对简单C代码中的安全工程缺乏了解
[英]Lack of understanding of security engineering in simple C code
问题描述
I am absolutely new to C programming.
我对 C 编程完全陌生。 Currently I am preparing for my new course of studies IT Security.目前我正在为我的新课程 IT 安全做准备。 In a slightly older exam I found a task where I have no approach how to solve it.在稍早的考试中,我发现了一项我无法解决的任务。 The task is in German.任务是德语的。 In principle it is about finding critical errors.原则上,它是关于发现关键错误。
It is not written how the passed parameters look like.没有写传递参数的样子。
1) I have come to the point that you should not use strcpy because it has no bounds checking. 1)我已经说到你不应该使用strcpy因为它没有边界检查。
2) Also char[10] should not be used if you want to store 10 characters (\0). 2) 如果要存储 10 个字符 (\0),也不应使用char[10] 。 It should be char[11].它应该是 char[11]。
Is it possible to read Adresses or write sth due the printf(argv[1]) command?是否可以通过 printf(argv[1]) 命令读取地址或写入某物?
I would like to mention again that you help me here personally and do not help to collect bonus points in the university.我想再次提一下,您亲自在这里帮助我,而不是帮助在大学里收集积分。
#include <stdio.h>
int main(int argc, char *argv[])
{
char code[10];
if(argc != 2) return 1;
printf(argv[1]);
strcpy(code, "9999999999");
for(int i = 0; i < 10; ++i){
code[i] -= argv[1][i] % 10;
}
printf(", %s\n", code);
return 0;
}
1 个解决方案
解决方案1
0 已采纳 2020-05-01 19:51:45
you should not use strcpy() because it has no bounds checking
Nothing in C has bounds checking unless either C中的任何内容都没有边界检查,除非
the compiler writer put it there, or
编译器作者把它放在那里,或者you put it there.
你把它放在那里。
Few compiler writers incorporate bounds checking into their products, because it usually causes the resulting code to be bigger and slower.很少有编译器编写者将边界检查合并到他们的产品中,因为它通常会导致生成的代码更大更慢。 Some tools exist (eg Valgrind , Electric Fence ) to provide bounds-checking-related debugging assistance, but they are not commonly incorporated into delivered software because of limitations they impose.存在一些工具(例如Valgrind 、 Electric Fence )来提供与边界检查相关的调试帮助,但由于它们施加的限制,它们通常不被合并到交付的软件中。
You absolutely should use strcpy() if你绝对应该使用strcpy()如果
you know your source is a NUL-terminated array of characters, aka "a string", and
你知道你的源是一个以 NUL 结尾的字符数组,也就是“一个字符串”,并且you know your destination is large enough to hold all of the source array including the terminating NUL
你知道你的目的地足够大,可以容纳所有的源数组,包括终止的 NUL
because the compiler writer is permitted to use behind-the-scenes tricks unavailable to compiler users to ensure strcpy() has the best possible performance while still providing the behaviour guaranteed by the standard.因为允许编译器编写者使用编译器用户无法使用的幕后技巧,以确保strcpy()具有最佳性能,同时仍提供标准所保证的行为。
char[10] should not be used if you want to store 10 characters (\0)
Correct.正确的。
To store 10 characters and the terminating NUL ( '\0' ), you must have at least 11 characters of space available.要存储 10 个字符和终止 NUL ( '\0' ),您必须至少有 11 个字符的可用空间。
Is it possible to read Adresses or write sth due the printf(argv[1]) command?
In principle: maybe.原则上:也许。
The first argument to printf() is a format string which is interpreted by printf() to determine what further arguments have been provided. printf()的第一个参数是一个格式字符串,由printf()解释以确定进一步的 arguments 提供了什么。 If the format string contains any format specifications (eg "%d" or "%n" ) then printf() will try to retrieve corresponding arguments.如果格式字符串包含任何格式规范(例如"%d"或"%n" ),则printf()将尝试检索相应的 arguments。 If they were not in fact passed to it, then it invokes Undefined Behaviour which is Bad.如果它们实际上没有传递给它,那么它会调用未定义的行为,这是不好的。 An attacker could run your program giving it a command-line argument containing format specifiers, which would lead to such UB.攻击者可以运行你的程序,给它一个包含格式说明符的命令行参数,这将导致这样的 UB。
The right way to print an arbitrary string like this with printf() is printf("%s", argv[1]);使用printf()打印这样的任意字符串的正确方法是printf("%s", argv[1]);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.