Summary

At the time of this writing, the whole level 2 game is misguided. The fix is not only in that extra checking whether the index is negative, like it is suggested in solution.c. The fix is more about the redesign of the API and concomitant code to apply the information hiding principle by restricting access to the user account structure. An end user should never work directly with low level data. They should only receive a minimum amount of data by which they can be adequately authenticated and authorized by a target system.

How to reproduce

Change line number 1 in hack.c to reference solution.c instead of code.h. Insert the following line in hack.c before the final tests whether admin rights have been acquired:

ua->isAdmin = true;

How to Fix the Bug

Any attacker would seek the path of least resistance to achieve their goals. Why would anyone bother passing negative indexes to the update procedure, when all they need to perform is simply set the matching field to true?

Therefore, the function create_user_account should return a user id whilst update_setting should receive this id. A separate function should be available to read the user's status based upon their id. At any moment in time, all what a user would hold is their unique id and never work with implementation level structures.

Of course, besides making the above changes all inputs must be properly validated, including the suggested change for checking against a negative index value.