i have problem with my code...

**jayton** · 02-14-2005

Hello,

I have written a small password program but was told that it is insecure and that a buffer overflow could be executed with it.
I have tried to secure it by using help I found on this site.

The problem occurs only when I enter the wrong username and correct password. The out put is like this:
C:\Dev-Cpp\jayton>pass4

Username: root //correct username

Password: toor //correct password

Welcome

C:\Dev-Cpp\jayton>pass4

Username: flag //wrong username
toor //does'nt ask for password, this is the correct password

Welcome

Code:

/***** code starts here ******/
//pass5.c    
// http://faq.cprogramming.com/cgi-bin/smartfaq.cgi?answer=1057537653&id=1043284385


#include <stdio.h> 
#include <string.h> 

int main(void)
{
  char user1[] = "root";
  char user2[6];
  char pass1[] = "toor";
  char pass2[6];  
  char *p = strchr(user2, '\n');
  char *p2 = strchr(pass2, '\n');
  
  printf ("\nUsername: ");
  fflush(stdout);
  if (fgets(user2, sizeof(user2), stdin))
  {
         if (p) *p = '\0';
    
    printf ("\nPassword: "); 
    fflush(stdout);
    if (fgets(pass2, sizeof(pass2), stdin))
  {

     // printf ("\nyou entered %s as your username\n", user2); // uncomment this for testing purposes.
     
    if (p2) *p2 = '\0';
    if (strcmp(user1, user2) == 0)
    if (strcmp(pass1, pass2) == 0)
      printf ("\nWelcome!\n", user1);

    else
      printf ("\nInvalid username and/or password!\n");
  }}
  
  return 0;
}


/***** code ends here *****/

thanks in advance,
Jayton

**Prelude** · 02-14-2005

Your logic seems to be flawed with the if statements. Remember that without braces, an else clause will always bind to the nearest if clause. But the biggest problem is that you call strchr on uninitialized arrays:

Code:

#include <stdio.h> 
#include <string.h> 

int main(void)
{
  char user1[] = "root";
  char user2[6];
  char pass1[] = "toor";
  char pass2[6];  

  printf ("\nUsername: ");
  fflush(stdout);
  if (fgets(user2, sizeof(user2), stdin))
  {
    char *p = strchr(user2, '\n');
    if (p) *p = '\0';

    printf ("\nPassword: "); 
    fflush(stdout);
    if (fgets(pass2, sizeof(pass2), stdin))
    {
      char *p2 = strchr(pass2, '\n');
      if (p2) *p2 = '\0';
      if (strcmp(user1, user2) == 0) {
        if (strcmp(pass1, pass2) == 0)
          printf ("\nWelcome!\n", user1);
      }
      else
        printf ("\nInvalid username and/or password!\n");
    }
  }

  return 0;
}

[edit]
By the way, toor is a really bad password. Especially for a user named root.

[/edit]

**jayton** · 02-14-2005

Thanks for getting back,

Good point, I have recompiled the code you posted and ran the program and found that when you enter the username correct and password wrong it does not print "Invalid and/or password!" Now does this mean that the program aborted for some reason or is not parsing the data correctly or skipping the last printf statement?

The username/password do not matter as they can be changed to suit the needs of the user implementing the program.

**Prelude** · 02-14-2005

>Now does this mean that the program aborted for some reason or is not parsing
It means I forgot to add all of the code I meant to.

If you print the error for the outer if statement then nothing will be printed if the password is incorrect. If you print the error for the inner if statement then nothing will be printed if the user name is incorrect. So you need to print the error for both:

Code:

if (strcmp(user1, user2) == 0) {
  if (strcmp(pass1, pass2) == 0)
    printf ("\nWelcome!\n", user1);
  else
    printf ("\nInvalid username and/or password!\n");
}
else
  printf ("\nInvalid username and/or password!\n");

**jayton** · 02-15-2005

Hello,
I've added comments and used strncmp instead of strcmp, the thing I want to know is if this program is buffer-overflow free?

Also does anyone know how to test if my programs are at risk of being exploited? or do you know of a website that discusses this?

Code:

#include <stdio.h> 
#include <string.h> 
//#include <signal.h>  //uncomment this to disable ctrl-c on UNIX type systems, but ctrl-z will still work.

int main(void)
{
  char user1[] = "root";    //Change this to the username you want to use to login with.
  char user2[6];            //Number of char's in variable user1 + 2 (new line char and NULL char)
  char pass1[] = "toor";    //Change this to the password you want to use to login with.
  char pass2[6];            //Number of char's in variable pass1 + 2 (new line char and NULL char)


signal(SIGINT, SIG_IGN);



/**********************************/
/* gets the username from keyboard*/
/**********************************/
        printf ("\nUsername: ");
        fflush(stdout);
    if (fgets(user2, sizeof(user2), stdin))
  {
        char *p = strchr(user2, '\n');
    if (p) *p = '\0';

/**********************************/
/* gets the password from keyboard*/    
/**********************************/
            printf ("\nPassword: "); 
            fflush(stdout);
    if (fgets(pass2, sizeof(pass2), stdin))
                   {
            char *p2 = strchr(pass2, '\n');
      if (p2) *p2 = '\0';


/***********************************************************/
/*compares and verifys user input for username and password*/
/***********************************************************/
      if (strncmp(user1, user2, 4) == 0) 
      {
      if (strncmp(pass1, pass2, 4) == 0)

/************************************************************************/
/*prints "Welcome <username>!" if both username and password are correct*/
/************************************************************************/
                     printf ("\nWelcome %s!\n",user1);
         else

/*************************************************************************/
/*prints "Invalid username and/or password!" if the username is incorrect*/
/*************************************************************************/
                     printf ("\nInvalid username and/or password!\n");
       }


/*************************************************************************/
/*prints "Invalid username and/or password!" if the username is incorrect*/
/*************************************************************************/
        else
                     printf ("\nInvalid username and/or password!\n");
    }
  }
/**********************************************/
/*returns control back to the operating system*/
/**********************************************/
  return 0;
}

**Prelude** · 02-15-2005

>I've added comments
The C style comments are way over the top. You can remove all of them and not lose an ounce of clarity. The C++ style comments are not technically legal unless you're compiling as C99, but at least they're relatively descriptive beyond what the code says.

>and used strncmp instead of strcmp
Why? Now you've just locked the program to 4 character long user names and passwords. strncmp won't save you from buffer overflow (as that seems to be your reason for the change) unless one of the strings isn't '\0' terminated after the limit.

>the thing I want to know is if this program is buffer-overflow free?
It's not in any immediate danger, if that's what you're worried about.

Thread: i have problem with my code...

Thread Tools

Search Thread

Display

i have problem with my code...

is this buffer-overflow free?

Similar Threads

Code problem

Problem with game code.

problem with selection code

C / OpenGL help REALLY needed for simple but annoying problem!

Help with code for simple Y2K problem