current community

your communities

more stack exchange communities

Stack Exchange
tour help
stack overflow careers
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 39 down vote favorite
10
 
int func(char *str){
   char buffer[100];
   unsigned short len = strlen(str);

   if(len >= 100){
        return -1;
   }

   strncpy(buffer,str,strlen(str));
   return 0;
}

This code is vulnerable to a buffer overflow attack, and I'm trying to figure out why. I'm thinking it has to do with len being declared a short instead of an int, but I'm not really sure.

Any ideas?

share|improve this question
2  
There are multiple issues with this code. Recall that C strings are null-terminated. –  Dmitri Chubarov yesterday
3  
@DmitriChubarov, not null terminating the string will be a problem only if the string is used after the call to strncpy. In this case, it is not. –  R Sahu yesterday
18  
The problems in this code flow directly from the fact that strlen is calculated, used for the validity check, and then it is absurdly calculated again -- it's a DRY failure. If the second strlen(str) were replaced with len, there would be no possibility of buffer overflow, regardless of the type of len. The answers don't address this point, they just manage to avoid it. –  Jim Balter yesterday
1  
@RSahu What happens to strlen if the string is not NUL-terminated? –  CiaPan 21 hours ago
2  
@CiaPan: Wenn passing a not null-terminated string to it, strlen will show undefined behavior. –  Kaiserludi 20 hours ago

5 Answers 5

up vote 63 down vote accepted

On most compilers the maximum value of an unsigned short is 65535.

Any value above that gets wrapped around, so 65536 becomes 0, and 65600 becomes 65.

This means that long strings of the right length (e.g. 65600) will pass the check, and overflow the buffer.

Use size_t to store the result of strlen(), not unsigned short, and compare len to an expression that directly encodes the size of buffer. So for example:

char buffer[100];
size_t len = strlen(str);
if (len >= sizeof(buffer) / sizeof(buffer[0]))  return -1;
strncpy(buffer, str, len);
share|improve this answer
1  
@PatrickRoberts Theoretically, yes. But you have to keep in mind that 10% of the code is responsible for 90% of the runtime, so you shouldn't let performance go before security. And keep in mind that over time the code changes, which can suddenly mean that the previous check is gone. –  orlp yesterday
1  
To prevent buffer overflow, simply use len as the third argument of strncpy. Using strlen again is dumb in any case. –  Jim Balter yesterday
1  
"strncpy(buf, str, strlen(str)) does exactly the same as strcpy(buf, str)" -- no it doesn't; strncpy doesn't NUL-terminate (and does NUL-pad). –  Jim Balter yesterday
11  
/ sizeof(buffer[0]) -- note that sizeof(char) in C is always 1 (even if a char contains a gazillion bits) so that's superfluous when there's no possibility of using a different data type. Still ... kudos for a complete answer (and thanks for being responsive to comments). –  Jim Balter yesterday
2  
@rr-: char[] and char* are not the same thing. There are many situations in which a char[] will get implicitly converted into a char*. For example, char[] is exactly the same as char* when used as the type for function arguments. However, the conversion does not happen for sizeof(). –  Dietrich Epp yesterday
up vote 13 down vote

The problem is here:

strncpy(buffer,str,strlen(str));
                   ^^^^^^^^^^^

If the string is greater than the length of the target buffer, strncpy will still copy it over. You are basing the number of characters of the string as the number to copy instead of the size of the buffer. The correct way to do this is as follows:

strncpy(buffer,str, sizeof(buff) - 1);
buffer[sizeof(buff) - 1] = '\0';

What this does is limit the amount of data copied to the actual size of the buffer minus one for the null terminating character. Then we set the last byte in the buffer to the null character as an added safeguard. The reason for this is because strncpy will copy upto n bytes, including the terminating null, if strlen(str) < len - 1. If not, then the null is not copied and you have a crash scenario because now your buffer has a unterminated string.

Hope this helps.

EDIT: Upon further examination and input from others, a possible coding for the function follows:

int func (char *str)
  {
    char buffer[100];
    unsigned short size = sizeof(buffer);
    unsigned short len = strlen(str);

    if (len > size - 2) return(-1);
    memcpy(buffer, str, len + 1);
    buffer[size - 1] = '\0';
    return(0);
  }

Since we already know the length of the string, we can use memcpy to copy the string from the location that is referenced by str into the buffer. Note that per the manual page for strlen(3) (on a FreeBSD 9.3 system), the following is stated:

 The strlen() function returns the number of characters that precede the
 terminating NUL character.  The strnlen() function returns either the
 same result as strlen() or maxlen, whichever is smaller.

