Avoiding Buffer Overflows

Buffer overflows are a fertile source of bugs and malicious attacks. They occur when a program attempts to write data past the end of a buffer. Consider this example:

    #include <stdio.h>

    int main(void)
    {
        char buff[15] = {0};   /* zero initialize all elements */
        printf("enter your name: ");
        scanf("%s", buff);     /* dangerous, length unchecked */
        return 0;
    }

The program reads a string from the standard input (the keyboard). The problem is that it doesn’t check the string’s length. If the string has more than 14 characters, it causes a buffer overflow as scanf() writes the remaining characters past the end of buff (remember that one character is always reserved for the null terminator). The result is most likely a runtime crash. On some systems, the user is dropped to a shell prompt after the crash. Even if that shell has restricted privileges, the user can still examine the values of environment variables, list the files in the current directory, or probe the network with the “ping” command.

That’s not the worst thing that can happen, though. A more dangerous situation is when the program doesn’t crash after a buffer overrun. Experts who are familiar with the system’s internals can craft a string that is just long enough to overwrite the program’s IP (instruction pointer, a pointer to the program’s next instruction). If the last four bytes of such a string contain a valid memory address, the program’s flow can be altered: instead of executing the next instruction, the program executes the code to which the new IP points. It might call another routine, skip code that performs security checks, etc.

What can you do to avert buffer overruns? Always check the length of the input against the size of the array before writing it to the buffer. If this is impossible, e.g., when the input is coming from a CGI script, use functions that explicitly limit the number of input characters. For instance, instead of scanf(), use the fgets() function, which reads characters up to a specified limit:

    #include <stdio.h>

    int main(void)
    {
        char buff[15] = {0};
        fgets(buff, sizeof(buff), stdin);  /* read at most 14 chars */
        return 0;
    }
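As an added example (not code from the original article), here is a fuller version of the fgets() approach that also handles the case the snippet above leaves open: a line longer than the buffer. The names read_line() and read_line_from_string() are chosen for this example; the 15-byte buffer is the same one the article uses.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for scanf("%s"): read one line into buf (buf_size
 * bytes) with fgets, so at most buf_size-1 characters are stored and the
 * result is always null-terminated. Strips the trailing newline. If the
 * line was longer than the buffer, the leftover characters are discarded
 * so they cannot be mistaken for the next input.
 * Returns 1 on success, -1 if the line was truncated, 0 on EOF or error. */
int read_line(char *buf, size_t buf_size, FILE *fp) {
    if (buf_size == 0 || fgets(buf, (int)buf_size, fp) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline stored: either the buffer filled up first or EOF came
     * without a newline. Drain the rest of the line to find out which. */
    int c, truncated = 0;
    while ((c = getc(fp)) != EOF && c != '\n')
        truncated = 1;
    return truncated ? -1 : 1;
}

/* Helper for offline testing: feed a constructed string through read_line
 * via a temporary file (tmpfile() is standard C). */
int read_line_from_string(const char *input, char *buf, size_t buf_size) {
    FILE *fp = tmpfile();
    if (fp == NULL)
        return 0;
    fputs(input, fp);
    rewind(fp);
    int rc = read_line(buf, buf_size, fp);
    fclose(fp);
    return rc;
}

int main(void) {
    char buff[15] = {0};           /* same 15-byte buffer as in the article */
    printf("enter your name: ");
    int rc = read_line(buff, sizeof buff, stdin);
    if (rc == -1)
        printf("input truncated to %zu characters: %s\n", strlen(buff), buff);
    else if (rc == 1)
        printf("hello, %s\n", buff);
    return 0;
}
```

The -1 return is the point: a silently truncated name is a correctness bug even when it is no longer a memory-safety one, so callers should check it.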

Additionally, the standard string functions have versions that take an explicit size limit. Thus, instead of strcpy(), strcmp(), and sprintf(), use strncpy(), strncmp(), and snprintf(), respectively. One caveat: strncpy() does not null-terminate the destination when the source is as long as or longer than the limit, so write the terminator yourself after calling it; snprintf() always terminates its output.
