Hello,
I've added comments and used strncmp instead of strcmp, the thing I want to know is if this program is buffer-overflow free?
Also does anyone know how to test if my programs are at risk of being exploited? or do you know of a website that discusses this?
Code:
#include <stdio.h>
#include <string.h>
//#include <signal.h> //uncomment this to disable ctrl-c on UNIX type systems, but ctrl-z will still work.
int main(void)
{
char user1[] = "root"; //Change this to the username you want to use to login with.
char user2[6]; //Number of char's in variable user1 + 2 (new line char and NULL char)
char pass1[] = "toor"; //Change this to the password you want to use to login with.
char pass2[6]; //Number of char's in variable pass1 + 2 (new line char and NULL char)
signal(SIGINT, SIG_IGN);
/**********************************/
/* gets the username from keyboard*/
/**********************************/
printf ("\nUsername: ");
fflush(stdout);
if (fgets(user2, sizeof(user2), stdin))
{
char *p = strchr(user2, '\n');
if (p) *p = '\0';
/**********************************/
/* gets the password from keyboard*/
/**********************************/
printf ("\nPassword: ");
fflush(stdout);
if (fgets(pass2, sizeof(pass2), stdin))
{
char *p2 = strchr(pass2, '\n');
if (p2) *p2 = '\0';
/***********************************************************/
/*compares and verifys user input for username and password*/
/***********************************************************/
if (strncmp(user1, user2, 4) == 0)
{
if (strncmp(pass1, pass2, 4) == 0)
/************************************************************************/
/*prints "Welcome <username>!" if both username and password are correct*/
/************************************************************************/
printf ("\nWelcome %s!\n",user1);
else
/*************************************************************************/
/*prints "Invalid username and/or password!" if the username is incorrect*/
/*************************************************************************/
printf ("\nInvalid username and/or password!\n");
}
/*************************************************************************/
/*prints "Invalid username and/or password!" if the username is incorrect*/
/*************************************************************************/
else
printf ("\nInvalid username and/or password!\n");
}
}
/**********************************************/
/*returns control back to the operating system*/
/**********************************************/
return 0;
}