Thread: Overflow example and order of memory allocation

  1. #1
    Registered User
    Join Date
    Jul 2012
    Posts
    55

    Overflow example and order of memory allocation

    Small code to show overflow

    But when I compile and run - buffer_one is not being overwritten when the byte size of buffer_two overflows - can someone please explain why?

    Code:
    #include <stdio.h>
    #include <string.h>
    
    int main(int argc, char *argv[]) {
      int value = 5;
      char buffer_one[8], buffer_two[8];
    
      strcpy(buffer_two, "two");    //Put "two" into buffer_two
      strcpy(buffer_one, "one");    //Put "one" into buffer_one
    
      printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
      printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
      printf("[BEFORE] value is at %p and is %d (0x%08x)\n", &value, value, value);
    
      printf("\n[STRCPY] copying %zu bytes into buffer_two\n\n", strlen(argv[1]));
      strcpy(buffer_two, argv[1]);  //Copy first argument into buffer_two.
    
      printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
      printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
      printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value);
    }
    user@ubuntu:~/examples$ ./overflow_example 1234567890
    [BEFORE] buffer_two is at 0x7fff918ff210 and contains 'two'
    [BEFORE] buffer_one is at 0x7fff918ff200 and contains 'one'
    [BEFORE] value is at 0x7fff918ff1fc and is 5 (0x00000005)

    [STRCPY] copying 10 bytes into buffer_two

    [AFTER] buffer_two is at 0x7fff918ff210 and contains '1234567890'
    [AFTER] buffer_one is at 0x7fff918ff200 and contains 'one'
    [AFTER] value is at 0x7fff918ff1fc and is 5 (0x00000005)
    *** stack smashing detected ***: ./overflow_example terminated
    Aborted (core dumped)
    Last edited by sjmp; 07-11-2013 at 03:14 PM.

  2. #2
    Registered User
    Join Date
    Nov 2010
    Location
    Long Beach, CA
    Posts
    5,909
    Quote Originally Posted by sjmp
    But when I compile and run - buffer_one is not being overwritten when the byte size of buffer_two overflows - can someone please explain why?
    The standard makes no guarantee that local variables appear on the stack in the order they are declared. Some systems/implementations do this. Many modern systems randomize variable locations specifically to help make buffer overflow attacks difficult. The only thing the standard does guarantee is that writing outside the bounds of an array will result in undefined behavior, which can almost be viewed as a complete lack of guarantee.
    Quote Originally Posted by sjmp
    Also - why is the int variable argc declared in this example. I don't see it ever used.
    You have two choices for main: no arguments, or argc and argv. You may not use argc, but it has to be there if you want to use argv. It gives you the length of argv, to make iterating through all the arguments in argv easier.

  3. #3
    Registered User
    Join Date
    Jul 2012
    Posts
    55
    Thank you - very clear.

  4. #4
    Registered User
    Join Date
    Apr 2013
    Posts
    1,658
    Note the addresses from your print statements. The order of the variables was reversed on the stack, so buffer_one is "below" buffer_two, and "above" buffer_two is the portion of the stack used for main(), including the return address of whatever code called main.
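
Added example, not part of the thread: using the addresses printed in post #1, this checks whether the 11 bytes strcpy wrote (10 characters plus the terminating NUL) could touch buffer_one or value, and shows a bounded copy that truncates instead of overflowing. The helper names write_reaches, bounded_copy and report_layout are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if writing `len` bytes upward from `dst` touches any byte of
 * the object at [obj, obj + obj_size). Addresses are passed as integers so
 * no out-of-bounds pointer is ever formed or dereferenced. */
static int write_reaches(uint64_t dst, uint64_t len, uint64_t obj, uint64_t obj_size) {
    return dst < obj + obj_size && obj < dst + len;
}

/* Bounded copy: always NUL-terminates and returns 1 if src was truncated. */
static int bounded_copy(char *dst, size_t dst_size, const char *src) {
    int needed = snprintf(dst, dst_size, "%s", src);
    return needed < 0 || (size_t)needed >= dst_size;
}

/* Prints where this build placed the three locals; the order is the
 * compiler's choice and may differ from the run in post #1. */
static void report_layout(void) {
    int value = 5;
    char buffer_one[8], buffer_two[8];
    printf("buffer_two %p\nbuffer_one %p\nvalue      %p\n",
           (void *)buffer_two, (void *)buffer_one, (void *)&value);
}

int main(void) {
    /* Addresses copied from the run shown in post #1. */
    const uint64_t two = 0x7fff918ff210, one = 0x7fff918ff200, val = 0x7fff918ff1fc;
    const uint64_t written = strlen("1234567890") + 1;  /* strcpy also writes the NUL */

    /* The write runs toward higher addresses; both other locals sit lower. */
    printf("reaches buffer_one: %d\n", write_reaches(two, written, one, 8));
    printf("reaches value:      %d\n", write_reaches(two, written, val, sizeof(int)));
    printf("bytes past buffer_two: %llu\n", (unsigned long long)(written - 8));

    char safe[8];
    int cut = bounded_copy(safe, sizeof safe, "1234567890");
    printf("bounded copy -> '%s' (truncated=%d)\n", safe, cut);
    report_layout();
    return 0;
}
```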
