Okay, let's take a look at this wrong scanf implementation:
Code:
#include <stdio.h>
int main(void) {
char buff[20];          /* 20-byte stack buffer (was "char *buff[20]", an array of pointers) */
scanf("%s",buff);       /* unbounded read: input longer than 19 chars overflows the buffer */
printf("%s\n",buff);
return 0;
}
If I now take a large enough input to write over the base pointer or even eip, I get a segfault. The correct usage would of course be scanf("%20s",buff);.
But now take a look at this:
Code:
#include <stdio.h>
#include <stdlib.h>
int main(void) {
char *buff;
buff = malloc(20);      /* 20-byte heap buffer */
scanf("%s",buff);       /* unbounded read: overflows into the neighbouring heap chunk */
printf("%s\n",buff);
return 0;
}
No matter how large the input was, it never crashed in my tests but read everything and printed it all out again. Only if I free the memory after the printf instruction with free(buff); does it crash:
Code:
*** glibc detected *** ./hello: free(): invalid next size (fast): 0x0804a008 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e167cd]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7e19e30]
./hello[0x804845d]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7dc4ebc]
./hello[0x8048391]
======= Memory map: ========
08048000-08049000 r-xp 00000000 fe:00 1661139 /home/user/Desktop/hello
08049000-0804a000 rw-p 00000000 fe:00 1661139 /home/user/Desktop/hello
0804a000-0806b000 rw-p 0804a000 00:00 0 [heap]
b7c00000-b7c21000 rw-p b7c00000 00:00 0
b7c21000-b7d00000 ---p b7c21000 00:00 0
b7dae000-b7daf000 rw-p b7dae000 00:00 0
b7daf000-b7eea000 r-xp 00000000 08:05 456891 /lib/tls/i686/cmov/libc-2.5.so
b7eea000-b7eeb000 r--p 0013b000 08:05 456891 /lib/tls/i686/cmov/libc-2.5.so
b7eeb000-b7eed000 rw-p 0013c000 08:05 456891 /lib/tls/i686/cmov/libc-2.5.so
b7eed000-b7ef0000 rw-p b7eed000 00:00 0
b7ef5000-b7f00000 r-xp 00000000 08:05 423552 /lib/libgcc_s.so.1
b7f00000-b7f01000 rw-p 0000a000 08:05 423552 /lib/libgcc_s.so.1
b7f01000-b7f05000 rw-p b7f01000 00:00 0
b7f05000-b7f1e000 r-xp 00000000 08:05 423511 /lib/ld-2.5.so
b7f1e000-b7f20000 rw-p 00019000 08:05 423511 /lib/ld-2.5.so
bfc09000-bfc1e000 rw-p bfc09000 00:00 0 [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
Aborted
How much space will actually be there on the heap before something serious happens? Why is it crashing when freed?
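Two bounded replacements for the unbounded scanf("%s") above, added here as an example and not part of the original post. The first builds the width at runtime from the buffer size; note that scanf's width counts characters before the terminating NUL, so a 20-byte buffer needs "%19s", not "%20s". The second grows the destination with realloc so input of any length fits. The crash at free() in the post is glibc's sanity check on the chunk header that sits directly after the 20 usable bytes: the oversized input overwrote the next chunk's size field, and free() reports it as "invalid next size". The sample inputs in main are constructed for the demonstration; the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded version of scanf("%s"): reads one whitespace-delimited token from
 * `in` into `out` (capacity `outsz` bytes) and never writes past the buffer.
 * Returns the number of characters stored, or -1 on error / no token.
 * The width passed to %s must be outsz - 1 so the terminating NUL fits. */
int read_token_bounded(const char *in, char *out, size_t outsz)
{
    char fmt[32];

    if (in == NULL || out == NULL || outsz < 2)
        return -1;
    /* Build e.g. "%19s" for a 20-byte buffer. */
    if (snprintf(fmt, sizeof fmt, "%%%zus", outsz - 1) >= (int)sizeof fmt)
        return -1;
    out[0] = '\0';
    if (sscanf(in, fmt, out) != 1)
        return -1;
    return (int)strlen(out);
}

/* Unbounded-length alternative: grows the destination as needed, so no input
 * length can overrun it. Returns a malloc'd NUL-terminated token (caller
 * frees) or NULL if there is no token or allocation fails. */
char *read_token_dynamic(const char *in)
{
    size_t cap = 16, len = 0;
    char *buf;

    if (in == NULL)
        return NULL;
    buf = malloc(cap);
    if (buf == NULL)
        return NULL;

    /* Skip leading whitespace, like %s does. */
    while (isspace((unsigned char)*in))
        in++;

    while (*in != '\0' && !isspace((unsigned char)*in)) {
        if (len + 1 >= cap) {            /* keep one byte for the NUL */
            char *tmp;
            if (cap > (size_t)-1 / 2) {  /* guard against size overflow */
                free(buf);
                return NULL;
            }
            tmp = realloc(buf, cap * 2);
            if (tmp == NULL) {
                free(buf);
                return NULL;
            }
            buf = tmp;
            cap *= 2;
        }
        buf[len++] = *in++;
    }
    if (len == 0) {                      /* no token found */
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed input: 50 'A's, far more than the 20-byte buffer holds. */
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA tail";
    char buff[20];
    char *dyn;

    printf("bounded: %d chars stored\n", read_token_bounded(input, buff, sizeof buff));
    dyn = read_token_dynamic(input);
    if (dyn != NULL) {
        printf("dynamic: %zu chars stored\n", strlen(dyn));
        free(dyn);                       /* safe: nothing was written past the chunk */
    }
    return 0;
}
```

With the 50-character input the bounded reader stores 19 characters plus the NUL and stops, and the dynamic reader returns all 50; neither touches the bytes past its buffer, so the heap chunk header that free() checks stays intact.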