Created
May 20, 2012 13:10
-
-
Save madis/2758061 to your computer and use it in GitHub Desktop.
Secure programming homework
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/** | |
* Secure programming HW4 | |
* Find all potential vulnerabilities in this C function get_user_input | |
* Compiling: $ make main | |
* Running: $ ./main | |
*/ | |
#include <stdio.h> | |
#include <stdlib.h> // For malloc | |
#include <string.h> // For strlen | |
#include <unistd.h> // For read(...) | |
#include <netinet/in.h> | |
int get_user_input(char *prompt) | |
{ | |
char buf[80]; | |
unsigned char input[100]; | |
int done = 0; | |
int i, val; | |
do { | |
sprintf(buf, "%s> ", prompt); // Display the prompt | |
printf("%s", buf); // After prompt print already entered text | |
gets(input); // Read data from user into input | |
if (strlen(input) > 99) { // Check if input size was over 100 | |
printf("Input too long\n"); // Notify user about it | |
return 0; // And return from the function | |
} | |
printf("Continuing to buf2 section\n"); // Otherwise continue | |
val = atoi(input); // Convert user entered ASCII string to integer | |
if (val > 0) { // If it was a positive number | |
struct in_addr *addr; // Create a pointer to in_addr type struct | |
char *buf2 = malloc(val*sizeof(addr)); // Take memory for as many bytes as user entered string tells | |
printf("val : %i sizeof(addr) : %lu Took memory: %lu sizeof(char): %lu\n", val, sizeof(addr), val*sizeof(addr), sizeof(char)); | |
for (i = 0; i < val; i++) { | |
if (read(0, buf2, sizeof(*addr)) < 0) | |
return 0; | |
} | |
printf("buf2: (%s)\n", buf2); | |
done = 1; | |
} | |
} while (!done); | |
return val; | |
} | |
/** | |
* Vulnerabilities or bugs found: | |
* 1) (line 23) using gets(...) - because gets takes only a buffer but no information about it's size. | |
* input may write past the size | |
* | |
* 2) (line 24) checking input validness of buffer of size 100(99 + \0) for it being > 99. When it's | |
* greater than 99, it has already overwritten some data. Segmentation fault on you way! | |
* | |
* 3) (line 29) using atoi(...) - user input is converted into int, which is signed variable. Also having | |
* size 100 character input to be converted to int is sure way to int overflow. | |
* | |
* 4) (line 30-37) it is unclear to me what that code is trying to achieve since buf2 where data is being | |
* read, will never be exposed outside this function. Still there are bugs, since the memory allocated | |
* is never released | |
* | |
* 5) (line 34) for some reason in_addr is used for determining what seems to be the size of one input char | |
* probably a misunderstanding. After that val times (integer, entered by user) it is read from stdin | |
* to buf2, but for the number of chars read(3rd argument). Buffer will be overwritten each time. To | |
* append to buffer p_read should be used instead. | |
* | |
* 6) Each time (for total of val times) size of addr is being read into the char array. Problem is that | |
* char and in_addr are not the same size. But taking into consideration the previous point where buf | |
* gets overwritten each time, there is not much use in this anyway. | |
* | |
* 7) The leftover data in stdin will be returned to shell after exiting program. If user has typed | |
* rm -rf . or something similar kind, then after the program exits, it will be run. And bad things | |
* can happen. | |
*/ | |
int main() | |
{ | |
int user_input = get_user_input("enter the input size and then the your text of that size"); | |
printf("get_user_input returned : %i\n", user_input); | |
return EXIT_SUCCESS; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment