Analysis of the bug
===================

There are two bugs related to the `num` field in the `objentry` structure:

- the field is not updated when the default value is used;
- the field is updated and is not reset if the object creation fails.

Together, these two bugs can be abused to create a mismatch between `num` and the actual number of objects in the array.

Attack plan
===========

The idea is to exploit the bug to overlay an Echo object and a Secret object. Then we can run the Secret object to load the secret into memory, and run the overlaid Echo object to reveal the secret.

Attack implementation
=====================

We connect to the server:

```
nc $HOST $PORT
```

First, we set the `num` field of entry 0 to a sufficiently large number (3 is enough in this case):

```
ox3
```

The above command fails, since `x` is not a recognized number, but the `num` field of some entry will be set to 3. Now we immediately create an Echo object with the default size:

```
oe
```

This will use entry 0 without updating `num`. Now the program thinks the Echo array has 3 elements, but only one has been allocated. Next, we create a Secret object in entry 1:

```
os
```

This will be allocated immediately after the Echo object on the heap. By experimenting with the debugger, we can see that the fake Echo element with index 2 perfectly overlays the Secret object. Now we load the secret:

```
r1
```

And finally run the fake overlaid Echo object:

```
r0,2
```

Suggested fix
=============

The `num` field of the allocated entry should be set to one when the default value is used. As an additional safety measure, `num` should be set only when the object creation can no longer fail.
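As an added illustration (not the challenge's own code), the following constructed C model shows the two bugs beside the creation routine written the way the suggested fix describes; the struct layout, field names, the `o<type><count>` command grammar and the `alloc` counter are all assumptions made for the demo.

```c
#include <stdlib.h>
/* Constructed model of the writeup's objentry (names assumed); alloc exists only to make the mismatch observable. */
typedef struct {
    int *objs;  /* object array, NULL while the entry is unused */
    int num;    /* elements the program believes objs holds */
    int alloc;  /* elements really allocated */
} objentry;
#define DEFAULT_NUM 1

static int parse_num(const char *s) {   /* -1 on malformed or out-of-range count */
    char *end;
    long v = strtol(s, &end, 10);
    return (*s && !*end && v >= 1 && v <= 1024) ? (int)v : -1;
}

/* Buggy flow as the writeup describes it: num is stored while creation
 * can still fail, and the default path never writes num at all. */
int create_buggy(objentry *e, char type, const char *count) {
    int n = DEFAULT_NUM;
    if (count && *count) {
        if ((n = parse_num(count)) < 0) return -1;
        e->num = n;                            /* bug 2: written too early */
    }                                          /* bug 1: default keeps stale num */
    if (type != 'e' && type != 's') return -1; /* fails, num not reset */
    if (!(e->objs = calloc(n, sizeof *e->objs))) return -1;
    e->alloc = n;
    return 0;
}

/* Fixed flow: num is written last, once nothing can fail, on every path. */
int create_fixed(objentry *e, char type, const char *count) {
    int n = DEFAULT_NUM;
    if (count && *count && (n = parse_num(count)) < 0) return -1;
    if (type != 'e' && type != 's') return -1; /* entry left untouched */
    int *p = calloc(n, sizeof *p);
    if (!p) return -1;
    e->objs = p;
    e->alloc = n;
    e->num = n;                                /* default path sets it too */
    return 0;
}

/* Replay the writeup's first two commands (ox3, then oe) and return
 * num minus the real allocation: 0 means the entry is consistent. */
int replay_mismatch(int (*create)(objentry *, char, const char *)) {
    objentry e = {0, 0, 0};
    (void)create(&e, 'x', "3");                /* rejected: 'x' is no type */
    if (create(&e, 'e', NULL) != 0) return -1; /* default-sized Echo */
    int diff = e.num - e.alloc;
    free(e.objs);
    return diff;
}
```

With the buggy routine the replay leaves `num` two elements ahead of the real array, which is exactly the gap the `r0,2` command exploits; with the fixed routine the entry stays consistent.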