Which I interpret to be that the length of the string does not include the null. That is why I copy len + 1 bytes to include the null, and the test checks to make sure that the length < size of buffer - 2. Minus one because the buffer starts at position 0, and minus another one to make sure there's room for the null.

share|improve this answer
2  
True, but that is beyond of scope of the question. The code clearly shows the function being passed a char pointer. Outside of the scope of the function, we don't care. –  Daniel Rudy yesterday
    
" the buffer in which str is stored" -- that's not a buffer overflow, which is the issue here. And every answer has that "problem", which is unavoidable given the signature of func ... and every other C function ever written that takes NUL-terminated strings as arguments. Bringing up the possibility of the input not being NUL-terminated is completely clueless. –  Jim Balter yesterday
    
"that is beyond of scope of the question" -- which sadly is beyond the ability of some people to comprehend. –  Jim Balter yesterday
    
"The problem is here" -- you're right, but you're still missing the key issue, which is that the test (len >= 100) was done against one value but the length of the copy was given a different value ... this is a violation of the DRY principle. Simply calling strncpy(buffer, str, len) avoids the possibility of buffer overflow, and does less work than strncpy(buffer,str,sizeof(buffer) - 1) ... although here it is just a slower equivalent to memcpy(buffer, str, len). –  Jim Balter yesterday
    
@JimBalter It is beyond the scope of the question, but I digress. I understand that the values used by the test and what is used in strncpy are two different ones. However, general coding practice says that the copy limit should be sizeof(buffer) - 1 so it doesn't matter what the length of str is on the copy. strncpy will stop copying bytes when it either hits a null or copies n bytes. The next line guarantees that the last byte in the buffer is a null char. The code is safe, I stand by my previous statement. –  Daniel Rudy yesterday
up vote 5 down vote

Even though you're using strncpy, the length of the cutoff is still dependent on the passed string pointer. You have no idea how long that string is (the location of the null terminator relative to the pointer, that is). So calling strlen alone opens you up to vulnerability. If you want to be more secure, use strnlen(str, 100).

Full code corrected would be:

int func(char *str) {
   char buffer[100];
   unsigned short len = strnlen(str, 100); // sizeof buffer

   if (len >= 100) {
     return -1;
   }

   strcpy(buffer, str); // this is safe since null terminator is less than 100th index
   return 0;
}
share|improve this answer
    
@user3386109 Wouldn't strlen also then access past the end of the buffer? –  Patrick Roberts yesterday
    
orlp's answer is right. I don't think this answer adds anything, and could be removed. This answer overlooks the fact that the OP's code is attempting to check the length of the string. A complete answer should explain why that check does not work. –  David Grayson yesterday
1  
@user3386109 what you're pointing out makes orlp's answer just as invalid as mine. I fail to see why strnlen doesn't solve the problem if what orlp is suggesting is supposedly correct anyway. –  Patrick Roberts yesterday
    
"I don't think strnlen solves anything here" -- of course it does; it prevents overflowing buffer. "since str could point to a buffer of 2 bytes, neither of which is NUL." -- that's irrelevant, as it is true of any implementation of func. The question here is about buffer overflow, not UB because the input isn't NUL-terminated. –  Jim Balter yesterday
    
"The second parameter passed to strnlen must be the size of the object that the first parameter points to, or strnlen is worthless" -- this is complete and utter nonsense. If the second argument to strnlen is the length of the input string, then strnlen is equivalent to strlen. How would you even obtain that number, and if you had it, why would you need to call str[n]len? That's not what strnlen is for at all. –  Jim Balter yesterday
up vote 2 down vote

The answer with the wrapping is right. But there is a problem I think was not mentioned if(len >= 100)

Well if Len would be 100 we'd copy 100 elements an we'd not have trailing \0. That clearly would mean any other function depending on proper ended string would walk way beyond the original array.

The string problematic from C is IMHO unsolvable. You'd alway better have some limits before the call, but even that won't help. There is no bounds checking and so buffer overflows always can and unfortunately will happen....

share|improve this answer
    
The string problematic is solvable: just use the appropriate functions. I. e. not strncpy() and friends, but the memory allocating functions like strdup() and friends. They are in the POSIX-2008 standard, so they are fairly portable, though not available on some proprietary systems. –  cmaster yesterday
    
"any other function depending on proper ended string" -- buffer is local to this function and isn't used elsewhere. In a real program we would have to examine how it is used ... sometimes not NUL-terminating is correct (the original use of strncpy was to create UNIX's 14 byte directory entries -- NUL-padded and not NUL-terminated). "The string problematic from C is IMHO unsolvable" -- while C is a gawdawful language that has been surpassed by far better technology, safe code can be written in it if enough discipline is used. –  Jim Balter yesterday
    
Your observation seems to me misguided. if (len >= 100) is the condition for when the check fails, not when it passes, which means there is not a case where exactly 100 bytes with no NUL terminator is copied over, as that length is included in the fail condition. –  Patrick Roberts yesterday
    
Patrick is right, I'm wrong. –  Friedrich yesterday
    
@ cmaster. In this case you are wrong. It is not solvable, because one always can write beyoned the bounds. Yes it's undefiened behaviour but there is not way to prevent it completely. –  Friedrich yesterday
up vote 2 down vote

Beyond the security issues involved with calling strlen more than once, one should generally not use string methods on strings whose length is precisely known [for most string functions, there's only a really narrow case where they should be used--on strings for which a maximum length can be guaranteed, but the precise length isn't known]. Once the length of the input string is known and the length of the output buffer is known, one should figure out how big a region should be copied and then use memcpy() to actually perform the copy in question. Although it's possible that strcpy might outperform memcpy() when copying a string of only 1-3 bytes or so, on many platforms memcpy() is likely to be more than twice as fast when dealing with larger strings.

share|improve this answer
    
Can you please explain the security issues involved with calling strlen more than once? –  Bogdan Alexandru 34 mins ago

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.