Stack Buffer Overflow

How it works ?

A buffer overflow occurs when a program tries to store more data in a buffer (a temporary storage area in memory) than it is designed to hold. This can cause the data to overwrite other parts of memory, potentially allowing an attacker to execute arbitrary code or crash the program.

Here is an example of a buffer overflow vulnerability in C:

char buffer[16];

printf("Enter a string: ");
scanf("%s", buffer);

Here is a diagram showing the buffer in memory:

  address   |   values
            |   +------------------------- buffer ---------------------------+
0xffffd280: |   | 0x01	0x00	0x00	0x00	0x54	0xd3	0xff	0xff |
0xffffd288: |   | 0x5c	0xd3	0xff	0xff	0xad	0x62	0x55	0x56 |
            |   +------------------------------------------------------------+
0xffffd290: |    0xb0	0xd2	0xff	0xff	0x00	0x00	0x00	0x00
0xffffd298: |    0x00	0x00	0x00	0x00	0x46	0xce	0xdd	0xf7
  ...       |    ...

Initially, the buffer occupies a 16-byte area in memory and is empty. When the user enters the string "ABCDEFGHIJKLMNOPQRSTUVWCYZ", it is stored in the buffer, causing a buffer overflow because the string is 26 bytes long, which is more than the size of the buffer which is 16 bytes:

  address   |   values
            |   +------------------------- buffer ---------------------------+
0xffffd280: |   | 0x41	0x42	0x43	0x44	0x45	0x46	0x47	0x48 |
0xffffd288: |   | 0x49	0x50	0x51	0x52	0x53	0x54	0x55	0x56 |
            |   +------------------------------------------------------------+
            |   +------------------------ OVERFLOW --------------------------+
0xffffd290: |   | 0x57	0x58	0x59	0x60	0x61	0x62	0x63	0x64 |
            |   |             +----------------------------------------------+
0xffffd298: |   | 0x65	0x66  |	0x00	0x00	0x46	0xce	0xdd	0xf7
            |   +-------------+
  ...       |    ...

How to prevent ?

There are several ways to prevent buffer overflow vulnerabilities in your programs. Some of the most common methods include the following:

  • Use safe string functions: Instead of using the standard C string functions, which do not perform bounds checking, you can use safe string functions such as strncpy(), strncat(), and snprintf() that allow you to specify the maximum number of characters to copy or concatenate. This ensures that the destination buffer will not be overflowed.

char buffer[16];

// Use strncpy() to copy at most 15 characters from src to buffer
strncpy(buffer, src, 15);

// Use strncat() to concatenate at most 15 characters from src to buffer
strncat(buffer, src, 15);

// Use snprintf() to write at most 15 characters from src to buffer
snprintf(buffer, 15, "%s", src);
  • Check the length of input strings: Before copying input strings into a buffer, you should check their length to ensure that they do not exceed the size of the buffer. If the input string is too long, you can either truncate it or allocate a larger buffer to hold it.

char buffer[16];

// Use scanf() to read at most 50 characters into buffer
scanf("%15s", buffer);
  • Use a modern compiler: Modern compilers, such as GCC and Clang, have features that can help prevent buffer overflows. For example, they can automatically insert runtime checks to ensure that buffer accesses do not exceed the bounds of the allocated memory.

// Use the -fstack-protector flag when compiling with GCC or Clang
gcc -fstack-protector myprogram.c
clang -fstack-protector myprogram.c

Last updated