------- Comment #10 from pinskia at gcc dot gnu dot org  2006-07-11 05:25 
-------
(In reply to comment #8)

> Actually it won't come from 1000 lines before.  It'll go like this:
> 
> int vuln(char *s, int len) {
>   char a[10];
>   char b[20];
> 
>   a[0] = 0;
>   strcpy(a, "str: ");
>   strcat(a, s);
>   return strlen(a);
> }

That is just a simple (obvious) example; you seem not to understand what real
code looks like.  You might instead have:

int f(int a, int b)
{
  int f[10];
.....
  f[a] = 1;
....
  return f[b];
}

Where you know that a should be between 0 and 9 but, coming into the function,
it is not, so the value of a is wrong and you have to track down why that is,
which can be a million lines of execution before the call to f.  This is a stack
smashing bug also, yes, a less common one than the obvious ones which you showed,
but it is still going to happen.  The obvious ones are easy to find in an audit
of the code, unlike this one.  You can add asserts to the function but that
will produce as much useful info as the info you want from the stack smasher.
It is only useful for starting to debug the program, and even then you get the
information just as quickly from the debugger.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28328
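The two failure modes discussed in this comment, as an added example that is not part of the bug report or of any commenter's code. It contrasts a checked rewrite of the indexed-write function f() and of the strcpy() case with a simulation of what a stack canary observes. Names (f_checked, simulate_canary_frame, describe_checked, F_LEN, CANARY) and the fixed frame layout are assumptions made for illustration; the canary write is kept inside a larger byte array so the program has defined behaviour and can be run as-is.

```c
#include <stdio.h>
#include <string.h>

enum { F_LEN = 10 };            /* assumed size of the f[10] array in the comment */
#define CANARY 0xDEADBEEFu      /* assumed canary value for the simulation */

/* Checked version of f(): returns f[b] on success, -1 if a is out of range,
 * -2 if b is out of range.  On failure *bad_index receives the offending value,
 * which is exactly what a "stack smashing detected" abort does not tell you. */
int f_checked(int a, int b, int *bad_index)
{
    int f[F_LEN];
    memset(f, 0, sizeof f);
    if (a < 0 || a >= F_LEN) {
        if (bad_index) *bad_index = a;
        return -1;
    }
    if (b < 0 || b >= F_LEN) {
        if (bad_index) *bad_index = b;
        return -2;
    }
    f[a] = 1;
    return f[b];
}

/* Simulate what -fstack-protector sees for f[a] = 1: a fixed-layout frame
 * holding f[F_LEN] followed by a canary word.  Returns 0 if the canary is
 * intact, 1 if it was overwritten ("stack smashing detected"), -1 if the
 * write would leave the simulated frame entirely.  Note the result carries
 * no information about which index was wrong or where a came from. */
int simulate_canary_frame(int a)
{
    unsigned char frame[F_LEN * sizeof(int) + sizeof(unsigned)];
    unsigned canary = CANARY;
    int one = 1;
    size_t off;

    memset(frame, 0, sizeof frame);
    memcpy(frame + F_LEN * sizeof(int), &canary, sizeof canary);

    if (a < 0)
        return -1;
    off = (size_t)a * sizeof(int);
    if (off + sizeof one > sizeof frame)
        return -1;

    memcpy(frame + off, &one, sizeof one);                 /* f[a] = 1 */
    memcpy(&canary, frame + F_LEN * sizeof(int), sizeof canary);
    return canary == CANARY ? 0 : 1;
}

/* Checked version of the strcpy/strcat case: builds "str: <s>" into dst
 * without running past dstlen.  Returns the length written, -1 on a
 * formatting error, -2 if the input did not fit (output truncated). */
int describe_checked(const char *s, char *dst, size_t dstlen)
{
    int n = snprintf(dst, dstlen, "str: %s", s);
    if (n < 0)
        return -1;
    if ((size_t)n >= dstlen)
        return -2;
    return n;
}

int main(void)
{
    int bad = 0;
    char buf[10];

    printf("f_checked(3, 3)  = %d\n", f_checked(3, 3, &bad));
    printf("f_checked(10, 0) = %d (bad index %d)\n", f_checked(10, 0, &bad), bad);
    printf("canary, a=9  -> %d\n", simulate_canary_frame(9));
    printf("canary, a=10 -> %d\n", simulate_canary_frame(10));
    printf("describe \"abc\" -> %d\n", describe_checked("abc", buf, sizeof buf));
    printf("describe long  -> %d\n", describe_checked("much too long", buf, sizeof buf));
    return 0;
}
```

The point of the pairing is the one the comment makes: the canary simulation reports only "smashed" for a == 10, while f_checked reports the bad index itself, which is the value you then have to trace back through the caller.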