buffer overflow

**zaccameron** · 09-23-2020

Im pretty new to c programming, but this program seems pretty simple. Its supposed to introduce some easy buffer overflow. I can spot the 14 bytes reserved for answer but actually being allowed 20 bytes pretty easily. Im wondering how can this be used to guess the value of the guess in the program?I have attached some sample output which has left me pretty confused. The printf's have been added by me to try and help me figure it out

Code:

int main()
{
    int n = 0;
    int guess=0;
    char answer[14];


    srand(time(0)); 
    do {
        guess = rand();
    printf("actual is %d ", guess);
        printf("Input a number: ");
        fgets(answer,20,stdin);
    printf("actual is %d ", guess);
        n = atoi(answer);
    printf("");
    printf("guess is %d", n);
        if(n == guess) {
            break;
        } 
        printf("Incorrect! Guess again (y/n)? ");
        fgets(answer,4,stdin);
    }
    while(answer[0] == 'y');


    return 0;
}

**Salem** · 09-23-2020

Try printing your guesses in hex.
It's a bit more obvious which bytes of your guess are being messed with by your string overflow.

**flp1969** · 09-23-2020

It is not true if you allocate an array of 14 bytes it will ocuppy 14 bytes on stack... It can ocupy from 16 to 32 bytes, depending on optimizations, platform and alignment.

It is not true that local objects of 'primitive' types are allocated on stack. They can be allocated on registers, by the compiler.

**john.c** · 09-23-2020

This works for me (without optimizations).

Code:

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
 
int main()
{
    int n = 0;
    int guess=0;
    char answer[14];
 
    srand(time(0)); 
    guess = rand();
 
    do {
        unsigned char *p = (unsigned char*)&guess;
        printf("actual is %d", guess);
        printf("  (%02x %02x %02x %02x)\n", p[0], p[1], p[2], p[3]);
 
        printf("Input a number: ");
        fgets(answer, 20, stdin); // enter: 808464432     0000
                                  // (that's 5 spaces before the zeroes)
        p = (unsigned char*)&guess;
        printf("actual is %d", guess);
        printf("  (%02x %02x %02x %02x)\n", p[0], p[1], p[2], p[3]);
 
        n = atoi(answer);
        printf("guess is %d\n", n);
        if (n == guess)
            break;
 
        printf("Incorrect! Guess again (y/n)? ");
        fgets(answer, 4, stdin);
    }
    while (answer[0] == 'y');
 
    return 0;
}

Note that the ascii code for '0' is 0x30, and 0x30303030 is 808464432.
(Obviously I'm assuming 4-byte ints and that guess starts right after the 14-byte answer array, which seems to be the case for me.)

Have you given up on the other program?
Do you know the answer?
If there is an online link associated with it, post it.

Also, always post an entire program, complete with headers.
And avoid posting pictures. Instead, copy and paste the text of terminal output.

**flp1969** · 09-23-2020

One thing to notice on John's code:

Code:

...
int main()
{
    int n = 0;
    int guess=0;
    char answer[14];
 
    srand(time(0)); 
    guess = rand();
 
    do {
        // this *probably* forces guess to be allocated on the stack,
        // because you cannot take an address of a register...
        unsigned char *p = (unsigned char*)&guess;

        printf("actual is %d", guess);

        // ... and you need to use that pointer somewhere, so the compiler,
        // don't optimize the code and get rid of it.
        printf("  (%02x %02x %02x %02x)\n", p[0], p[1], p[2], p[3]);

        printf("Input a number: ");
        fgets(answer, 20, stdin); // enter: 808464432     0000
                                  // (that's 5 spaces before the zeroes)
...

Without that pointer trick, 'guess' could be allocated in a register and the code don't work.

Anyway... it was a nice demonstration from John...

**john.c** · 09-23-2020

@flp1969, that's an interesting point. However, without optimization, it still works even without the pointer (and getting rid of the printing of individual bytes). I think non-optimized code usually just sticks everything on the stack.

Interestingly, with optimizations (-O2 on clang), it doesn't work even with the pointer. Although this could have been due to the value being stored on the stack in a different position so that the trick no longer works, looking at the assembly code, it actually keeps the main value in a register and stores the separate bytes in four other registers! (The pointer disappears.)

There's no easy way to know what's going on under the hood these days without actually looking.

**flp1969** · 09-23-2020

Originally Posted by john.c

There's no easy way to know what's going on under the hood these days without actually looking.

