Smashing The Stack

This is a discussion on Smashing The Stack within the Linux Programming forums, part of the Platform Specific Boards category; Hi all. I have a program like this: Code: #include <stdio.h> #include <stdlib.h> #include <string.h> int check(char *password){ int auth_flag ...

  1. #1
    Registered User
    Join Date
    Feb 2008
    Posts
    3

    Smashing The Stack

    Hi all.

    I have a program like this:

    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    int check(char *password){
    	int auth_flag = 0;
    	char passw_buffer[16];
    
    	strcpy(passw_buffer,password);
    
    	if(strcmp(passw_buffer,"brullig") == 0)
    		auth_flag = 1;
    	if(strcmp(passw_buffer,"outgrabe") == 0)
    		auth_flag = 1;
    
    	return auth_flag;
    }
    int main(int argc, char *argv[]){
    
    	if(check(argv[1]))
    		printf("Access granted\n");
    	else
    		printf("Access denied\n");
    
    	return 0;
    }
    When I enter a big string in command-line, I get this:
    Code:
    spitz@nerdbox:~/Documents/BP> ./auth_overflow AAAAAAAAAAAAAAAAAAAAA
    Access granted
    I understand it, because my stack looks like this:

    [Bottom of stack/High Memory Adresses] auth_flag | buffer [top of stack / lower memory adresses].

    But then I switch auth_flag en buffer declaration like this:
    Code:
    int check(char *password){
    
    	char passw_buffer[16];
    	int auth_flag = 0;
    
    	strcpy(passw_buffer,password);
    
    	if(strcmp(passw_buffer,"brullig") == 0)
    		auth_flag = 1;
    	if(strcmp(passw_buffer,"outgrabe") == 0)
    		auth_flag = 1;
    
    	return auth_flag;
    }
    int main(int argc, char *argv[]){
    
    	if(check(argv[1]))
    		printf("Access granted\n");
    	else
    		printf("Access denied\n");
    
    	return 0;
    }
    When I run it again with a long string I get this:

    Code:
    spitz@nerdbox:~/Documents/BP> ./auth_overflow2 AAAAAAAAAAAAAAAAAAAAA
    Access granted
    How is it possible that the AAAA has overwritten the auth_flag int?

    I tought the stack in the second example would look like this:

    [Bottom Of Stack/High Memory Addresses] buffer | auth_flag [Top of Stack/ Low memory adresses]


    Can anyone explain me how it's possible that auth_flag got overwritten?


    Thanks in advance!

    PS: I'm using OpenSUSE 11.1, gcc version 4.3

  2. #2
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Why don't you use gcc -S to understand what the actual code does, and see how it is arranged yourself?

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. stack and pointer problem
    By ramaadhitia in forum C Programming
    Replies: 2
    Last Post: 09-11-2006, 11:41 PM
  2. Question about a stack using array of pointers
    By Ricochet in forum C++ Programming
    Replies: 6
    Last Post: 11-17-2003, 09:12 PM
  3. error trying to compile stack program
    By KristTlove in forum C++ Programming
    Replies: 2
    Last Post: 11-03-2003, 05:27 PM
  4. What am I doing wrong, stack?
    By TeenyTig in forum C Programming
    Replies: 2
    Last Post: 05-27-2002, 02:12 PM
  5. Stack Program Here
    By Troll_King in forum C Programming
    Replies: 7
    Last Post: 10-15-2001, 05:36 PM

Tags for this Thread


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21