Thread: Buffer Overflow Question(From a Book)

  1. #1
    Registered User
    Join Date
    Feb 2011
    Posts
    5

    Buffer Overflow Question(From a Book)

    I bought a book to understand how programs work, stacks, heaps, etc. I'm still on the introduction part where it's giving you an example of a buffer overflow. The only problem is that I can't understand why my output won't match the book. I would understand it if it worked but...I can't put the pieces together. Shed some light if you could.
    Code:
    #include <stdio.h>
    #include <string.h>
    int main(int argc, char *argv[]) {
       int value = 5;
       char buffer_one[8], buffer_two[8];
       
       if (argc < 2) { /* argv[1] is dereferenced below, so require it. */
          fprintf(stderr, "usage: %s <string>\n", argv[0]);
          return 1;
       }
       
       strcpy(buffer_one, "one"); /* Put "one" into buffer_one. */
       strcpy(buffer_two, "two"); /* Put "two" into buffer_two. */
       
       printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", (void *)buffer_two, buffer_two);
       printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", (void *)buffer_one, buffer_one);
       printf("[BEFORE] value is at %p and is %d (0x%08x)\n", (void *)&value, value, value);
       
       /* strlen() returns size_t, so the matching conversion is %zu, not %d. */
       printf("\n[STRCPY] copying %zu bytes into buffer_two\n\n", strlen(argv[1]));
       strcpy(buffer_two, argv[1]); /* Copy first argument into buffer_two: no length check, so an argument longer than 7 bytes overflows. */
       
       printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", (void *)buffer_two, buffer_two);
       printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", (void *)buffer_one, buffer_one);
       printf("[AFTER] value is at %p and is %d (0x%08x)\n", (void *)&value, value, value);
       return 0;
    }
    Here are the results I have.

    [BEFORE] buffer_two is at 0x7fff494e9210 and contains 'two'
    [BEFORE] buffer_one is at 0x7fff494e9220 and contains 'one'
    [BEFORE] value is at 0x7fff494e920c and is 5 (0x00000005)

    [STRCPY] copying 10 bytes into buffer_two

    [AFTER] buffer_two is at 0x7fff494e9210 and contains '1234567890'
    [AFTER] buffer_one is at 0x7fff494e9220 and contains 'one'
    [AFTER] value is at 0x7fff494e920c and is 5 (0x00000005)

    Here is what it's supposed to look like.

    [BEFORE] buffer_two is at 0xbffff7f0 and contains 'two'
    [BEFORE] buffer_one is at 0xbffff7f8 and contains 'one'
    [BEFORE] value is at 0xbffff804 and is 5 (0x00000005)
    [STRCPY] copying 10 bytes into buffer_two
    [AFTER] buffer_two is at 0xbffff7f0 and contains '1234567890'
    [AFTER] buffer_one is at 0xbffff7f8 and contains '90'
    [AFTER] value is at 0xbffff804 and is 5 (0x00000005)

    Notice how in the after section buffer_one isn't getting overwritten.

  2. #2
    ATH0 quzah's Avatar
    Join Date
    Oct 2001
    Posts
    14,826
    The only way '1234567890' is going to end up there is if you actually called your program with that as an argument from the command line. Did you?


    Quzah.
    Hope is the first step on the road to disappointment.

  3. #3
    Registered User
    Join Date
    Feb 2011
    Posts
    5
    Yeah, I did. You can see in both examples that it started off as 'two' and went to '1234567890', but it doesn't overflow into the next char array in memory.

  4. #4
    Registered User
    Join Date
    Sep 2007
    Posts
    1,012
    The problem is that when you have a buffer overflow, you get undefined behavior, but your book is apparently expecting some specific behavior.

    There is absolutely no guarantee that buffer_one and buffer_two will be adjacent, and if they are, there is no requirement that buffer_one be right after buffer_two: it could be the other way around. I have compilers that lay them out both ways.

  5. #5
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,661
    Mmm, does this book mention any specific compiler in the title, or in the introduction?

    If so, it probably isn't worth reading.
    Books written with reference to one specific compiler all too often document the compiler, and NOT the language. Any decent book would have told you to expect absolutely ANYTHING from your tests, not a specific result.

    Now consider how many other "Well, this compiler does this...." statements which are in the book, but presented as flawed "the language does..." statements. Do you still want to waste time learning these?
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  6. #6
    Novice
    Join Date
    Jul 2009
    Posts
    568
    You can see by memory addresses that buffer_one and buffer_two are actually 10 bytes apart in your example, but 8 bytes apart in the book's example. I can't say why that is, but this is the reason why you don't see the expected overlap.

    However, the following code can give you a more reproducible behavior.
    Code:
    #include <stdio.h>
    #include <string.h>
    
    /* Members of a struct are laid out in declaration order, so buffer_one
       always follows buffer_two inside one block of memory. */
    typedef struct block
    {
      char buffer_two[8];
      char buffer_one[8];
    } BLOCK;
    
    
    int main(int argc, char **argv)
    {
      BLOCK b;
    
      if (argc < 2) { /* argv[1] is used below, so require it. */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
      }
    
      strcpy(b.buffer_one, "one");
      strcpy(b.buffer_two, "two");
    
      printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", (void *)b.buffer_two, b.buffer_two);
      printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", (void *)b.buffer_one, b.buffer_one);
    
      /* strlen() returns size_t, so print it with %zu. */
      printf("\n[STRCPY] copying %zu bytes into buffer_two\n\n", strlen(argv[1]));
      strcpy(b.buffer_two, argv[1]); /* The unchecked copy the post is demonstrating; it was missing from the original listing. */
    
      printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", (void *)b.buffer_two, b.buffer_two);
      printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", (void *)b.buffer_one, b.buffer_one);
    
      return 0;
    }
    This is because a structure will be allocated as a single block of memory, rather than two as in your example. The caveat is that this could again depend on the compiler to work.
    Disclaimer: This post shows my ignorance at the time of its making. I claim ownership of but not responsibility for all errors in it. Reference at your own peril.
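    The struct trick above makes the layout predictable, but the real fix for the program in #1 is to stop copying without a length check. The following is an added example (not code from the book, the original poster, or any reply in this thread) that keeps the BLOCK layout from post #6, shows with offsetof that buffer_one is guaranteed to sit after buffer_two, and puts the thread's unchecked strcpy next to two bounded alternatives: one that rejects oversize input and one that truncates with snprintf and reports that it did. The function names and the 10-byte input are constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Same layout as post #6. The C standard guarantees that struct members
 * are laid out in declaration order at increasing addresses, so buffer_one
 * is always after buffer_two; only the padding between them (none here,
 * since char needs no alignment) is left to the compiler. */
typedef struct block {
    char buffer_two[8];
    char buffer_one[8];
} BLOCK;

/* Reset both buffers to the thread's starting values. */
void init_block(BLOCK *b) {
    memset(b, 0, sizeof *b);
    strcpy(b->buffer_two, "two");
    strcpy(b->buffer_one, "one");
}

/* Offset of buffer_one from the start of the struct: the standard
 * guarantees it is at least sizeof buffer_two (8), and in practice it is 8. */
size_t buffer_one_offset(void) {
    return offsetof(BLOCK, buffer_one);
}

/* The thread's original copy: no length check, so an argument longer than
 * 7 characters runs past buffer_two into whatever follows it. Kept only
 * for comparison; nothing below calls it. */
void copy_unchecked(BLOCK *b, const char *src) {
    strcpy(b->buffer_two, src);
}

/* Rejecting variant: refuses input that does not fit together with its
 * terminating NUL and leaves the struct untouched.
 * Returns 0 on success, -1 when the input was rejected. */
int copy_checked(BLOCK *b, const char *src) {
    size_t len = strlen(src);
    if (len >= sizeof b->buffer_two)
        return -1;
    memcpy(b->buffer_two, src, len + 1);
    return 0;
}

/* Truncating variant: snprintf never writes past the buffer and always
 * NUL-terminates. Its return value is the length the full string needed,
 * so a result >= sizeof buffer_two tells the caller truncation happened. */
int copy_truncating(BLOCK *b, const char *src) {
    return snprintf(b->buffer_two, sizeof b->buffer_two, "%s", src);
}

/* Cheap post-copy check: did the neighbouring member survive? */
int neighbour_intact(const BLOCK *b) {
    return strcmp(b->buffer_one, "one") == 0;
}

int main(void) {
    /* Constructed input: the same 10-byte argument used in the thread. */
    const char *input = "1234567890";
    BLOCK b;
    int needed;

    printf("buffer_two at offset %zu, buffer_one at offset %zu\n",
           offsetof(BLOCK, buffer_two), buffer_one_offset());

    init_block(&b);
    if (copy_checked(&b, input) == -1)
        printf("[CHECKED] rejected %zu-byte input; buffer_one still '%s'\n",
               strlen(input), b.buffer_one);

    init_block(&b);
    needed = copy_truncating(&b, input);
    printf("[TRUNC] buffer_two now '%s' (needed %d bytes); neighbour intact: %d\n",
           b.buffer_two, needed, neighbour_intact(&b));
    return 0;
}
```

    Compile with the usual `cc -Wall -Wextra` and run it with no arguments; the input is built in. Note that copy_checked treats the NUL terminator as part of the required space, which is the off-by-one that strncpy-based fixes commonly get wrong.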

  7. #7
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    The point is, you probably won't get the same output as the book because the behavior is undefined. That is, we cannot be sure what will happen or when and how.
    Quote Originally Posted by Adak:
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem:
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.
