Buffer Overflow

Buffer overflows may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checking by either the programmer or the compiler can prevent buffer overflows.


TECHNICAL DESCRIPTION

A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. Most commonly this occurs when copying strings of characters from one buffer to another.


Basic example

In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide.

Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B:

Although the programmer did not intend to change B at all, B's value has now been replaced by a number formed from part of the character string. (In this example, on a big-endian system that uses ASCII, 'e' followed by a zero byte becomes the number 25856.)

If B was the only other variable data item defined by the program, writing an even longer string that went past the end of B could cause an error such as a segmentation fault, terminating the process.
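A small C model of the A/B layout above, added here as an example and not code from the original article: it lays A and B out as one 10-byte block with B stored big-endian (an assumption chosen to match the page's arithmetic), stores "excessive" with and without a length check, and reads B back. The layout, names and helper functions are hypothetical; the copy is confined to the modelled block so the demonstration itself is well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the page's layout: an 8-byte string buffer A followed
 * immediately by a 2-byte integer B, as one 10-byte block. B is big-endian. */
#define A_SIZE 8
#define MEM_SIZE (A_SIZE + 2)

typedef struct { unsigned char bytes[MEM_SIZE]; } adjacent_t;

/* A starts as all zero bytes, B starts as 3. */
void init_layout(adjacent_t *m) {
    memset(m->bytes, 0, MEM_SIZE);
    m->bytes[A_SIZE + 1] = 3;
}

/* Read B back as a big-endian 16-bit value from the two bytes after A. */
uint16_t read_b(const adjacent_t *m) {
    return (uint16_t)((m->bytes[A_SIZE] << 8) | m->bytes[A_SIZE + 1]);
}

/* Unchecked copy in the spirit of strcpy: writes strlen(s)+1 bytes at A with no
 * regard for A's size, so a 9-character string spills over into B. */
int store_unchecked(adjacent_t *m, const char *s) {
    size_t n = strlen(s) + 1;
    if (n > MEM_SIZE) return -1;          /* would leave even the model block */
    memcpy(m->bytes, s, n);
    return 0;
}

/* Bounds-checked copy: refuses any string that does not fit A with its NUL. */
int store_checked(adjacent_t *m, const char *s) {
    size_t n = strlen(s) + 1;
    if (n > A_SIZE) return -1;
    memcpy(m->bytes, s, n);
    return 0;
}

int main(void) {
    adjacent_t m;
    init_layout(&m);
    store_unchecked(&m, "excessive");
    printf("unchecked: B = %u\n", (unsigned)read_b(&m));   /* 25856 */
    init_layout(&m);
    store_checked(&m, "excessive");                         /* refused, B stays 3 */
    printf("checked:   B = %u\n", (unsigned)read_b(&m));
    return 0;
}
```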


Buffer overflows on the stack

Besides changing values of unrelated variables, buffer overflows can often be used (exploited) by attackers to make the running program execute arbitrary supplied code. The techniques available to an attacker seeking control over a process depend on the memory region in which the buffer resides. One such region is the stack, where data can be temporarily "pushed" onto the "top" of the stack and later "popped" to read the value of the variable. Typically, when a function begins executing, temporary data items (local variables) are pushed, which remain accessible only during the execution of that function. Besides stack overflows there are also heap overflows.

In the following example, "X" is data that was on the stack when the program began executing; the program then called a function "Y", which required a small amount of storage of its own; and "Y" then called "Z", which required a large buffer:

If the function Z caused a buffer overflow, it could overwrite data that belonged to function Y or to the main program:

This is particularly serious because on most systems, the stack also holds the return address, that is, the location of the part of the program that was executing before the current function was called. When the function ends, the temporary storage is removed from the stack, and execution is transferred back to the return address. If, however, the return address has been overwritten by a buffer overflow, it will now point to some other location. In the case of an accidental buffer overflow as in the first example, this will almost certainly be an invalid location, not containing any program instructions, and the process will crash.


Example source code

The following is C source code exhibiting a common programming mistake. Once compiled, the program will generate a buffer overflow error if run with a command-line argument string that is too long, because this argument is used to fill a buffer without checking its length.


    /* overflow.c - demonstrates a buffer overflow */

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[10];
        if (argc < 2)
        {
            fprintf(stderr, "USAGE: %s string\n", argv[0]);
            return 1;
        }
        /* no length check: a longer argument writes past the end of buffer */
        strcpy(buffer, argv[1]);
        return 0;
    }


Strings of 9 or fewer characters will not cause a buffer overflow. Strings of 10 or more characters will cause an overflow: this is always incorrect but may not always result in a program error or segmentation fault.

This program could be safely rewritten using strncpy as follows:

    /* better.c - demonstrates one method of fixing the problem */

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[10];
        if (argc < 2)
        {
            fprintf(stderr, "USAGE: %s string\n", argv[0]);
            return 1;
        }
        /* copy at most sizeof(buffer) bytes; longer input is truncated */
        strncpy(buffer, argv[1], sizeof(buffer));
        /* strncpy does not add a NUL when the source fills the buffer,
           so terminate explicitly */
        buffer[sizeof(buffer) - 1] = '\0';
        return 0;
    }

See Also: Heap overflow