Avoiding Buffer Overflows

Buffer overflows are a fertile source of bugs and malicious attacks. They occur when a program attempts to write data past the end of a buffer. Consider this example:


int main()


char buff[15] = {0}; /*zero initialize all elements*/

printf("enter your name: ");

scanf(buff, "%s"); /*dangerous, length unchecked*/


The program reads a string from the standard input (the keyboard) but doesn't check the string's length. If the string has more than 14 characters, then it causes a buffer overflow as scanf() tries to write the remaining characters past buff's end (remember that one character is always reserved for a null terminator). The result is most likely a segmentation fault that crashes the program. In certain conditions, the users will receive a shell's prompt after the crash. Even if the shell has restricted privileges, they can examine the values of environment variables, list the current directory files or detect the network with the ping command.

A more dangerous situation evolves when the program doesn't crash due to a buffer overflow though. An expert familiar the system's internals can craft a string that is just long enough to overwrite the program's IP (instruction pointer, a pointer to the program's next instruction). If the last 4 bytes of such a string contain a valid memory address, then the program's flow can be altered. Instead of executing the next instruction, the program will execute the code to which the new IP points. It might call another routine or skip code that performs security checks. I will not go through the gory details here, but this isn't an unlikely scenario.

Some famous break-ins are based on exploiting such buffer overflows. One well-documented example is the Red Hat 4.2 suiperl bug, which resulted from using the function sprintf() (see http://www.ryanspc.com/exploits/perl.txt for further information).

What can you do to avert buffer overflows? Always check the bounds of an array before writing it to a buffer. If this is impossible (e.g., when the input is coming from a CGI script), then use functions that limit the number of input characters. For instance, instead of using scanf(), use the fgets() function, which reads characters up to a specified limit:

int main()


char buff[15] = {0};

fgets(buff, sizeof(buff), stdin); /*read at most 14 chars*/


Additionally, the standard string functions have versions that take an explicit size limit. Thus, instead of strcpy(), strcmp(), and sprintf (), use strncpy(), strncmp(), and snprint(), respectively.

Join the newsletter!

Error: Please check your email address.

More about AvertINSRed Hat

Show Comments