Avoiding Buffer Overflows
Buffer overflows are a fertile source of bugs and malicious attacks.
They occur when a program attempts to write data past the end of a
buffer. Consider this example:
#include
int main()
{
char buff[15] = {0}; /*zero initialize all elements*/
printf("enter your name: ");
scanf(buff, "%s"); /*dangerous, length unchecked*/
}
The program reads a string from the standard input (the keyboard) but
doesn't check the string's length. If the string has more than 14
characters, then it causes a buffer overflow as scanf() tries to write
the remaining characters past buff's end (remember that one character
is always reserved for a null terminator). The result is most likely a
segmentation fault that crashes the program. In certain conditions, the
users will receive a shell's prompt after the crash. Even if the shell
has restricted privileges, they can examine the values of environment
variables, list the current directory files or detect the network with
the ping command.
A more dangerous situation evolves when the program doesn't crash due
to a buffer overflow though. An expert familiar the system's internals
can craft a string that is just long enough to overwrite the program's
IP (instruction pointer, a pointer to the program's next instruction).
If the last 4 bytes of such a string contain a valid memory address,
then the program's flow can be altered. Instead of executing the next
instruction, the program will execute the code to which the new IP
points. It might call another routine or skip code that performs
security checks. I will not go through the gory details here, but this
isn't an unlikely scenario.
Some famous break-ins are based on exploiting such buffer overflows.
One well-documented example is the Red Hat 4.2 suiperl bug, which
resulted from using the function sprintf() (see
http://www.ryanspc.com/exploits/perl.txt for further information).
What can you do to avert buffer overflows? Always check the bounds of
an array before writing it to a buffer. If this is impossible (e.g.,
when the input is coming from a CGI script), then use functions that
limit the number of input characters. For instance, instead of using
scanf(), use the fgets() function, which reads characters up to a
specified limit:
int main()
{
char buff[15] = {0};
fgets(buff, sizeof(buff), stdin); /*read at most 14 chars*/
}
Additionally, the standard string functions have versions that take an
explicit size limit. Thus, instead of strcpy(), strcmp(), and sprintf
(), use strncpy(), strncmp(), and snprint(), respectively.
» posted by ITworld staff
ITworld
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
