Segmentation fault

Here's the deal I'm not getting a segmentation fault when I'm suppose to.

Code:

#include <stdio.h> 
 
int call_me(void) 
{ 
  char buffer[10]; 
  scanf("%s", buffer); 
  printf("%s\n", buffer); 
  return 0; 
} 
 
int main(void) 
{ 
  call_me(); 
  return 0; 
}

Memory is accessed in words (4 bytes or 32 bits) so buffer[10] is really 12 bytes. Ok, so anything over 12 should overflow it and give a segmentation fault, correct? Well, this is not the case....

Code:

[nouse@localhost nouse]$ gcc -o vuln vuln.c
[nouse@localhost nouse]$ ./vuln
AAAABBBBCCCCDDDD
AAAABBBBCCCCDDDD
[nouse@localhost nouse]$ ./vuln
AAAABBBBCCCCDDDDEEEE
AAAABBBBCCCCDDDDEEEE
[nouse@localhost nouse]$ ./vuln
AAAABBBBCCCCDDDDEEEEFFFF
AAAABBBBCCCCDDDDEEEEFFFF
Segmentation fault
[nouse@localhost nouse]$

So the first attempt I use 16 bytes which should overflow the buffer (12 bytes) and sfp (saved frame pointer (4 bytes)) there after. Doesn't do it. Next, I use 20 bytes, which should overflow the buffer, spf, and ret (saved ip (4 bytes)). Finally, after 24 bytes I get a seg fault. 24 bytes to overflow a 12 byte buffer? What's going on?

Also, gdb isn't working with me either. I try to check my registers to see what's going on but it says there arn't any.

Code:

[nouse@localhost nouse]$ gdb vuln
GNU gdb 5.3-22mdk (Mandrake Linux)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu"...
(gdb) info registers
The program has no registers now.
(gdb)

I must be missing something? Thanks for any help.

It's not guaranteed to generate a segfault if you write past the end of a buffer. It's just guaranteed to give "undefined results". Why are you trying to define an undefined result? There's no purpose in this type of exercise unless you're trying to do something malicious or some pointless trick.

EDIT: BTW, the reason "gdb isn't working" is because you're using it incorrectly. The program has to be running to get register information. Try using breakpoints.

Something like this:

Code:

itsme@itsme:~/C$ gdb malicious
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) list
4       {
5         char buffer[10];
6         scanf("%s", buffer);
7         printf("%s\n", buffer);
8         return 0;
9       }
10
11      int main(void)
12      {
13        call_me();
(gdb) break 6
Breakpoint 1 at 0x80483ba: file malicious.c, line 6.
(gdb) break 7
Breakpoint 2 at 0x80483cd: file malicious.c, line 7.
(gdb) run
Starting program: /home/itsme/C/malicious

Breakpoint 1, call_me () at malicious.c:6
6         scanf("%s", buffer);
(gdb) info registers
eax            0x10     16
ecx            0x4      4
edx            0xb7fd0b40       -1208153280
ebx            0xb7fcf60c       -1208158708
esp            0xbffff720       0xbffff720
ebp            0xbffff748       0xbffff748
esi            0xb8000900       -1207957248
edi            0xbffff7b4       -1073743948
eip            0x80483ba        0x80483ba
eflags         0x282    642
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0
(gdb) continue
Continuing.
foo

Breakpoint 2, call_me () at malicious.c:7
7         printf("%s\n", buffer);
(gdb) info registers
eax            0x1      1
ecx            0x0      0
edx            0x1      1
ebx            0xb7fcf60c       -1208158708
esp            0xbffff720       0xbffff720
ebp            0xbffff748       0xbffff748
esi            0xb8000900       -1207957248
edi            0xbffff7b4       -1073743948
eip            0x80483cd        0x80483cd
eflags         0x246    582
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0
(gdb) quit

Originally Posted by itsme86

It's not guaranteed to generate a segfault if you write past the end of a buffer. It's just guaranteed to give "undefined results". Why are you trying to define an undefined result? There's no purpose in this type of exercise unless you're trying to do something malicious or some pointless trick.

EDIT: BTW, the reason "gdb isn't working" is because you're using it incorrectly. The program has to be running to get register information. Try using breakpoints.

Something like this:

Code:

itsme@itsme:~/C$ gdb malicious
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) list
4       {
5         char buffer[10];
6         scanf("%s", buffer);
7         printf("%s\n", buffer);
8         return 0;
9       }
10
11      int main(void)
12      {
13        call_me();
(gdb) break 6
Breakpoint 1 at 0x80483ba: file malicious.c, line 6.
(gdb) break 7
Breakpoint 2 at 0x80483cd: file malicious.c, line 7.
(gdb) run
Starting program: /home/itsme/C/malicious

Breakpoint 1, call_me () at malicious.c:6
6         scanf("%s", buffer);
(gdb) info registers
eax            0x10     16
ecx            0x4      4
edx            0xb7fd0b40       -1208153280
ebx            0xb7fcf60c       -1208158708
esp            0xbffff720       0xbffff720
ebp            0xbffff748       0xbffff748
esi            0xb8000900       -1207957248
edi            0xbffff7b4       -1073743948
eip            0x80483ba        0x80483ba
eflags         0x282    642
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0
(gdb) continue
Continuing.
foo

Breakpoint 2, call_me () at malicious.c:7
7         printf("%s\n", buffer);
(gdb) info registers
eax            0x1      1
ecx            0x0      0
edx            0x1      1
ebx            0xb7fcf60c       -1208158708
esp            0xbffff720       0xbffff720
ebp            0xbffff748       0xbffff748
esi            0xb8000900       -1207957248
edi            0xbffff7b4       -1073743948
eip            0x80483cd        0x80483cd
eflags         0x246    582
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0
(gdb) quit

I wasn't saying "gdb isn't working" I was saying "gdb isn't working for me" implying that I'm doing something wrong, so no need to be so condescending. I appreciate you help though. Also, I figured out that it isn't entirely necessary to set breakpoints, all you have to do is "run" it.

Also, I'm not doing anything malicious. Just learning.

Good day. Thanks again for your help.

I wasn't trying to be condescending. I suggested breakpoints so you could check the registers at specific lines in your code. Just make sure you compile your program with the -g option.

Oh I see. Thanks.