Heap Overflow attack, what can go wrong with this code
Question
char *test(char *arg1, char* arg2){
size_t length=strlen(arg1);
char *c= malloc(length+4);
for(int i=length;i>0;i--)
*(c+i+4)=*(arg1)^(arg2[i%8]);
*(size_t *) (c) =length;
return c;
}
Does this code suffer from heap overflow attack ?
1 answers
solution1
1 ACCPTED 2017-05-10 14:00:26
Lots of things can go wrong there. Most importantly, the expression *(c+i+4)=*(arg1)^(arg2[i%8]) is going to overflow your allocated buffer on the first iteration of the loop.
Imagine that length==1 . So you'll allocate 5 bytes for c . The first time through the loop, i is equal to 1. So the expression c+i+4 resolves to c+5 , which is one byte beyond the memory you allocated.
Other things that can go wrong:
-
arg1is an invalid pointer. Your program crashes. - The string referenced by
arg1is really long, and you can't allocate enough memory for it.mallocfails and your program crashes. - Memory addressed by
arg2is smaller than 8 bytes, and therefore your code is reading beyond the allocated memory. This might not crash, but the result will be ... undefined. - You assume that
size_tis 4 bytes. Yourmallocshould bemalloc(length+sizeof(size_t)).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
What is wrong with my Heap Sort code in Java?
What is the difference among heap spraying, heap overflow, heap overrun?
What's wrong with my In Place Heap Sorting code
What is wrong with my C++ heap implementation?
ERlang HEAP overflow
malloc() with heap overflow explanation
Heap overflow in Haskell
Overcoming heap overflow issues
Not understanding heap overflow article
How to cause stack overflow and heap overflow in python
Related Tags