
vulnerabilities using queues

Name: Anonymous 2012-07-30 13:36

Examine the queue management routines below. They handle any number
of queues, and return a pointer to the queue that is created.
The header file - queueHeader.h - and queue manager - queueManager.c -
are below.

Write a main driver, queueMain.c and exercise these functions to get a
feel for it.

Analyze the code given and explain clearly any four vulnerabilities, each
description of about 5 -6 sentences - each vulnerability has to be a
very specific problem, not something general like buffer overflow etc.

For any ONE vulnerability, describe how you may fix it - NO need to write
actual (fix) code though.

For any ONE vulnerability, write an exploit, mainExploit.c --
exploit code should be readable and well-documented, else you get 0.

/**
         queueHeader.h header file
*/

/*
 * the queue structure
 */
typedef struct queue {
        int *que;               /* the actual array of queue elements */
        int head;               /* head index in que of the queue */
        int count;              /* number of elements in queue */
        int size;               /* max number of elements in queue */
} QUEUE;

/*
 * the library functions
 */
void queueManage(QUEUE **, int, int);   /* create or delete a queue */
void addToQueue(QUEUE *, int);  /* add to queue */
void removeFromQueue(QUEUE *, int *);   /* remove from queue */


/**
         queueManager.c source
*/

#include <stdlib.h>
#include "queueHeader.h"

/*
 * create or delete a queue
 *
 * PARAMETERS:  QUEUE **qptr    space for, or pointer to, queue
 *              int flag        1 for create, 0 for delete
 *              int size        max elements in queue
 */
void queueManage(QUEUE **qptr, int flag, int size)
{
        if (flag){
                /* allocate a new queue */
                *qptr = malloc(sizeof(QUEUE));
                (*qptr)->head = (*qptr)->count = 0;
                (*qptr)->que = malloc(size * sizeof(int));
                (*qptr)->size = size;
        }
        else{
                /* delete the current queue */
                (void) free((*qptr)->que);
                (void) free(*qptr);
        }
}

/*
 * add an element to an existing queue
 *
 * PARAMETERS:  QUEUE *qptr     pointer for queue involved
 *              int n           element to be appended
 */
void addToQueue(QUEUE *qptr, int n)
{
        /* add new element to tail of queue */
        qptr->que[(qptr->head + qptr->count) % qptr->size] = n;
        qptr->count++;

}

/*
 * take an element off the front of an existing queue
 *
 * PARAMETERS:  QUEUE *qptr     pointer for queue involved
 *              int *n          storage for the return element
 */
void removeFromQueue(QUEUE *qptr, int *n)
{
        /* return the element at the head of the queue */
        *n = qptr->que[qptr->head++];
        qptr->count--;
        qptr->head %= qptr->size;
}

Name: Anonymous 2012-07-31 12:38

Lol I'm sorry that something I learned 3 years ago and haven't used since is trumping me. I'm sure you guys don't remember everything from every class you have ever taken, especially if you don't use it often..

Anyways I pulled up my notes and I see that in the addQueue function it doesn't check if the queue is already full before it does its work, and in the deleteQueue function it doesn't check if the queue is already empty before it does ITS work. Also something a classmate brought to my attention is how "(*qptr)->que = malloc(size * sizeof(int));" can be vulnerable because there is no checking the size of int, that it can overflow the result of the int queue and the same line can error if the size is -1. That's also true within the addQueue and deleteQueue functions.

>>9
>>15
Wow man, I'm sorry. I see why you were pretty upset that I couldn't understand what you were saying. You are saying exactly what I just said, but in example terms. The first example you set to size 2 and tried to enqueue 3 times, but it only fits two so it would throw an error. And the second example you created a queue but left it empty and try to dequeue which would throw an error.
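As an added example (not code from the original post or the assignment), the block below is a hardened rewrite of the thread's queue manager that closes the issues the reply above lists: it rejects a non-positive size such as -1, refuses a size whose multiplication by sizeof(int) would wrap, checks for a full queue before adding and an empty queue before removing, and clears the caller's pointer on delete. All names with the safe_ prefix are this example's own, and safe_queue_demo replays the two scenarios from the reply (three enqueues into a two-slot queue, then a dequeue from an empty queue) and returns how many of those operations were correctly refused.

```c
/* Hardened variant of the thread's queue manager (added example; the
 * safe_* names are this example's own, not the assignment's API). */
#include <stdint.h>
#include <stdlib.h>

typedef struct safe_queue {
    int *que;    /* backing array of size slots */
    int head;    /* index of the oldest element */
    int count;   /* number of stored elements, 0..size */
    int size;    /* capacity of que, always > 0 */
} SAFE_QUEUE;

/* Create a queue with 'size' slots. Returns NULL when size is not
 * positive, when size * sizeof(int) would wrap, or when malloc fails. */
SAFE_QUEUE *safe_queue_create(int size)
{
    SAFE_QUEUE *q;

    if (size <= 0)                              /* catches -1 and 0 */
        return NULL;
    if ((size_t)size > SIZE_MAX / sizeof(int))  /* product would wrap */
        return NULL;
    q = malloc(sizeof *q);
    if (q == NULL)
        return NULL;
    q->que = malloc((size_t)size * sizeof *q->que);
    if (q->que == NULL) {
        free(q);
        return NULL;
    }
    q->head = q->count = 0;
    q->size = size;
    return q;
}

/* Free the queue and null the caller's pointer so a second delete
 * or a later add/remove through it cannot touch freed memory. */
void safe_queue_destroy(SAFE_QUEUE **qptr)
{
    if (qptr == NULL || *qptr == NULL)
        return;
    free((*qptr)->que);
    free(*qptr);
    *qptr = NULL;
}

/* Append n. Returns 0 on success, -1 when the queue is full. */
int safe_queue_add(SAFE_QUEUE *q, int n)
{
    int tail;

    if (q == NULL || q->count >= q->size)
        return -1;
    /* tail = (head + count) mod size, written so that head + count can
     * never exceed INT_MAX: size - count >= 0, so the difference is >= -size */
    tail = q->head - (q->size - q->count);
    if (tail < 0)
        tail += q->size;
    q->que[tail] = n;
    q->count++;
    return 0;
}

/* Pop the head element into *n. Returns 0 on success, -1 when empty. */
int safe_queue_remove(SAFE_QUEUE *q, int *n)
{
    if (q == NULL || n == NULL || q->count == 0)
        return -1;
    *n = q->que[q->head];
    q->head = (q->head + 1) % q->size;
    q->count--;
    return 0;
}

/* Replays the reply's two scenarios on a two-slot queue and returns the
 * number of operations that were correctly refused (2 when all checks hold). */
int safe_queue_demo(void)
{
    int rejected = 0, v;
    SAFE_QUEUE *q = safe_queue_create(2);

    if (q == NULL)
        return -1;
    safe_queue_add(q, 1);
    safe_queue_add(q, 2);
    if (safe_queue_add(q, 3) == -1)       /* third add: queue is full */
        rejected++;
    safe_queue_remove(q, &v);
    safe_queue_remove(q, &v);
    if (safe_queue_remove(q, &v) == -1)   /* queue is now empty */
        rejected++;
    safe_queue_destroy(&q);
    return rejected;
}

/* Checks FIFO order across the wrap-around point of a two-slot queue.
 * Returns 1 when elements come out as 1, 2, 3 in that order, else 0. */
int safe_queue_wrap_check(void)
{
    int a = 0, b = 0, c = 0, ok;
    SAFE_QUEUE *q = safe_queue_create(2);

    if (q == NULL)
        return 0;
    safe_queue_add(q, 1);
    safe_queue_add(q, 2);
    safe_queue_remove(q, &a);   /* frees slot 0 */
    safe_queue_add(q, 3);       /* lands in slot 0: the wrap case */
    safe_queue_remove(q, &b);
    safe_queue_remove(q, &c);
    ok = (a == 1 && b == 2 && c == 3);
    safe_queue_destroy(&q);
    return ok;
}
```

The tail index is computed with a subtraction rather than `(head + count) % size` so the arithmetic cannot overflow for any capacity that malloc could actually satisfy; the original's modulo form is fine for small queues but relies on `head + count` staying within int range.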
