Hi all.
I have a program like this:
Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int check(char *password){
    int auth_flag = 0;
    char passw_buffer[16];

    /* Unbounded copy: this is the overflow the post is about. */
    strcpy(passw_buffer, password);

    if(strcmp(passw_buffer, "brullig") == 0)
        auth_flag = 1;
    if(strcmp(passw_buffer, "outgrabe") == 0)
        auth_flag = 1;

    return auth_flag;
}

int main(int argc, char *argv[]){
    if(argc < 2){   /* guard against running with no argument */
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 1;
    }
    if(check(argv[1]))
        printf("Access granted\n");
    else
        printf("Access denied\n");
    return 0;
}
When I enter a big string in command-line, I get this:
Code:
spitz@nerdbox:~/Documents/BP> ./auth_overflow AAAAAAAAAAAAAAAAAAAAA
Access granted
I understand it, because my stack looks like this:
[Bottom of stack/High Memory Addresses] auth_flag | buffer [top of stack / lower memory addresses].
But then I switch the auth_flag and buffer declarations like this:
Code:
int check(char *password){
    char passw_buffer[16];   /* declared first this time */
    int auth_flag = 0;

    /* Same unbounded copy as before. */
    strcpy(passw_buffer, password);

    if(strcmp(passw_buffer, "brullig") == 0)
        auth_flag = 1;
    if(strcmp(passw_buffer, "outgrabe") == 0)
        auth_flag = 1;

    return auth_flag;
}

int main(int argc, char *argv[]){
    if(argc < 2){   /* guard against running with no argument */
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 1;
    }
    if(check(argv[1]))
        printf("Access granted\n");
    else
        printf("Access denied\n");
    return 0;
}
When I run it again with a long string I get this:
Code:
spitz@nerdbox:~/Documents/BP> ./auth_overflow2 AAAAAAAAAAAAAAAAAAAAA
Access granted
How is it possible that the AAAA has overwritten the auth_flag int?
I thought the stack in the second example would look like this:
[Bottom Of Stack/High Memory Addresses] buffer | auth_flag [Top of Stack/ Low memory addresses]
Can anyone explain to me how it's possible that auth_flag got overwritten?
Thanks in advance!
PS: I'm using OpenSUSE 11.1, gcc version 4.3
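Added example, not code from the post above. The C language does not define where two automatic variables sit relative to each other; the compiler chooses, and it is free to place a char array above an int whichever order they are declared in. The program below makes that visible: probe_layout() prints the addresses the compiler actually gave a local buffer and a local flag and returns the distance between them, and check_safe() is a bounded rewrite of the posted check() that refuses input which does not fit, so the copy can never reach whatever the compiler placed next to the buffer. The function names, the sample input string and the printed messages are my own choices; the distance returned by probe_layout() depends on the compiler, its flags and the architecture, so it is printed rather than relied on.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Reports where the compiler placed a local int relative to a local
 * char array.  Returns the signed byte distance from the start of the
 * buffer to the flag: positive means the flag lies above the buffer
 * (an overrun of the buffer can reach it), negative means below.
 * The value is implementation-specific and is not asserted on. */
long probe_layout(void)
{
    char buffer[16];
    volatile int auth_flag = 0;   /* volatile keeps it in memory, not a register */

    memset(buffer, 0, sizeof buffer);

    uintptr_t b = (uintptr_t)buffer;
    uintptr_t f = (uintptr_t)&auth_flag;

    printf("buffer    @ %p\n", (void *)b);
    printf("auth_flag @ %p\n", (void *)f);

    return (f >= b) ? (long)(f - b) : -(long)(b - f);
}

/* Bounded replacement for the posted check(): the input is copied only
 * if it fits in the buffer together with its terminating NUL, so the
 * copy cannot write past the array whatever sits beside it. */
int check_safe(const char *password)
{
    char passw_buffer[16];
    int auth_flag = 0;
    size_t len = strlen(password);

    if (len >= sizeof passw_buffer)   /* too long to fit: reject, do not copy */
        return 0;

    memcpy(passw_buffer, password, len + 1);

    if (strcmp(passw_buffer, "brullig") == 0)
        auth_flag = 1;
    if (strcmp(passw_buffer, "outgrabe") == 0)
        auth_flag = 1;

    return auth_flag;
}

int main(int argc, char *argv[])
{
    long d = probe_layout();
    printf("flag is %ld bytes %s the buffer\n",
           d < 0 ? -d : d, d < 0 ? "below" : "above");

    /* Constructed sample input: 21 'A's, the same kind of string as in the post. */
    const char *input = (argc > 1) ? argv[1] : "AAAAAAAAAAAAAAAAAAAAA";
    printf("check_safe(\"%s\") -> %d\n", input, check_safe(input));
    return 0;
}
```

Compile it both ways (buffer declared first, then flag first, by editing probe_layout()) and with and without -O2 to see that the reported distance is the compiler's decision, not the source order. The point for the code itself is that the fix is a bounded copy, not a particular declaration order.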