vulnerabilities using queues

Examine the queue management routines below. It handles any number
of queues, and returns a pointer to the queue that is created.
The header file - queueHeader.c - and queue manager - queeManager.c -
are below.

Write a main driver, queueMain.c and exercise these functions to get a
feel for it.

Analyze the code given and explain clearly any four vulnerabilities, each
description of about 5 -6 sentences - each vulnerability has to be a
very specific problem, not something general like buffer overflow etc.

For any ONE vulnerability, describe how you may fix it - NO need to write
actual (fix) code though.

For any ONE vulnerability, write an exploit, mainExploit.c --
exploit code should be readable and well-documented, else you get 0.

/**
         queueHeader.h header file
*/

/*
 * the queue structure
 */
typedef struct queue {
        int *que;               /* the actual array of queue elements */
        int head;               /* head index in que of the queue */
        int count;              /* number of elements in queue */
        int size;               /* max number of elements in queue */
} QUEUE;

/*
 * the library functions
 */
void queueManage(QUEUE **, int, int);   /* create or delete a queue */
void addToQueue(QUEUE *, int);  /* add to queue */
void removeFromQueue(QUEUE *, int *);   /* remove from queue */


/**
         queueManager.c source
*/

#include <stdlib.h>
#include "queueHeader.h"

/*
 * create or delete a queue
 *
 * PARAMETERS:  QUEUE **qptr    space for, or pointer to, queue
 *              int flag        1 for create, 0 for delete
 *              int size        max elements in queue
 */
void queueManage(QUEUE **qptr, int flag, int size)
{
        if (flag){
                /* allocate a new queue */
                *qptr = malloc(sizeof(QUEUE));
                (*qptr)->head = (*qptr)->count = 0;
                (*qptr)->que = malloc(size * sizeof(int));
                (*qptr)->size = size;
        }
        else{
                /* delete the current queue */
                (void) free((*qptr)->que);
                (void) free(*qptr);
        }
}

/*
 * add an element to an existing queue
 *
 * PARAMETERS:  QUEUE *qptr     pointer for queue involved
 *              int n           element to be appended
 */
void addToQueue(QUEUE *qptr, int n)
{
        /* add new element to tail of queue */
        qptr->que[(qptr->head + qptr->count) % qptr->size] = n;
        qptr->count++;

}

/*
 * take an element off the front of an existing queue
 *
 * PARAMETERS:  QUEUE *qptr     pointer for queue involved
 *              int *n          storage for the return element
 */
void removeFromQueue(QUEUE *qptr, int *n)
{
        /* return the element at the head of the queue */
        *n = qptr->que[qptr->head++];
        qptr->count--;
        qptr->head %= qptr->size;
}

>>16
...because there is no checking the size of int
What exactly do you mean by that? Are you actually talking about the value of sizeof(int)? Further, if size is less than zero, it possibly won't cause malloc "to error" - look at the how malloc is defined: it takes a size_t argument, which is some sort of unsigned integral type. Thus your signed multiplication involving a negative number will be treated as an unsigned value when passed to malloc, and you'll end up with some number of bytes allocated, but Sussman knows how many.

One other thing I can spot is that if que->size does happen to be zero, your modulus operations involving it will actually cause division by zero faults. But the problem is that's on the same level as passing NULL pointers into your functions and getting segfaults. So I'm not sure if that counts (ie allocating a queue with 0 size and expecting to be able to enqueue/dequeue items).