Is it an example of a stack based buffer overflow when characters written into one local array appear in another local array

StackOverflow https://stackoverflow.com/questions/18885905

29-06-2022

Question

I'm trying to trigger a buffer overflow by using the below code in order to understand the vulnerability better.

I have certain fields, some have a width specified to try to prevent the overflow, but I left that out in one case (firstName) to leave the overflow possible:

#include <stdio.h>

int main(void)
{
    char firstName[21], surName[31], job[16];

    printf("Enter first name: ");
    scanf("%s", firstName);      /* no field width: input longer than 20 chars overflows firstName */
    printf("Enter surname: ");
    scanf("%30s", surName);      /* width limits the read to 30 chars plus the terminator */
    printf("Enter job name : ");
    scanf("%15s", job);

    printf("%s\n%s\n%s\n", firstName, surName, job);
    return 0;
}

So now when I input the following:

UmbertoTestingOverflow
Example
Janitor

The recorded variables show as:

UmbertoTestingOverfoExample
Example
Janitor

According to my understanding of buffer overflow, the extra characters in firstname should have run over into another field, but in this case it has taken user input from another variable and added it to first name. So is this buffer overflow behavior or is something else causing this?

Solution

Yes, this is overflowing buffers on the stack.

The firstName input did overflow into surName. But you then changed surName when you input that, and it overwrote the characters with Example.

Because you overflowed firstName, there is no null-terminator on the string, so it looks like firstName is longer than it actually is. It then had the "end" of it overwritten (because those bytes belonged to another variable).

This is actually undefined behaviour. You don't know where the compiler will put your buffers in the stack.

To prevent overflowing your buffers, you should use fgets to read strings, not scanf:

fgets(firstName, sizeof firstName, stdin);  /* reads at most 20 characters plus the terminator */
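A bounded replacement for the three scanf calls, added here as an example and not part of the answer above or of the asker's program: it reads each field with fgets as suggested, and also handles the two cases a bare fgets leaves open, stripping the newline and discarding the tail of an over-long line so it does not become the next field's input. The sample input is constructed and fed through a temporary file so the program runs without a terminal.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into dst (capacity cap) without ever writing past it.
 * Returns 1 if the whole line fitted, 0 if it was cut short (the excess is
 * discarded so it cannot bleed into the next read), -1 on EOF/error. */
int read_field(char *dst, size_t cap, FILE *in)
{
    if (cap == 0) return -1;
    dst[0] = '\0';
    if (fgets(dst, (int)cap, in) == NULL)
        return -1;
    char *nl = strchr(dst, '\n');
    if (nl != NULL) {                   /* newline seen: drop it, all fitted */
        *nl = '\0';
        return 1;
    }
    int c = fgetc(in);                  /* buffer filled: was anything left? */
    if (c == EOF || c == '\n')
        return 1;                       /* exactly cap-1 chars: nothing lost */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                               /* discard the rest of the long line */
    return 0;
}

/* The three fields from the question, each read with a bounded fgets.
 * Returns how many of them had to be cut short. */
int read_person(FILE *in, char firstName[21], char surName[31], char job[16])
{
    int cut = 0;
    cut += read_field(firstName, 21, in) == 0;
    cut += read_field(surName, 31, in) == 0;
    cut += read_field(job, 16, in) == 0;
    return cut;
}

int main(void)
{
    /* Constructed input: the same three lines typed in the question,
       fed through a temporary file so the demo runs without a terminal. */
    FILE *in = tmpfile();
    fputs("UmbertoTestingOverflow\nExample\nJanitor\n", in);
    rewind(in);
    char firstName[21], surName[31], job[16];
    int cut = read_person(in, firstName, surName, job);
    printf("%s | %s | %s (%d field(s) cut short)\n", firstName, surName, job, cut);
    fclose(in);
    return 0;
}
```

With the question's input, firstName holds the first 20 characters, the remaining "ow" is thrown away rather than landing in surName, and the return value tells the caller that one field was cut short.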

Other tips

Yes, this is buffer overflow behavior.

Line 4, the firstname scanf, did indeed encounter a buffer overflow. It saved the long name beginning at firstName and continuing into the space occupied by surName. It concluded with a zero terminator, of course.

Line 6 then overwrote the long name with the new surname "Example", starting at surName. It also concluded with a zero terminator.

printf of firstName then begins at the start of firstName and continues, past the end of firstName into surName, until it finds a zero terminator.

When buffer overflow is used as an exploit, it would generally be where firstName is scanned AFTER surName, so that the overflow it writes will not itself be overwritten.

Yes, you overflowed the first array into the second.

On the first assignment, firstName contained UmbertoTestingOverflo and the first character of surName was set to w. On the second assignment, surName was set to Example.

When you printed firstName it kept printing letters until it encountered the \0 character which was at the end of surName. The memory associated with job was never altered.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow