What is buffer overflow?

Question

What is buffer overflow?

Asked 8 years, 8 months ago

Viewed 2,408 times

20

Whenever I use the function gets() the compiler returns me the following warning:

Function is Dangerous and should not be used

Translation:

this function is dangerous and should not be used

I hear a lot that she is dangerous and that in her place should be used the function fgets() to avoid such a buffer overflow.

After all, what would be the buffer overflow and what kind of danger would it pose to my software? And what does the function gets() be vulnerable to buffer overflow? Beyond the function gets() there are others that are vulnerable to buffer overflow?

2

The wikipedia article seems to me quite complete. (The Portuguese version also has plenty of content if you prefer)

– hugomg

2016/02/27 at 23:21
1

But I prefer the answer to be here, rsrs.

– Wallace Maxters

2016/02/28 at 15:36

4 answers

18

If you used it once, saw the warning and kept using it, you’re making a mistake.

Buffer overflow

The function gets() receives a variable that functions as a buffer. That is, a variable is created and passed to the function that will put a value on it. When the variable is created it has a specific size. This function has no measure to ensure that the value does not exceed the variable size. The C language itself lacks mechanisms that guarantee the limit of the size of the object contained in the variable.

The bursting of buffer occurs when the value obtained (in device reading) is greater than the size reserved for the variable. So the function writes in an area that’s reserved for something else. Being able to write where it shouldn’t it allows the execution to be tampered with and the code ends up doing something unexpected, opening security gaps.

The "hackers" take advantage of this failure to send data that they know will overwrite memory improperly. Understanding the memory positions that the application will be using in a given situation it can send a code or modify a data that will execute an improper code that is not part of the expected functioning in the application, such as enabling a login even without a correct password.

Solution

The great advantage of the function fgets() and other similar is that one of its parameters says the size of the buffer and the function ensures that it will not exceed this limit, even if the value it is receiving is higher. This way the data cannot interfere in other areas of memory.

Other hazardous functions

Also be careful with (follow the "safe" alternative already existing in the standard):

strcpy() -> strncpy()
strcat() -> strncat()
strlen() -> strnlen()
strcmp() -> strncmp()
strdup() -> strndup()
wcscpy() -> wcsncpy()
wcslen() -> wcsnlen()
sprintf() -> snprintf()

Others that may be bad in some situations: - scanf(), getwd(), realpath() atoi(), memcpy(), strtok(),

Some of these functions have dangerous variations as well. Note that the alternative is not guaranteed safe, they only have a slightly better mechanism, they do not replace the correct use of them and additional checks.

Some are dangerous and prone to bursting buffer only if misused. A gets() really is dangerous no matter what the programmer does.

Obviously I don’t venture to say that this is a complete list.

To strncpy() is not a safe alternative to strcpy(). They have different functionalities.

– pmg

2016/08/26 at 15:05
@pmg for example?

– Maniero

2016/08/26 at 15:07
char s100[100]; strncpy(s100, "", 100); will fill s100 of '\0'; strcpy(s100, ""); will only write a byte. It may also happen that the end result of strncpy() does not include the terminator.

– pmg

2016/08/26 at 15:11
@pmg and what will be the alternative then?

– Maniero

2016/08/26 at 15:12
The alternative is to pass the arrays sizes whenever necessary; and always validate before doing something "dangerous".

– pmg

2016/08/26 at 15:13
@pmg how to pass size on strcpy()?

– Maniero

2016/08/26 at 15:18
You must do the validation before to call strcpy().

– pmg

2016/08/26 at 15:29
It is that you talked about passing and the function does not allow. It was clear now, I will edit to improve this part.

– Maniero

2016/08/26 at 15:30

Show 3 more comments

Browser other questions tagged c function security-guard memory

You are not signed in. Login or sign up in order to post.

by Viniam • **642** points · Answer 1 · 2016-02-27T23:10:52+00:00

What is Buffer Overflow?

Look man Buffer Overflow means "Buffer overflow" is when something exceeds the limit, for example if you have an array that can only receive 10 values and you put in this array 11 values Okay this is buffer overflow because there was a memory overflow(exceeded the size limit).

What kind of danger would he pose to my software?

A very great danger, most exploits are made based on this buffer overflow failure so the attacker by identifying a buffer overflow failure in his software he can inject several malicious code into his software and do damage, circumvent protections of your software if it is a soft paid OR if your software is a soft remote (internet connection) imagine the damage the attacker managing to invade several people through the failure caused in your software.

Why gets() is vulnerable to Buffer Overflow??

The simplest explanation for this question is the following: This function does not limit the number of characters to be read from the standard input (stdin).

I hope I’ve helped.

by ederwander • **6,431** points · Answer 2 · 2016-02-27T23:28:51+00:00

Buffer overflow is when somehow more input data is inserted than expected by your program, this causes a memory overflow compromising the execution of the program, this allows you to overwrite the memory that allows you to use addresses for executing arbitrary codes by the OS.

The fgets function as far as I know has no prevention checks on the length of strings passed to your program, that is to say that if you set a variable of size 200 and a user/hacker try to enter 250 values, your program will be overflowing the buffer of this variable allowing you to overwrite the memory of your OS.

In addition to fgets strcpy tbm can suffer from the same evil, in fact any function that allows data entry without checks.

In some OS’s (Linux) the kernel integrates ASLR techniques (https://en.m.wikipedia.org/wiki/Address_space_layout_randomization), in an attempt to prevent these problems with the compiler.

Here has already happened something practical about this type of exploration, if you are interested read this post:

Security - Syscall inside shellcode does not run

by krystalgamer • **531** points · Answer 3 · 2016-02-27T23:11:23+00:00

Since the buffer is the space that each variable has in a program, this space is limited. For example, each char is usually a byte.

Buffer overflow means writing beyond the space of the variable by changing subsequent memory positions. This has several problems: Undefined behaviour, crashes or even exploits. A hacker can control your program. One of the most notorious cases is in PSP games changing the name of savefiles to very large strings, in addition to the allowed by the game caused crashes in which hackers took control and ran their code.I won’t go into too much depth because I’m a novice and I hope I don’t make mistakes.

The gets function is dangerous because the user chooses how many characters to enter. If the string is only 30 and the user inserts 31 there is buffer overflow, because the string will be stored and will take another adjacent byte that does not belong to string.

Yes there is more. At the moment I only remember the scanf, in normal situations the compiler warns so it is not necessary to know by heart.