
Segmentation fault even when buffer is large enough?

I'm trying to test a buffer overflow, but the program seems to crash even when the buffer is large enough, which I can't see why.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Deliberately unsafe copy: strcpy() has no length limit, so any
   argument of 1024 bytes or more (plus the NUL terminator) writes
   past buffer[] into the saved registers and return address. */
int bowfunc(char *string) {

    char buffer[1024];
    strcpy(buffer, string);
    return 1;
}

int main(int argc, char *argv[]) {

    bowfunc(argv[1]);   /* argv[1] is copied as-is, whatever its length */
    printf("Done.\n");
    return 1;
}

with bowfunc() correctly adjusting rsp by subtracting 0x410 in the gdb disassembly. Building as gcc -o exec1 -fno-stack-protector -z execstack -g exec1.c and running as ./exec1 $(python3 -c "print('\\xaa' * 600)") causes a crash; the actual crash seems to happen between 500 and 600 bytes. Which I can't see why, and gdb returns this error:

0x000055555555519e in bowfunc (string=0x7fffffffdcd4 'ª' <repeats 100 times>...) at exec1.c:10

Also, the maximum command length and argument size seem to be fine, with xargs --show-limits </dev/null giving:

Your environment variables take up 4531 bytes
POSIX upper limit on argument length (this system): 2090573
POSIX smallest allowable upper limit on argument length (all systems): 4096
Maximum length of command we could actually use: 2086042
Size of command buffer we are actually using: 131072
Maximum parallelism (--max-procs must be no greater): 2147483647

Your Python command is printing 1201 bytes.

$ python3 -c "print('\xaa' * 600)" | wc -c
    1201

'\\xaa' is printed as 2 bytes using UTF-8 encoding, and it ends with a newline. The newline is removed by $(...), but argv[1] is still 1200 bytes.

Add

printf("%zu\n", strlen(argv[1]));   /* strlen() returns size_t, so use %zu */

to the program to confirm this.
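The length mismatch described in this answer, modelled as an added example (not code from the question or the answer): it reproduces what print() hands to $(...) under a UTF-8 locale and checks whether strcpy() into the 1024-byte buffer would write past its end. The locale encoding and the helper names are assumptions.

```python
# Added example: why print('\xaa' * 600) yields 1200 bytes in argv[1].
BUFFER_SIZE = 1024  # char buffer[1024] in bowfunc()


def argv_bytes(text: str, encoding: str = "utf-8") -> bytes:
    """Bytes that $(python3 -c "print(text)") places in argv[1].

    print() appends a newline and encodes with the locale encoding
    (assumed UTF-8 here, as in the question); the shell's $(...)
    strips trailing newlines but leaves every other byte in place.
    """
    encoded = (text + "\n").encode(encoding)
    return encoded.rstrip(b"\n")


def strcpy_fits(payload: bytes, buffer_size: int = BUFFER_SIZE) -> bool:
    """True if strcpy() of payload stays inside the buffer.

    strcpy() copies the bytes plus one NUL terminator, so the write
    overruns as soon as len(payload) + 1 exceeds the buffer size.
    (An overrun of a few bytes need not crash; a large one, as in
    the question, clobbers the return address and does.)
    """
    return len(payload) + 1 <= buffer_size


def bytes_per_char(ch: str, encoding: str = "utf-8") -> int:
    """How many bytes one repeated character costs after encoding."""
    return len(ch.encode(encoding))


if __name__ == "__main__":
    # Constructed inputs matching the question's 500..600 range.
    for count in (500, 600):
        p = argv_bytes("\xaa" * count)
        print(count, "chars ->", len(p), "bytes, fits:", strcpy_fits(p))
    # A bytes literal written to sys.stdout.buffer would be 1 byte/char.
    print("raw bytes:", len(b"\xaa" * 600), "bytes")
```

Under a single-byte locale such as latin-1 the same command would produce only 600 bytes, which is why results differ between systems.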