Code:

███████████████████████████████████████
█████████████▓▒░░░░░░░░▒███████████████
███████████▓░░░░░░░░░░░░░▒█████████████
██████████▒░░░▓▓░░░░░░░░░░░▓███████████
█████████░░░░████░░░░░░░░░░░▒██████████
████████░░░░▓█┌┌██░░░░░░░░░░░░█████████
███████░░░░░█▓┌┌┌██░░░░░░░░░░░▒████████
██████░░░░░░▓▓┌┌┌┌█▒░░░░░░░░░░░▓███████
████▓░░░░░░░░█┌┌┌┌┌█░░░░░░░░░░░░░██████
████░░░░░░░░░█▒┌┌┌┌█▓░░░░░░░░░░░░▓█████
███▓░░░░░░░░░█▓┌┌┌┌▓█░░░░░░░░░░░░░█████
███░░░░░░░░░░▓█┌┌┌┌░█░░░░░░░░░░░░░▓████
██▓░░░░░░░░░░▓█┌┌┌┌▒█░░░░░░░░░░░░░░████
██▒░░░░░░░░░░▒█┌┌┌┌▓█░░░░░░░░░░░░░░▓███
██░░░░░░░░░░░▒█┌┌┌┌▓▓░░░░░░░░░░░░░░▒███
█▓░░░░░░░░░░░▓█┌┌┌┌█▓░░▒▒▒░░░░░░░░░░███
█▒░░░░░░░░░░░█▓┌┌┌┌▓█████████▓░░░░░░███
█░░░░░░░░░░░░█░┌┌┌┌┌█▒┌┌┌┌░▒███▓░░░░███
█░░░░░░░░░░░▓█┌┌┌┌┌┌█┌┌┌┌░▓▓┌┌▒██░░░███
█░░░░░░░░░░░█▒┌┌┌┌┌┌█░┌▓██▓▒┌┌┌┌██░░███
█░░░░░░░░░░▓█┌┌┌┌┌┌┌█┌▓█▒┌┌┌┌┌┌┌┌█░░███
█░░░░░░░░░▒█┌┌┌┌┌┌┌░██▓┌┌┌┌┌┌┌┌┌░█░░███
█░░░░░░░░░█▓┌┌┌┌┌┌┌████┌┌┌┌┌┌┌┌▒█▓░░███
█░░░░░░░░░█░┌┌┌┌┌┌┌█░┌██▒┌┌┌▒██▓▒█░░███
█░░░░░░░░▒█┌┌┌┌┌┌┌┌┌┌┌░███████░┌┌█▒░███
█░░░░░░░░▓█┌┌┌┌┌┌┌┌┌┌▒█┌┌┌┌┌┌┌┌┌┌▓▓░███
█░░░░░░░░█▓┌┌┌┌┌┌┌┌┌▓█┌┌┌┌┌┌┌┌┌┌┌█▓░███
█░░░░░████▒┌┌┌┌┌┌┌┌┌░█┌┌┌┌┌┌┌┌┌▒██░░███
█░░░░▓██▓█┌┌┌┌┌┌┌┌┌┌┌██▓░┌░▒▓██▓█▓░░███
█░░░░██┌┌█┌┌┌┌┌┌┌┌┌┌░▓▒██████▓┌┌┌█░░███
█▓░░░█▒┌░█┌┌┌┌┌┌┌┌┌┌▓█┌┌┌┌┌┌┌┌┌┌▒█░░███
██░░░█▒┌┌█┌┌┌┌┌┌┌┌┌▓███┌┌┌┌┌┌┌┌┌█▓░▒███
██▒░░▓▓┌┌█▒┌┌┌┌┌┌┌┌█░┌██▒┌┌┌┌┌░██░░████
███░░▒█┌┌▒█┌┌┌┌┌┌┌┌█┌┌┌▓███▓████▒░░████
███░░░█▓┌┌█▓┌┌┌┌┌┌┌█▒┌┌┌┌▓███▓░█░░▓████
███▓░░▒█┌┌┌█▓┌┌┌┌┌┌▒█┌┌┌┌┌┌┌┌┌▓█░░█████
█████░░░█▓┌┌┌▓██▓┌┌┌┌█▓░┌┌┌▒██▒░░██████
█████▓░░░██┌┌┌█████▒┌┌▓█████▓░░░███████
██████░░░░█████▒░▒████████▓░░░░▓███████
███████░░░░▓██▓░░░░░░▒▒░░░░░░░▒████████
████████░░░░░░░░░░░░░░░░░░░░░▒█████████
██████████▒░░░░░░░░░░░░░░░░▓███████████
████████████▒░░░░░░░░░░░░▒█████████████

Thread: buffer overflow

Thread Tools

Search Thread

Display

buffer overflow

Similar Threads

Buffer Overflow

buffer overflow detected

buffer overflow

Buffer overflow errors

Tags for this Thread