n"
  "/P2 Param text 2\n"
  "/P3 Param text 3\n"
  "/P4 Param text 4\n");
 
 for(size_t i = 0; i < strlen(input); i++)
 {
  if(input[i] == '/')
  {
   ParseRequest(input + i, output);
   printf("%s\n", output);
  }
 }
 
 return 0;
}
 
//-----------------------------------------------------------------------

Hints:

1. What would happen if the input wasn’t null nor carriage-return / line feed terminated?
2. What would happen if the input or any one of the parameter values were greater than 255 characters?
3. What would happen if the input contained no spaces between the parameter name (/P1) and its value (Param Text 1).
4. What if there were no spaces in the param text in conjunction with a missing space between the parameter name and its value?

The answer to all four questions? Hopefully a program crash! Otherwise malicious code could easily be injected for your happy application to execute!

Interestingly enough, just a week after I posted to my blog about the possibility of an entry about exploits, I receive an email about an exploit of one of my oldest (and most embarrassing) socket applications: "Finger Server". If you're under 20 years old at the time of this posting then you may need to perform a search for the term "finger Protocol".

I do not really care much for this application anymore but I'm not going to leave a utility with a known vulnerability available via a security website. That wouldn't seem right.

So, what's the exploit? What might one gain from exploiting the server? How can I fix it?

Fortunately, these are all pretty easy to answer when it comes to this application, mainly, because I have the source code and secondly because the heart of the program is only roughly 50 lines of C code. Yea, that'll be easy to patch up!

The replication issues may be comming to a close. Errors are now being skipped as well as erroneous LSNs.

I have already started on my next technical post so it shouldn't be long now.

I haven't forgotten about you, I'm suffering from a potentially fatal case of the "MSSQL Replication Woes".

While I enjoy programming (and posting tons of source code), I promise to delve into something less technical in the me-centric kind of way. Tell you what: next week I'll go technical in the exploit-centric kind of way. What do you want to destroy?
 
Though... the though process: "Exploit" to "Buffer Overrun" to "Denial of Service" to "Distributed Denial of Service" does have me leaning towards an article on distributed computing... which is of course my gravy.
 
We'll see what next week brings!

I've written applications that were bad and I’ve written some that were perfect, though it took me years to figure out why a few of the perfect applications were chewing 75% of my RAM. No matter, their still perfect to me...
 
On a serious note, have you ever written any C or C++ code? Yes? Good - Then you are already familiar with memory leaks!
 
Memory leaks occur when you allocate RAM and do not free it. On modern OS's these memory leaks are only potentially detrimental for the lifetime of the running application, that is, the badly managed resources are cleaned up after the leaky application is closed (or unexpectedly terminated). That said, memory leaks really begin to haunt you when writing long running applications or more specifically: services.
 
These leaks can be more than frustrating, I've turned my back on applications that I've dedicated years to because the manor of the memory's escaped was just too elusive (e.g. I've written bad applications).
 
How can we solve such a problem? Well, you can either attempt to be perfect and (on near certain failure) dump five times the development time into debugging or… use some manner of memory tracker.
 
I developed one of these "memory trackers" that I now include in all of my C++ projects – yes, even the small ones – you never know what they’ll grow into.
 
I call this magic tool: CMemoryPool (though, it's not really a memory pool).
 
How's it work? Well it’s simple really - it has 4 modes which are set by defining preprocessors.
 
Modes of Operation:

Disabled
In disabled mode, the memory tracker code is collapsed down to calls to your native malloc(), calloc(), and realloc(). Fully optimized - this mode is for the final release of your product.
 
General
In general mode, the memory tracker will keep track of the allocations that your program makes and raise a debug break when the class is deconstructed if all of the allocations that it witnessed were not cleaned up properly. This mode is faster than the following modes and that's pretty much the end of its advantages.
 
Advanced
In advanced mode (which should have been called "default mode"), the memory tracker will keep track of each allocation that your application makes as well as the number of bytes per allocation and the source code file name and the line number in the source file that the allocation originated from. Much like the previous mode, the class will trigger a debug break when the class is deconstructed if your application has not been well behaved.
 
Verbose
Verbose mode is slow. It's actually more than slow but I don’t want to appear dramatic by telling you that it's "insanely slow" or "near unusable" - despite the fact that these statements would be true. This mode functions exactly like the previous mode (Advanced) but it additionally opens a console (if you didn’t already open one) and prints verbose information about every memory allocation, reallocation and free to the console. Yea, you think memory allocation is slow now – try Verbose mode!
 
One last thing that should be noted about the memory tracker is that it is multi-thread safe – very multi-tread safe. It’s even safe to use with non-multi-thread safe standard libraries. This functionality can be disabled when running in the final "disabled" mode for your final release by ensuring that the "Sequential When Optimized" preprocessor is not defined in the class header.
 
You're not still reading are you? ....I call B.S.
 
Well, if your that interested, grab a copy of the CMemPool and start saving time!!