Fog Creek Software
Discussion Board
Buffer Overflow and Bounds Checking

What is buffer overflow? and how can one check that you are not overflowing your buffers?  Also what the heck is bounds checking?  Why are these such security risks?

Herman
Sunday, August 08, 2004

You mean it's 2004 and buffers are still overflowing?  Boy aren't we advanced.

Mr. Troll To You
Sunday, August 08, 2004

You can use java and then you won't be overflowing your buffers.  If you don't know what these are and you can't use google to figure it out then you shouldn't be programming in languages that allow you to overflow buffers

name withheld out of cowardice
Sunday, August 08, 2004

I don't know how to overflow buffers either. The only way I can imagine is like ...

#include <string.h>

void foo(const char* a_string)
{
  char buffer[60];
  strcpy(buffer, a_string);  /* copies up to the NUL in a_string, no matter how far away that is */
  /* ... etc ... */
}

... but given that buffer overflows are said to be so commonplace, there must be some other way to do it.

Christopher Wells
Sunday, August 08, 2004

A buffer is a big bucket where all your data goes. If it develops a hole then some of your data will pour out and be lost. (Note: you may recover your data from a memory "pool" subsystem, but without that your data will be lost, but do no harm.) Bounds checking involves a quick scan of the "bucket" to see if there are any "holes" where it could "overflow".

Please post your teacher's marks - I'd like to know how I did.

(On the rather unlikely chance that you're actually not just asking us to do your homework, please post the reason why you didn't spend five minutes with a search engine looking it up yourself. Hell, I don't care if it's homework or not - why be so lazy?)

thank you for using DoMyHomeworkForMe.com
Sunday, August 08, 2004

Is this not a place to strike up a conversation?

Yes or No?
Sunday, August 08, 2004

Christopher Wells --

Weren't you the guy who was going off about the usefulness of pointers in the other thread?  If you are so pointer happy then I would think you would know a bit more about how buffer overflows are exploited...

That foo function is a good example... since there is no way for the function to know how long a_string is.  There should be an assert there at the very least.

It could start out with a_string being a fixed length at compile time, but then someone else might need to use foo and call it on user input -- BAM.  Whenever you have user input (over a network, especially) and you use fixed length buffers, you have the possibility of a buffer overflow if you don't check the length of the input.

As I understand it the most common way is for them to write just enough data to get to the return instruction of a  function, and then trash that instruction with a jump to somewhere else in the buffer, where they have written some code to take over your machine.

This is why some processors have a "no execute" flag.  This prevents someone from writing arbitrary instructions into memory and running them.  If that section of memory is for data only then the CPU won't execute the data as instructions.

Roose
Sunday, August 08, 2004
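What "check the length of the input" looks like for the foo() posted above, as an added example that is not code from any poster in this thread: the copy takes the destination's size, scans the input only within that bound, and refuses anything that would not fit (the 60-byte buffer, the helper names and the 256-byte experiment limit are this example's own assumptions).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 60   /* same fixed size as the thread's foo() */

/* Length of src within its first `limit` bytes; the scan itself never runs past
 * the caller's bound, so an unterminated input cannot make us read off the end. */
static size_t bounded_length(const char *src, size_t limit) {
    size_t n = 0;
    while (n < limit && src[n] != '\0') n++;
    return n;
}

/* The bounds check: copy src into dst only if it fits, terminator included.
 * On failure dst is left untouched and the caller decides what to do. */
bool copy_checked(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    size_t n = bounded_length(src, dst_size);
    if (n == dst_size) return false;          /* no room for the NUL */
    memcpy(dst, src, n + 1);
    return true;
}

/* foo() from the thread with the check strcpy never did: input that would not
 * fit in buffer[60] is rejected instead of being written past its end. */
bool foo_checked(const char *a_string) {
    char buffer[BUF_SIZE];
    if (!copy_checked(buffer, sizeof buffer, a_string)) return false;
    /* ... etc ... (the rest of foo's work on buffer goes here) */
    return true;
}

/* Experiment helper: constructed input of n 'A's; does foo_checked accept it? */
bool accepts_name_of_length(size_t n) {
    char input[256];
    if (n >= sizeof input) return false;
    memset(input, 'A', n);
    input[n] = '\0';
    return foo_checked(input);
}

int main(void) {
    size_t lengths[] = {0, 59, 60, 200};
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("%3zu chars: %s\n", lengths[i],
               accepts_name_of_length(lengths[i]) ? "accepted" : "rejected");
    return 0;
}
```

Fifty-nine characters plus the terminator is the most buffer[60] can hold, so 59 is accepted and 60 is not; the same copy_checked() works for a heap buffer of any size as long as the caller passes the size it actually allocated.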

> Weren't you the guy who was going off about the usefulness of pointers in the other thread?

I was.

> If you are so pointer happy then I would think you would know a bit more about how buffer overflows are exploited.

You're right about how they're exploited; I said I don't know how they're caused, other than my one example.

> That foo function is a good example...

Any other examples? Or are all buffer overflows caused by exactly this: using strcpy on a fixed-length buffer (or using strncpy and forgetting to null-terminate the result)?

> Whenever you have user input (over a network, especially) and you use fixed length buffers, you have the possibility of a buffer overflow if you don't check the length of the input

And I suppose that if you use variable-length buffers, you (or your string class) must still check the length of the input (to know how large a buffer you must allocate).

Christopher Wells
Sunday, August 08, 2004

> Why are these such security risks?

Imagine that a function like my foo() above was used by your email reader to process the "from" line of the emails you receive ... written like this with a fixed-length buffer because, to give a fictional example, the internet standard for emails says that the from line MUST be shorter than 60 characters.

So I (a cracker) send you an email, whose "from" line contains:

1) A random name
2) spaces to pad it to 60 characters
3) A number which contains the address of the beginning of code described in 4
4) Machine code for whatever code I'd like to run ... dynamic load a system DLL and call a function to delete your hard-drive ... or to send me via return email the contents of your address book ... or anything.

Christopher Wells
Sunday, August 08, 2004

Buffer overflows can occur pretty much anywhere that a buffer is used if the developer isn't careful enough...  Here are a couple of less obvious examples borrowed from a good MSDN article on the subject ( http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure04102003.asp )

#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char byte;     /* the Windows typedefs the article's code assumes */
typedef unsigned long DWORD;    /* 32-bit unsigned on Windows */

/* Example 1 (each example is its own snippet; both happen to be named func).
   The size check is done on signed ints, so a negative len1 or len2 passes it
   and then becomes a huge size_t inside strncpy/strncat; strncpy also leaves
   buf unterminated when s1 has no NUL within its first len1 characters, and
   `if (buf)` on a stack array is always true. */
bool func(char *s1, int len1,
          char *s2, int len2) {

  char buf[128];

  if (1 + len1 + len2 > 128)
      return false;

  if (buf) {
      strncpy(buf,s1,len1);
      strncat(buf,s2,len2);
  }

  return true;
}

/* Example 2. cbBuf is narrowed from 32 bits to a 16-bit unsigned short before
   the malloc, so the allocation can be far smaller than the cbBuf bytes that
   memcpy then writes into it. */
bool func(byte *name, DWORD cbBuf) {
  unsigned short cbCalculatedBufSize = cbBuf;
  byte *buf = (byte*)malloc(cbCalculatedBufSize);
  if (buf) {
      memcpy(buf, name, cbBuf);
      // do stuff with buf
      if (buf) free(buf);
      return true;
  }

  return false;
}

r1ch
Sunday, August 08, 2004
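Corrected versions of the two MSDN functions, as an added example that is neither the article's nor the poster's code: sizes are unsigned, the two lengths are compared separately so no sum can wrap, the result is always terminated, and the heap size keeps one width from the check through to the memcpy (the function names, len_within(), narrowed_size() and the 4096-byte cap are this example's own assumptions).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_BYTES 4096   /* assumed upper bound for the heap example */

/* Length of s within its first `limit` bytes; never scans past the caller's bound. */
static size_t len_within(const char *s, size_t limit) {
    const char *end = memchr(s, '\0', limit);
    return end ? (size_t)(end - s) : limit;
}

/* First MSDN function, corrected. The original compares signed ints, so a
 * negative len1 or len2 passes `1 + len1 + len2 > 128` and then turns into a
 * huge size_t inside strncpy/strncat; it also relies on strncpy terminating
 * buf, which it does not when s1 has no NUL within len1 characters. */
bool concat_checked(const char *s1, size_t len1, const char *s2, size_t len2) {
    char buf[128];
    if (s1 == NULL || s2 == NULL) return false;
    /* Two separate comparisons: no sum that could wrap around. */
    if (len1 >= sizeof buf || len2 >= sizeof buf - len1) return false;
    size_t n1 = len_within(s1, len1);
    size_t n2 = len_within(s2, len2);
    memcpy(buf, s1, n1);
    memcpy(buf + n1, s2, n2);
    buf[n1 + n2] = '\0';            /* always terminated */
    /* ... work with buf ... */
    return true;
}

/* What the second MSDN function does to its size: a 32-bit DWORD stored into
 * an unsigned short keeps only the low 16 bits. */
uint16_t narrowed_size(uint32_t cbBuf) {
    return (uint16_t)cbBuf;      /* 0x10010 becomes 0x0010 == 16 */
}

/* Second MSDN function, corrected: the size keeps one width from the check to
 * the malloc to the memcpy and has an upper bound, so the allocation can never
 * be smaller than the copy. */
bool copy_to_heap_checked(const uint8_t *name, uint32_t cbBuf) {
    size_t size = cbBuf;                     /* widen, never narrow */
    if (name == NULL || size == 0 || size > MAX_NAME_BYTES) return false;
    uint8_t *buf = malloc(size);
    if (buf == NULL) return false;
    memcpy(buf, name, size);
    /* ... do stuff with buf ... */
    free(buf);
    return true;
}
```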

This should explain it...
http://julianor.tripod.com/bufo.html

Tom Vu
Sunday, August 08, 2004

Herman, you're writing an expert report on the subject I presume. How much will it be? $4,000? Which of the expert IT research groups do you work for?

People want to know
Sunday, August 08, 2004

Send the link when you release it. We'll tell you where you got it wrong.

People want to know
Sunday, August 08, 2004

Why are you people so rude?  Is this not a forum for discussion of various topics related to software?  I'm not a student and I'm not making a report and I'm not going to search google.  I'm here for a good discussion of the topic at hand.  Apparently some of the nerds on this board can't handle talking in a reasonable manner and are still afraid that someone is going to "steal their homework."  Time to grow up and move out of your mom's basement.

Herman
Monday, August 09, 2004

Herman:

If you look at the way you phrased your post, you will see that it is not the starting point for a discussion but rather a set of questions that are very likely answered within the first ten hits you would get from a google search of "buffer overflows".  Stating that you refuse to search Google indicates that you either don't care about the answer or have some inexplicable hostility towards google.

This board receives a lot of posts that are clearly students asking us to do their homework for them.  Most of us think that isn't good for the learning process and is a form of academic dishonesty.

Just to be clear, my parents don't have a basement.

name withheld out of cowardice
Monday, August 09, 2004

The point of not searching google is to start a discussion about it on this forum.  Why are you people so anal retentive?  Why even participate if you don't have anything to contribute except to take out your frustrations or to be rude?

I don't think I'll come back to this site again.  The only reason I visited it was because a friend said that it was a good forum.  The world isn't black and white people.

Herman
Monday, August 09, 2004

Herman: I sympathize since it does seem like software professionals would know the answer to a simple question and may want to help out someone, whether it is for their homework or not.

After all, everyone starts out somewhere and whether you do your homework by typing a searchphrase in a search engine or ask a group of seasoned professionals for their sound and reasoned opinion - you just want an answer.

Try prefacing your posts with "I've already searched Google and now I want your opinions and great war stories..."

Kent
Monday, August 09, 2004

Here is an example of what a buffer overrun is and why it is bad.
(It is an excerpt from "Writing Secure Code" on someone's blog.)

http://blogs.msdn.com/roberthorvick/archive/2004/01/16/59460.aspx

Kent
Monday, August 09, 2004

Whoops - the link was a little too long there - cut and paste what is there and then make sure the extension is "aspx"

Kent
Monday, August 09, 2004

Herman,

Just a coupla morsels of advice: don't take it personally or you will soon have to give up interacting on web forums altogether.  Secondly, threatening to leave is not likely to make anyone feel bad.

Having said that, here's the deal with asking questions in a forum.  We're all pretty jaded by people who seem to take any and all help for granted.  There was nothing wrong with your question for discussion's sake, but as a previous poster suggested, you might want to add some comment  to clarify that you're not just leeching answers to avoid legwork you should be doing yourself.  Another good phrasing of his suggestion is, "I know what has been written on the web in general about the subject, but I'm particularly interested in the insights of the JoS crowd."

That is just my $0.02.

OffMyMeds
Monday, August 09, 2004

Expletive! The second item on Google exactly matches the question.

MilesArcher
Monday, August 09, 2004

> I don't think I'll come back to this site again.  The only reason I visited it was because a friend said that it was a good forum.

Bye.

People want to know
Tuesday, August 10, 2004