Im pretty bad at programming. Have an exam in a few hours and need to understand whats happening here.
Examine the code fragments below and report on three key items: a) the class/type of the vulnerability; b) the exact cause of the problem; and c) the code fix to be put in place to mitigate the vulnerability.
Code:int grab_request (char buf[], int buf_len) { int i; for (i=0; i< buf_len; i++) { /* put things into buf */ } buf[i] = ‘\0’; return i; }
Are you going to give us your thoughts on what the answers might be, or are you just waiting for the answers to be handed out?
the honest truth is i am confused. this is the answer i tried to give my lecturer. the marks havent come bac as yet so am not sure but i have an exam tomorrow.
Code #/Type Type of Vulnerability
Exact cause/Problem Mitigation 5/C Buffer overflow - If buf[] size is buf_len you will be accessing your array out of bounds when you try to insert the end of string character into the string at buf[i] = ‘\0’;. Because when you reach this point i will be equal to buf_len. Defining the size of buf_len as a constant would help to know the size of the buf_lenwould greatly help.
#define BUF_LEN 48
So that at the for loop it can appear like this
for (int i=0; i < 48; i++)
with the 48 replacing the buf_len or even leaving buf_len as is but defined.
You seem to have a decent understanding of the scenario, based on the "type of vulnerability" and "exact cause/problem." But the "mitigation" doesn't seem quite right - that's where you should focus.
Perhaps a read-up on strings will show you the right way to correct the "problem" in the original code.
how about this
1.Type of Vulnerability:Buffer Overflow. strncpy insecureCode:function foo(char * param) { char local[100]; /* do stuff */ strncpy(local, param, strlen(param)); /* do more stuff */ }
2.Cause of Problem: strncpy doesn't automatically null-terminate the string being copied into.
3.Code Fix: To safely use strncpy, one must either (1) manually stick a null character onto the result buffer, (2) know that the buffer ends with a null beforehand, and pass (length-1) to strncpy, or (3) know that the buffer will never be copied using any method that won't bound its length to the buffer length.
Think about it like this, what is the value of i when you do buf[i] = '\0' ?
1. Get rid of gets(). Never ever ever use it again. Replace it with fgets() and use that instead.
2. Get rid of void main and replace it with int main(void) and return 0 at the end of the function.
3. Get rid of conio.h and other antiquated DOS crap headers.
4. Don't cast the return value of malloc, even if you always always always make sure that stdlib.h is included.
