Browse DevX
Sign up for e-mail newsletters from DevX

Tip of the Day
Language: C++
Expertise: All
Jul 7, 2000



Building the Right Environment to Support AI, Machine Learning and Deep Learning

Avoiding Buffer Overflows

Buffer overflows are a fertile source of bugs and malicious attacks. They occur when a program attempts to write data past the end of a buffer. Consider this example:

#include <stdio.h>
int main()
  char buff[15] = {0};  /*zero initialize all elements*/
  printf("enter your name: ");
  scanf(buff, "%s"); /*dangerous, length unchecked*/

The program reads a string from the standard input (the keyboard). The problem is it doesn't check the string's length. If the string has more than 14 characters, it causes a buffer overflow as scanf() tries to write the remaining characters past buff's end (remember that one character is always reserved for a null terminator). The result is most likely a runtime crash. On some systems, the users will receive a shell's prompt after the crash. Even if the shell has restricted privileges, the users can still examine the values of environment variables, list the current directory files or detect the network with the "ping" command.

That's not the worst thing that can happen, though. A more dangerous situation is when the program doesn't crash due to a buffer overrun. Experts who are familiar the system's internals can craft a string that is just long enough to overwrite the program's IP (instruction pointer, a pointer to the program's next instruction). If the last four bytes of such a string contain a valid memory address, the program's flow can be altered. For instance, instead of executing the next instruction, the program will execute the code to which the new IP points—it might call another routine, skip code that performs security checks, etc.

What can you do to avert buffer overruns? Always check the bounds of an array before writing it to a buffer. If this is impossible, e.g., when the input is coming from a CGI script, use functions that explicitly limit the number of input characters, e.g., instead of using scanf(), use the fgets() function which reads characters up to a specified limit:

#include <stdio.h>
int main()
 char buff[15] = {0};
 fgets(buff, sizeof(buff), stdin); /*read at most 14 chars*/

Additionally, the standard string functions have versions that take an explicit size limit. Thus, instead of strcpy(), strcmp(), and sprintf(), use strncpy(), strncmp(), and snprint(), respectively.

Danny Kalev
Thanks for your registration, follow us on our social networks to keep up-to-date