Re: Unchecked Buffer
From: Hector Santos (nospam@nospam.com)
Date: 01/27/03
From: "Hector Santos" <nospam@nospam.com> Date: Mon, 27 Jan 2003 15:59:09 -0500
"anton" <antons1@orc.ru> wrote in message
news:00a901c2c631$fab3a6d0$d5f82ecf@TK2MSFTNGXA12...
> What is an Unchecked Buffer? Could somebody write some
> function in C and code calling it, which shows this
> problem?
> thanx
If you are referring to the "Buffer Overflow" inherently common in many
C/C++ applications,
it is basically this:
C "strings", traditionally called "asciiz strings" or "null terminated strings",
are an array of characters in memory that ends with the first NULL (0) byte.
So, for example, if you have reserved space for your name in a C string,
like so:
char YourName[80];
it means that you have 79 characters for your name, leaving 1 byte for the
NULL byte.
Now, depending on your application, there are many issues with this:
If you are using this in a "fixed" or "static" manner, meaning it is
something that is never changed, like so:
char YourName[80];
strcpy(YourName,"Anton");
then you will NEVER have a Buffer OverFlow problem.
On the other hand, you can have this:
char YourFirstName[20];
strcpy(YourFirstName,"111111111111111111111111111111111111111111111");
or if you have an application which gets the YourName from external sources,
like so:
char YourName[80];
printf("What is your name? ");
scanf("%s", YourName);
it is possible to have "Buffer OverFlow" problems due to unchecked buffers.
Go ahead and try any of the above for overflow conditions. For the scanf()
input example, enter a name that is very long (with no spaces). You will
see your program abort with a GPF (General Protection Fault).
Why?
Because poorly written programs do not check to make sure that no MORE than
79 characters are written to YourName.
If more than 79 characters are written, then you have an "Overflow".
Overflow comes from the fact that the extra characters can overflow to
another variable. This is called Memory Clobbering. Here is an example of
clobbered memory:
char YourName[80];
char Address[80];
If more than 80 characters are written to YourName, then the extra data will
appear in the Address string buffer.
If instead there was computer logic after YourName, then you clobber
computer code, which makes the program abort.
If instead the variables were used in a "function" and the overflow kills
what is called the "function stack", then you have this hideous situation
where Windows allows a VIRUS to inject itself in the stack and the
next execution begins at the stack ip pointer (I still don't know why
Windows allows this).
So it is important that when data is written to a C string or any data
structure for that matter, that you do not exceed the size of that variable.
So why does this happen so much?
Well, just poor programming, but more importantly "poor engineering."
Take for example the above situation where we have a variable that is
designed to hold Your Name.
The question a programmer may ask himself during design is;
"how much space should I reserve for a Human Name?"
In this case, we set it at 80. I would think 80 is a practical value,
right? Why not 50? why not 256? Why not 1024? Do you know anyone in the
world with a name longer than 79 characters?
So you would think that 80, or even if you set it to 1024, would be a safe
size, and the ethical programmer who may be ignorant of "bad people" will
believe someone will never try to enter more than the expected size.
Well, as we all know, the reality says otherwise.
The point is that this is what you see out there with many of the
applications out there, and HACKERS use this basic fundamental flaw in many
"practical designs" of applications to find parts of an application they can
"Overflow" by sending it oversize data buffers, hoping that they find a
situation where the stack is clobbered, thus causing a "Stack Overflow."
So regardless of the size, you still need to make sure that it is
never exceeded. A lot of lazy programmers will bypass the checking because,
well, it can be tedious and redundant coding, and a lot of
programmers, which is what you see today, only fix problems as they appear.
In addition, there are timeline management decisions to be made when you
design software. To make it "perfect" or rather do everything it takes to
write good code, test every part of it using a "BlackBox" concept, etc,
this takes extra engineering time and could delay a release of a product.
So many times, "buggy" software is released just to meet deadlines.
My personal issue with Microsoft is that they have BILLIONS of dollars to do
product testing. They already own the market place, so it shouldn't be an
issue of "hurrying buggy software" into the market place.
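Added example, not part of the post above: a C program with the bounded copy the reply calls for, plus a constructed two-field layout (name[] directly before addr[]) that reproduces the "extra characters appear in the next variable" effect without undefined behaviour. The struct, sizes and function names are assumptions for illustration only.

```c
#include <stdio.h>
#include <string.h>
/* Constructed layout mirroring the post: name[] sits directly before addr[]. */
struct Record {
    char name[8];
    char addr[8];
};

/* Bounded copy: refuses a source that would not fit together with its NUL.
   Returns 0 on success, -1 if src is too long; dst is left untouched then. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;               /* needs n+1 bytes, only dst_size available */
    memcpy(dst, src, n + 1);     /* copy including the terminating NUL */
    return 0;
}

/* 1 if src fits an 8-byte name buffer (at most 7 characters), else 0. */
int name_fits(const char *src)
{
    char name[8];
    return copy_name_checked(name, sizeof name, src) == 0;
}

/* Shows the clobbering the post describes: the oversize string is written
   across the whole struct (one object, so no undefined behaviour), and the
   bytes past name[] land in addr[]. Returns 1 if addr was overwritten. */
int clobber_demo(void)
{
    struct Record r;
    const char *oversize = "ABCDEFGHIJKL";   /* 12 chars; name[] holds 7 */
    memset(&r, 0, sizeof r);
    memcpy(r.addr, "home", 5);
    memcpy(&r, oversize, strlen(oversize) + 1);  /* 13 bytes <= sizeof r */
    return strcmp(r.addr, "home") != 0;         /* addr now reads "IJKL" */
}

int main(void)
{
    char name[80];
    printf("What is your name? ");
    /* Bounded replacement for scanf("%s", ...): reads at most 79 characters. */
    if (scanf("%79s", name) != 1)
        return 1;
    printf("Hello, %s (fits 8-byte buffer: %d, clobber demo: %d)\n",
           name, name_fits(name), clobber_demo());
    return 0;
}
```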