Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Description

A buffer overflow condition exists when a product attempts to put more data in a buffer than it can hold, or when it attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the "classic" case in which the product copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

The following code asks the user to enter their last name and then attempts to store the value entered in the last_name array.

char last_name[20];
printf ("Enter your last name: ");
scanf ("%s", last_name);

The problem with the code above is that it does not restrict or limit the size of the name entered by the user. If the user enters "Very_very_long_last_name" which is 24 characters long, then a buffer overflow will occur since the array can only hold 20 characters total.

Example Two

The following code attempts to create a local copy of a buffer to perform some manipulations to the data.

void manipulate_string(char * string){
  char buf[24];
  strcpy(buf, string);
  ...
}

However, the programmer does not ensure that the size of the data pointed to by string will fit in the local buffer and copies the data with the potentially dangerous strcpy() function. This may result in a buffer overflow condition if an attacker can influence the contents of the string parameter.

Example Three

The code below calls the gets() function to read in data from the command line.

char buf[24];
  printf("Please enter your name and press <Enter>\n");
  gets(buf);
  ...
}

However, gets() is inherently unsafe, because it copies all input from STDIN to the buffer without checking size. This allows the user to provide a string that is larger than the buffer size, resulting in an overflow condition.

Example Four

In the following example, a server accepts connections from a client and processes the client request. After accepting a client connection, the program will obtain client information using the gethostbyaddr method, copy the hostname of the client that connected to a local variable and output the hostname of the client to a log file.

...

  struct hostent *clienthp;
  char hostname[MAX_LEN];

  // create server socket, bind to server address and listen on socket
  ...

  // accept client connections and process requests
  int count = 0;
  for (count = 0; count < MAX_CONNECTIONS; count++) {


    int clientlen = sizeof(struct sockaddr_in);
    int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen);

    if (clientsocket >= 0) {

      clienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET);
      strcpy(hostname, clienthp->h_name);
      logOutput("Accepted client connection from host ", hostname);

      // process client request
      ...
      close(clientsocket);

    }

  }
  close(serversocket);


...

However, the hostname of the client that connected may be longer than the allocated size for the local hostname variable. This will result in a buffer overflow when copying the client hostname to the local variable using the strcpy method.

Secure Development

Cloud Architecture

Project Consulting

Common Weaknesses

OWASP Top Ten

Contact Us

Office Locations