Can anyone explain/show to me how this code gets an input, as well as how this code is vulnerable to an arc injection by buffer overflow?

StackOverflow https://stackoverflow.com/questions/23452078

15-07-2023

Question

Can anyone tell me how this code gets an input, as well as how this code is vulnerable to an arc injection by buffer overflow?

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>

Sets Size to 65

enum {SIZE = 65};

Variable that I'm trying to change

int True = 0;
char name[SIZE];
FILE *f;
int i = 0;

How does this read from a file?

void read(char *s) {
   int c;
   char buffer[SIZE];

   for (;;) 
   {
      c = getchar();
      if ((c == EOF) || (c == '\n')) 
         break;
      buffer[i] = c;
      i++;
   }
   buffer[i] = '\0';

   for (i = 0; i < SIZE; i++) 
      s[i] = buffer[i];
}


int main(void) {
   read(name);

   if (!True) 
     printf("%s: You are a hacker\n", name);
   else
     printf("%s: You are not a hacker\n", name);

How can you not use a return value?

   exit(0);
}

Solution

This code gets an input through 'stdin'. By default, this would be done by keyboard input. However, it may also be possible to 'pipe' the content of a file into 'stdin' when loading the program on the command line.

This code is vulnerable to an arc injection by buffer overflow. Specifically, if more than 65 characters are copied into the 'name' array, the value of 'True' will be overwritten. Most likely, this will change the value of 'True' to a non-zero value. This will reverse the 'if (!True)' and cause the line 'printf("%s: You are a hacker\n", name);' to execute.

Other tips

This is the line that can cause buffer overflow

  buffer[i] = c;

since you are not checking whether i is within bounds before that statement.

When that happens, you are most likely going to overwrite the part of the stack frame that contains code, since there is no other function variable after buffer.

I ran the program by piping the contents of a file that contains 100 As in it to the stdin of the program. I got the following message, which confirmed my suspicion.

>> cat test-121.in | ./test-121
*** stack smashing detected ***: ./test-121 terminated
Aborted

I don't see how that could change the value of True at all.

BTW, you have:

if (!True) 
  printf("%s: You are a hacker\n", name);
else
  printf("%s: You are not a hacker\n", name);

Did you mean if (True)? You have initialized True to 0.

Update

You asked: How can you not use a return value?

Answer: the return statement is optional for main. Here's a section of the description of main from http://en.cppreference.com/w/cpp/language/main_function.

(4) The body of the main function does not need to contain the return statement: if control reaches the end of main without encountering a return statement, the effect is that of executing return 0;
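The answer above pins the overflow on `buffer[i] = c;` having no bounds check. A hardened replacement for the posted `read()` follows, added here as an example; it is not code from the question or from either answer. It keeps the same `SIZE` of 65 and a caller-supplied destination, but takes a local index instead of the global `i` (which the original never resets, so a second call would start writing at `buffer[65]` immediately) and refuses to store more than `size - 1` characters. The getchar-style callback, the in-memory source and the constructed inputs are assumptions of this example so the boundary can be exercised without touching stdin.

```c
#include <stdio.h>
#include <string.h>

enum { SIZE = 65 };

/* Pull characters through a getchar-style callback so the same bounds logic
 * can run against stdin or against a constructed in-memory string. */
typedef int (*next_char_fn)(void *ctx);

/* Reads one line into s, whose capacity is `size` bytes including the NUL.
 * At most size-1 characters are stored. Returns the number stored, or -1 if
 * the line did not fit: the excess is drained up to newline/EOF so the tail
 * cannot be mistaken for the next line by the caller. */
int read_line(next_char_fn next, void *ctx, char *s, size_t size) {
    size_t n = 0;        /* local index; the original used a global i that
                            was never reset between calls */
    int truncated = 0;
    int c;

    if (size == 0)
        return -1;
    for (;;) {
        c = next(ctx);
        if (c == EOF || c == '\n')
            break;
        if (n < size - 1)
            s[n++] = (char)c;  /* the original wrote buffer[i] unchecked */
        else
            truncated = 1;     /* keep draining, stop writing */
    }
    s[n] = '\0';
    return truncated ? -1 : (int)n;
}

/* Adapter: a constructed in-memory source (assumption of this example). */
typedef struct { const char *p; } str_src;

int str_next(void *ctx) {
    str_src *src = ctx;
    return *src->p ? (unsigned char)*src->p++ : EOF;
}

/* Adapter: real stdin, for stand-alone use of this file. */
int stdin_next(void *ctx) {
    (void)ctx;
    return getchar();
}

int main(void) {
    char name[SIZE];
    int n = read_line(stdin_next, NULL, name, sizeof name);

    if (n < 0)
        fprintf(stderr, "input too long, kept first %zu chars\n", sizeof name - 1);
    printf("%s\n", name);
    return 0;
}
```

Piping the 100-A file from the answer into this version yields the first 64 characters plus a warning on stderr instead of a stack-smash abort; the return value lets the caller decide whether a truncated name is acceptable rather than silently proceeding.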

License: CC-BY-SA with attribution
Not affiliated with StackOverflow