Avoiding Buffer Overflows

Buffer overflows are a fertile source of bugs and malicious attacks. They occur when a program attempts to write data past the end of a buffer. Consider this example:

    #include <stdio.h>

    int main()
    {
        char buff[15] = {0};        /* zero-initialize all elements */
        printf("enter your name: ");
        scanf("%s", buff);          /* dangerous: length unchecked */
        return 0;
    }

The program reads a string from the standard input (the keyboard). The problem is that it doesn’t check the string’s length. If the string has more than 14 characters, it causes a buffer overflow as scanf() tries to write the remaining characters past the end of buff (remember that one character is always reserved for the null terminator). The result is most likely a runtime crash. On some systems, the user will be dropped to a shell prompt after the crash. Even if that shell has restricted privileges, the user can still examine the values of environment variables, list the files in the current directory or probe the network with the “ping” command.

That’s not the worst thing that can happen, though. A more dangerous situation is when the program doesn’t crash after a buffer overrun. Someone who is familiar with the system’s internals can craft a string that is just long enough to overwrite the program’s IP (instruction pointer, a pointer to the program’s next instruction). If the last four bytes of such a string contain a valid memory address, the program’s flow can be altered. Instead of executing the next instruction, the program executes the code to which the new IP points: it might call another routine, skip code that performs security checks, etc.

What can you do to avert buffer overruns? Always check the length of the input against the size of the buffer before writing to it. If this is impossible, e.g., when the input is coming from a CGI script, use functions that explicitly limit the number of input characters. For instance, instead of using scanf(), use the fgets() function, which reads characters up to a specified limit:

    #include <stdio.h>

    int main()
    {
        char buff[15] = {0};
        fgets(buff, sizeof(buff), stdin);   /* reads at most 14 characters plus the terminator */
        return 0;
    }

Additionally, the standard string functions have versions that take an explicit size limit. Thus, instead of strcpy(), strcmp(), and sprintf(), use strncpy(), strncmp(), and snprintf(), respectively.
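The two recommendations above (bounded input with fgets(), and the size-limited string functions) are easy to use incorrectly: fgets() silently leaves the rest of an over-long line in the input stream, strncpy() does not null-terminate when the source fills the destination, and snprintf() reports truncation only through its return value. The following program is an added example, not code from the original article; the helper names read_line_bounded(), copy_bounded(), format_bounded() and constructed_input() are this example's own, and the input strings are constructed for illustration. It reads a line into a 15-byte buffer exactly as the article does, but also detects and drains over-long input, and shows how to terminate after strncpy() and how to check snprintf()'s result.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into buf (capacity n), strip the trailing newline, and
 * discard any excess characters so the next read starts on a fresh line.
 * Returns 1 if the whole line fit, 0 if it was truncated (excess drained),
 * and -1 on EOF/error with nothing read. */
int read_line_bounded(FILE *in, char *buf, size_t n)
{
    if (n == 0)
        return -1;
    if (fgets(buf, (int)n, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* newline present: the line fit */
        return 1;
    }
    /* No newline in buf: either the line was exactly n-1 characters, the
     * file ended without a newline, or the line was too long. Peek to tell. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;                        /* nothing was lost */
    while (c != '\n' && c != EOF)        /* drain the rest of the long line */
        c = fgetc(in);
    return 0;
}

/* strncpy() does not write a terminator when strlen(src) >= n, so always
 * copy at most n-1 bytes and terminate explicitly.
 * Returns 1 if src fit completely, 0 if it was truncated. */
int copy_bounded(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return 0;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return strlen(src) < n;
}

/* snprintf() always terminates, but returns the length it *wanted* to write;
 * a result >= n means the output was truncated.
 * Returns 1 if the formatted string fit, 0 otherwise. */
int format_bounded(char *dst, size_t n, const char *name)
{
    int needed = snprintf(dst, n, "hello, %s", name);
    return needed >= 0 && (size_t)needed < n;
}

/* Build a FILE* holding a constructed input string (for offline demonstration). */
FILE *constructed_input(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(s, f);
    rewind(f);
    return f;
}

int main(void)
{
    char buff[15] = {0};                 /* same 15-byte buffer as the article */
    char greeting[32];

    /* Constructed input: a 24-character name that would overflow scanf("%s"). */
    FILE *in = constructed_input("AAAAAAAAAAAAAAAAAAAAAAAA\nBob\n");
    if (in == NULL)
        return 1;

    int r = read_line_bounded(in, buff, sizeof buff);
    printf("first line: \"%s\" (%s)\n", buff, r == 1 ? "fit" : "truncated");

    r = read_line_bounded(in, buff, sizeof buff);   /* starts cleanly at "Bob" */
    printf("second line: \"%s\" (%s)\n", buff, r == 1 ? "fit" : "truncated");
    fclose(in);

    if (!format_bounded(greeting, sizeof greeting, buff))
        printf("greeting truncated\n");
    else
        printf("%s\n", greeting);
    return 0;
}
```

The truncation status matters in practice: a program that silently keeps the first 14 characters of an attacker-supplied name may go on to make decisions on a value the user never entered, so callers should treat a 0 return from read_line_bounded() as an input error rather than a success.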
