Possible buffer overruns?

[Nephi Immortal]

When you place a string between two quote marks in the function’s
parameter, how many characters should be limited? The character
length should be 256.

For example

void Test( char* text ) { …. }

Test( “0123456789” );

If character length is to be 512, 1024, or 4096, string is too big to
fit into the stack.

If anyone plants virus program into memory, it is possible to cause
that buffer overruns unless null terminator is overwritten with new
character value.

The condition is shown *ptr != ‘\0’ is unsafe. More safe condition
should be added. If buffer goes past overwritten null terminator,
buffer overruns can be avoided with limited character garbages.

char A[ 256 ] =
"0123456789";


int main()
{
const int BUFFER_SIZE = 256;

char B [ 256 ];

int index = 0;

do
{
B[ index ] = A[ index ];
++index;
}
while( index < BUFFER_SIZE - 1 && A[ index ] != '\0' ); // safe
// while(A[ index ] != '\0' ); // unsafe


B[ index ] = '\0';

return 0;
}

 

[Nephi Immortal]

(e-mail address removed):

When you place a string between two quote marks in the function’s
parameter, how many characters should be limited?  The character
length should be 256.

For example

void Test( char* text ) { …. }

Test( “0123456789” );

If character length is to be 512, 1024, or 4096, string is too big to
fit into the stack.

If anyone plants virus program into memory, it is possible to cause
that buffer overruns unless null terminator is overwritten with new
character value.

The condition is shown *ptr != ‘\0’ is unsafe.  More safe condition
should be added.  If buffer goes past overwritten null terminator,
buffer overruns can be avoided with limited character garbages.

char A[ 256 ]      "0123456789";

int main()
{
     const int BUFFER_SIZE = 256;

     char B [ 256 ];

     int index = 0;

     do
     {
          B[ index ] = A[ index ];
          ++index;
     }
     while( index < BUFFER_SIZE - 1 && A[ index ] != '\0' ); //safe
//     while(A[ index ] != '\0' ); // unsafe

     B[ index ] = '\0';

     return 0;
}

You are solving an unexisting problem (at least in comp.lang.c++).

#include <string>

std::string a("0123456789");

int main() {
        std::string b = a; // safe

}

Extra bonus: you can have very large strings, no stack overflow with a
std::string.

std::string's data members (including base pointer and size) are
allocated into stack, but string allocates any number of bytes into
heap. String has no big deal, but I talk about traditional C string.
You need to take care to limit the number of characters because it
does not know the length until reaching null terminator.

std::string( "0123456789", 10 ) is both C string and C++ string.
"0123456789" including null terminator in string constructor is C
string and it is always pushed into stack before main function begins
and pop out after main function ends. string constructor ignores null
terminator unless length is included in the function parameter. It
allocates 10 bytes into heap before each character is copied from
stack to heap.

If you show std::string( "0123456789" ) instead of
std::string( "0123456789", 10 ), how can string constructor copy more
than ten characters unless null terminator is overwritten with any
character value in memory by virus program and until finding null
terminator before garbage characters are copied?

 

[Nephi Immortal]

(e-mail address removed):




No. The string literal is placed in a data segment in the compiled
executable and is not copied anywhere from there without the program's
consent.


You are talking nonsense.



The evil virus cannot overwrite the null terminator as in a typical
implementation the string literal is placed in a read-only memory
segment.

Also, you have the virus functionality backwards - the buffer overrun
exploit first attempts to snigger in a too large string which does not
fit into buffer, and gain access via that. In your scenario virus has
already gained access and then trying to enlarge the string by deleting a
zero terminator - this is backwards.

if the code shows below,

int main()
{
const char* A = "0123456789"; // store in stack
const char B[ 10 + 1 ] = "0123456789"; // store in stack
static const char C[] = "0123456789"; // store in data segment

return 0;
}

then do both A and B store 11 characters into stack and C into data
segment?

If you say data segment, then it should look like this below

void foo( "0123456789" ); // store string in data segment

// global scope
const char X[] = "0123456789"; // store string in stack?

struct bar
{
static const char N[];
}

const char bar::N[] = "0123456789"; // store string in data segment

You mentioned that data segment is read only. Can separate data
segment be read/write unless string is non-constant?

 

[Juha Nieminen]

When you place a string between two quote marks in the function???s
parameter, how many characters should be limited? The character
length should be 256.

For example

void Test( char* text ) { ???. }

Test( ???0123456789??? );

If character length is to be 512, 1024, or 4096, string is too big to
fit into the stack.

What a load of BS. When you call 'Test()' above, the only thing that
gets put onto the stack is one pointer.