Skip to content

Buffer overflow

Buffer overflow is a type of vulnerability that occurs when a program writes more data to a buffer than it is designed to hold. This can cause the buffer to overflow and overwrite adjacent memory, potentially allowing an attacker to execute arbitrary code or crash the program.

Here is a simple example of a buffer overflow vulnerability in C:

#include <string.h>
int main(int argc, char *argv[])
{
    char buffer[8];
    strcpy(buffer, argv[1]);
    return 0;
}

This program has a buffer of size 8, but it uses the strcpy function to copy an argument from the command line into the buffer without checking the size of the argument first. If the argument is longer than 8 characters, it will cause the buffer to overflow and overwrite adjacent memory.

To exploit this vulnerability, an attacker could provide a long string as an argument, which would be copied into the buffer and then overflow into adjacent memory. This could allow the attacker to execute arbitrary code or crash the program.

To prevent buffer overflow vulnerabilities, it is important to use functions that check the size of the input and ensure that it does not exceed the size of the buffer. In the example above, the strncpy function could be used instead of strcpy to specify the maximum number of characters to copy. It is also a good idea to use compile-time protections such as stack canaries and address space layout randomization (ASLR).

There are main 2 types of buffer overflow:

  1. Stack Overflow
  2. Heap Buffer Overflow

Stack Overflow

Stack overflow is a type of runtime error that occurs when a program attempts to push more data onto the stack than the stack is able to hold. The stack is a region of memory used to store a program's local variables and function call information.

In C and C++, stack overflow can occur when a function recurses too deeply or when a large array is declared on the stack. It can also occur when a program uses a buffer overflow vulnerability to overflow the stack and overwrite adjacent memory.

Here is an example of a stack overflow in C:

#include <stdio.h>

void recurse(int depth)
{
    char buffer[1024];  // declare a large array on the stack
    recurse(depth + 1); // recurse indefinitely
}

int main(int argc, char *argv[])
{
    recurse(0);
    return 0;
}

In this example, the recurse function calls itself indefinitely, causing the stack to grow larger and larger with each recursive call. Eventually, the stack will overflow, and the program will crash.

To prevent stack overflow, it is important to avoid recursing too deeply and to use heap-allocated memory instead of stack-allocated memory for large data structures. It is also a good idea to use compile-time protections such as stack canaries and address space layout randomization (ASLR).

Heap overflow is a type of vulnerability that occurs when a program writes more data to the heap than it is designed to hold. The heap is a region of memory that is used for dynamic memory allocation, which means that it is used to allocate memory at runtime for data structures that are created and destroyed during the execution of a program.

Heap overflows can occur when a program uses a buffer overflow vulnerability to overflow a heap-allocated buffer and overwrite adjacent memory. They can also occur when a program frees a block of memory and then reuses it without properly initializing it, allowing an attacker to write arbitrary data to the freed memory.

Here is an example of a heap overflow in C:

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
char *buffer = malloc(8);  // allocate a buffer on the heap
strcpy(buffer, argv[1]);   // copy an argument from the command line into the buffer
free(buffer);              // free the buffer
strcpy(buffer, argv[2]);   // reuse the freed buffer without initializing it
return 0;
}

In this example, the program uses the malloc function to allocate a buffer on the heap and then uses the strcpy function to copy an argument from the command line into the buffer. It then frees the buffer using the free function but then reuses the freed buffer without initializing it. If the second argument is longer than 8 characters, it will cause the buffer to overflow and overwrite adjacent memory on the heap.

To prevent heap overflow vulnerabilities, it is important to use functions that check the size of the input and ensure that it does not exceed the size of the buffer. In the example above, the strncpy function could be used instead of strcpy to specify the maximum number of characters to copy. It is also a good idea to use heap allocators that include additional security features such as heap metadata randomization and use-after-free detection.

Potentially vulnerable functions in C

  • printf()
  • sprintf()
  • strcat()
  • strcpy()
  • gets()