On Tue, 27 Jul 1999, venu wrote:
> >The more I think about it, the following is better.
> >No more buffer overflow problem.
>   ~~~~~~~~~~~~~~~~
>
> have heard lots about it in security bulletins ...
> what is a buffer overflow ? and how does it appear in code ?
In C, you (almost) always have to declare beforehand how big your data structures are going to be. So, let's say you're writing a program, and you decide a char array will have 10 elements to hold user input. It looks something like this using a box diagram:

[ ][ ][ ][ ][ ][ ][ ][ ][ ][ ]

So, what happens if someone enters "abcdefghijklmno" and you don't check the length?

[a][b][c][d][e][f][g][h][i][j] k l m n o

C doesn't care that there isn't room in your array for k, l, m, n, or o; it just happily overwrites whatever was there. This is the buffer overrun. If the part that was overwritten was part of your program that was supposed to be executed later on, whatever "klmno" means as machine code will be executed instead! "klmno" probably would just make the program crash, but by overrunning the buffer with the right characters a cracker can convince the program to do anything [s]he wants! If the overwritten data was the return address for a call, the program will jump to some random (or not-so-random) spot in memory, which again lets the cracker do just about anything if planned properly. If the overwritten memory was the string used for a system() call, the cracker can have the program run any shell command with the privileges of that process (suid copies of sh anyone?).
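The following C program is an added illustration of the reply above; it is not code from the original message or from anyone on the list. It puts the 10-element buffer and the "abcdefghijklmno" input from the reply next to a length-checked copy. The names (region, copy_unchecked, copy_checked, neighbour) and the trick of modelling the buffer and the bytes that sit after it as one flat array are this example's own assumptions, chosen so that the overrun can be watched without crashing the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post. The reply's 10-element
 * char array is modelled as the first BUF_LEN bytes of one flat array;
 * the NEXT_LEN bytes after it stand for whatever the compiler happened to
 * place next to the buffer (another variable, a saved return address, the
 * string handed to system(), ...). Keeping both inside a single array lets
 * the overrun be observed as well-defined C instead of crashing the demo;
 * a real program has no such array and the writes simply land on whatever
 * its neighbours are. */
#define BUF_LEN    10
#define NEXT_LEN    8
#define REGION_LEN (BUF_LEN + NEXT_LEN)

struct region {
    char mem[REGION_LEN];
};

/* Fill the whole region with '.' so every byte the copy touches is visible. */
static void region_init(struct region *r)
{
    memset(r->mem, '.', REGION_LEN);
}

/* The bytes that live just after the buffer, as a C string. */
static const char *neighbour(const struct region *r)
{
    return r->mem + BUF_LEN;
}

/* The bug from the reply: copy until the terminating NUL without ever
 * asking whether the 10-byte buffer is big enough. This is exactly what
 * strcpy() or gets() do. Returns how many bytes spilled past the buffer.
 * (The REGION_LEN check exists only to keep this model in bounds; the
 * real bug has no limit at all.) */
static size_t copy_unchecked(struct region *r, const char *input)
{
    size_t i = 0;
    while (input[i] != '\0' && i < REGION_LEN - 1) {
        r->mem[i] = input[i];
        i++;
    }
    r->mem[i] = '\0';                       /* the terminator spills too */
    return (i + 1 > BUF_LEN) ? (i + 1 - BUF_LEN) : 0;
}

/* The fix: measure first, refuse input that cannot fit together with its
 * NUL terminator, and only then copy. Returns 0 on success and -1 when the
 * input was refused; nothing outside the buffer is touched either way. */
static int copy_checked(struct region *r, const char *input)
{
    size_t n = strlen(input);
    if (n >= BUF_LEN)
        return -1;
    memcpy(r->mem, input, n + 1);
    return 0;
}

int main(void)
{
    struct region r;
    const char *input = "abcdefghijklmno";  /* the 15-char input from the reply */

    region_init(&r);
    size_t spilled = copy_unchecked(&r, input);
    printf("unchecked: %zu byte(s) written past the buffer; "
           "the neighbour now holds \"%s\"\n", spilled, neighbour(&r));

    region_init(&r);
    if (copy_checked(&r, input) < 0)
        printf("checked:   input of %zu chars refused; "
               "the neighbour still holds \"%.*s\"\n",
               strlen(input), NEXT_LEN, neighbour(&r));
    return 0;
}
```

With the unchecked copy, the six bytes "klmno" plus the terminator land in the neighbour region, which is the reply's "klmno" ending up in a return address or a system() string; with the checked copy the over-long input is refused and the neighbour is left exactly as it was. Truncating instead of refusing (for example with snprintf into a buffer of BUF_LEN) is the other common fix, but it silently changes the user's input, so refusing is the safer default when the caller can report an error.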