#include <stdio.h>
#include <string.h>
#include <stdlib.h>
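/*
 * Demo of a heap buffer *underflow*.
 *
 * When cond is non-zero the function writes one byte just before the
 * start of the malloc'd block and then prints from that address. Both
 * the write and the subsequent read are undefined behaviour; the byte
 * presumably lands in allocator bookkeeping, which is why (as the author
 * notes) the program tends not to crash here. The cond != 0 path is the
 * deliberate lesson and is left exactly as written.
 *
 * Two incidental defects are fixed: a failed malloc used to fall through
 * and dereference NULL, and strncpy(dest, src, strlen(src)) left dest
 * without a terminator, so even cond == 0 read uninitialised heap bytes.
 *
 * @param cond  0 for the well-behaved path, non-zero to trigger the bug.
 */
static void read_underflow(int cond)
{
	enum { DEST_SZ = 25 };
	char *dest, src[] = "abcd56789", *orig;

	printf("%s(): cond %d\n", __func__, cond);
	dest = malloc(DEST_SZ);
	if (!dest) {
		/* Bail out instead of continuing with a NULL pointer. */
		printf("malloc failed\n");
		return;
	}
	orig = dest;
	/* snprintf always NUL-terminates when the size is > 0. */
	snprintf(dest, DEST_SZ, "%s", src);
	if (cond) { /* Bug, below.. */
		*(orig-1) = 'x';
		dest --;
	}
	printf(" dest: %s\n", dest);
	/* Free the pointer malloc returned, not the decremented one. */
	free(orig);
}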
//It does not even crash. At first glance, bugs such as this might appear fairly harmless—the truth, though, is that this is a really dangerous bug!
/*
 * Demo of heap buffer over-write and over-read (deliberately buggy).
 *
 * arr is a 5-byte allocation. Every access at index >= 5 below is
 * undefined behaviour: the stores to arr[5..10] write past the block,
 * and printf("%s") then reads until it happens to find a NUL, so it can
 * disclose whatever memory follows the block. The reads at +100 and
 * +10000 go further still and may or may not fault depending on the
 * heap layout. AddressSanitizer / Valgrind flag each of these accesses.
 */
static void read_overflow_dynmem(void)
{
char *arr;
arr = malloc(5);
if (!arr)
/* NOTE(review): prints but does not return, so memset() below would
 * dereference NULL on allocation failure. */
printf("malloc failed\n");
memset(arr, 'a', 5);
/* Bug 1: Steal secrets via a buffer overread.
* Ensure the next few bytes are _not_ NULL.
* Ideally, this should be caught as a bug by the compiler,
* but isn't! (Tools do; seen later).
*/
/* Out-of-bounds writes: the block is only 5 bytes long. */
arr[5] = 'S'; arr[6] = 'e'; arr[7] = 'c';
arr[8] = 'r'; arr[9] = 'e'; arr[10] = 'T';
/* No NUL within the 5 bytes, so %s keeps reading past the block. */
printf("arr = %s\n", arr);
/* Bug 2, 3: more read buffer overflows */
printf("*(arr+100)=%d\n", *(arr + 100));
printf("*(arr+10000)=%d\n", *(arr + 10000));
free(arr);
}
//We deliberately do not NUL-terminate the first buffer (but do terminate the second one), so the printf(3) that prints arr continues reading into the second buffer, tmp. What if tmp contains secrets?
/*
 * Demo of a stack buffer over-read (deliberately buggy).
 *
 * arr is filled with 16 'a' bytes and never NUL-terminated; tmp is
 * terminated at tmp[15]. printf("%s", arr) therefore reads past the end
 * of arr, which is undefined behaviour. The author's intent is that tmp
 * sits right after arr on the stack so its contents get printed too, but
 * the actual layout is compiler-dependent — TODO confirm on the target
 * toolchain. Detectable with -fsanitize=address.
 */
static void read_overflow_compilemem(void)
{
char arr[16], tmp[16];
memset(arr, 'a', 16);
memset(tmp, 't', 16);
tmp[15] = '\0'; /* only tmp gets a terminator */
printf("arr = %s\n", arr); /* Bug: read buffer overflow */
}
/* Entry point: runs one memory-bug demo at a time; toggle the comments
 * to select which one. Always exits successfully. */
int main(void)
{
	read_overflow_compilemem();
	//read_overflow_dynmem();
	//read_underflow(0);
	//read_underflow(1);
	return EXIT_SUCCESS;
}