Please explain why this code is vulnerable to buffer overflow

int func(char* str)
{
   char buffer[100];
   unsigned short len = strlen(str);

   if(len >= 100)
   {
        return (-1);
   }

   strncpy(buffer,str,strlen(str));
   return 0;
}

It's a school assignment. They want us to write why this code is weak against buffer overflows But I can't figure it out no matter how much I think about it. Do I have to set it to int instead of short?

security c buffer-overflow

2022-09-22 22:18

1 Answers

In most compilers, the maximum value for unsinged short is 65535. Therefore, a buffer overflow occurs when a string over 65535 length is entered from this code. Also, the buffer size is 100 and the string over 100 in length should not come in.

When saving the return value of strlen(), you must use size_t instead of unsigned short You must memcpy when this length is greater than or equal to the buffer length.

char buffer[100];
size_t len = strlen(str);
if (len >= sizeof(buffer) / sizeof(buffer[0]))  return -1;
memcpy(buffer, str, len + 1);

2022-09-22 22:18

If you have any answers or tips

Popular Tags

python x 4647

android x 1593

java x 1494

javascript x 1427

c x 927

c++ x 878

ruby-on-rails x 696

php x 692

python3 x 685

html x 656