Hi all.
I have a program like this:
When I enter a big string in command-line, I get this:Code:#include <stdio.h> #include <stdlib.h> #include <string.h> int check(char *password){ int auth_flag = 0; char passw_buffer[16]; strcpy(passw_buffer,password); if(strcmp(passw_buffer,"brullig") == 0) auth_flag = 1; if(strcmp(passw_buffer,"outgrabe") == 0) auth_flag = 1; return auth_flag; } int main(int argc, char *argv[]){ if(check(argv[1])) printf("Access granted\n"); else printf("Access denied\n"); return 0; }
I understand it, because my stack looks like this:Code:spitz@nerdbox:~/Documents/BP> ./auth_overflow AAAAAAAAAAAAAAAAAAAAA Access granted
[Bottom of stack/High Memory Adresses] auth_flag | buffer [top of stack / lower memory adresses].
But then I switch auth_flag en buffer declaration like this:
When I run it again with a long string I get this:Code:int check(char *password){ char passw_buffer[16]; int auth_flag = 0; strcpy(passw_buffer,password); if(strcmp(passw_buffer,"brullig") == 0) auth_flag = 1; if(strcmp(passw_buffer,"outgrabe") == 0) auth_flag = 1; return auth_flag; } int main(int argc, char *argv[]){ if(check(argv[1])) printf("Access granted\n"); else printf("Access denied\n"); return 0; }
How is it possible that the AAAA has overwritten the auth_flag int?Code:spitz@nerdbox:~/Documents/BP> ./auth_overflow2 AAAAAAAAAAAAAAAAAAAAA Access granted
I tought the stack in the second example would look like this:
[Bottom Of Stack/High Memory Addresses] buffer | auth_flag [Top of Stack/ Low memory adresses]
Can anyone explain me how it's possible that auth_flag got overwritten?
Thanks in advance!
PS: I'm using OpenSUSE 11.1, gcc version 4.3
