Avoiding Buffer Overflows

Buffer overflows are a fertile source of bugs and malicious attacks. They occur when a program attempts to write data past the end of a buffer. Consider this example:

 #include int main(){  char buff[15] = {0};  /*zero initialize all elements*/  printf("enter your name: ");  scanf(buff, "%s"); /*dangerous, length unchecked*/}

The program reads a string from the standard input (the keyboard). The problem is it doesn’t check the string’s length. If the string has more than 14 characters, it causes a buffer overflow as scanf() tries to write the remaining characters past buff’s end (remember that one character is always reserved for a null terminator). The result is most likely a runtime crash. On some systems, the users will receive a shell’s prompt after the crash. Even if the shell has restricted privileges, the users can still examine the values of environment variables, list the current directory files or detect the network with the “ping” command.

That’s not the worst thing that can happen, though. A more dangerous situation is when the program doesn’t crash due to a buffer overrun. Experts who are familiar the system’s internals can craft a string that is just long enough to overwrite the program’s IP (instruction pointer, a pointer to the program’s next instruction). If the last four bytes of such a string contain a valid memory address, the program’s flow can be altered. For instance, instead of executing the next instruction, the program will execute the code to which the new IP points?it might call another routine, skip code that performs security checks, etc.

What can you do to avert buffer overruns? Always check the bounds of an array before writing it to a buffer. If this is impossible, e.g., when the input is coming from a CGI script, use functions that explicitly limit the number of input characters, e.g., instead of using scanf(), use the fgets() function which reads characters up to a specified limit:

 #include int main(){ char buff[15] = {0}; fgets(buff, sizeof(buff), stdin); /*read at most 14 chars*/}

Additionally, the standard string functions have versions that take an explicit size limit. Thus, instead of strcpy(), strcmp(), and sprintf(), use strncpy(), strncmp(), and snprint(), respectively.

Share the Post:
Share on facebook
Share on twitter
Share on linkedin

Overview

The Latest

microsoft careers

Top Careers at Microsoft

Microsoft has gained its position as one of the top companies in the world, and Microsoft careers are flourishing. This multinational company is efficiently developing popular software and computers with other consumer electronics. It is a dream come true for so many people to acquire a high paid, high-prestige job

your company's audio

4 Areas of Your Company Where Your Audio Really Matters

Your company probably relies on audio more than you realize. Whether you’re creating a spoken text message to a colleague or giving a speech, you want your audio to shine. Otherwise, you could cause avoidable friction points and potentially hurt your brand reputation. For example, let’s say you create a

chrome os developer mode

How to Turn on Chrome OS Developer Mode

Google’s Chrome OS is a popular operating system that is widely used on Chromebooks and other devices. While it is designed to be simple and user-friendly, there are times when users may want to access additional features and functionality. One way to do this is by turning on Chrome OS