madis/bad_input.c

## bad_input.c
/**
 * Secure programming HW4
 * Find all potential vulnerabilities in this C function get_user_input
 * Compiling: $ make main
 * Running: $ ./main
 */

#include <stdio.h>
#include <stdlib.h> // For malloc
#include <string.h> // For strlen
#include <unistd.h> // For read(...)
#include <netinet/in.h>

int get_user_input(char *prompt)
{
	char buf[80];
  unsigned char input[100];
	int done = 0;
	int i, val;
	do {
		sprintf(buf, "%s> ", prompt); // Display the prompt
		printf("%s", buf); 						// After prompt print already entered text
		gets(input); 									// Read data from user into input
		if (strlen(input) > 99) { 		// Check if input size was over 100
			printf("Input too long\n"); // Notify user about it
			return 0;										// And return from the function
		}
		printf("Continuing to buf2 section\n");	// Otherwise continue
		val = atoi(input); 												// Convert user entered ASCII string to integer
		if (val > 0) { 														// If it was a positive number
			struct in_addr *addr; 									// Create a pointer to in_addr type struct
			char *buf2 = malloc(val*sizeof(addr)); // Take memory for as many bytes as user entered string tells
			printf("val : %i sizeof(addr) : %lu Took memory: %lu sizeof(char): %lu\n", val, sizeof(addr), val*sizeof(addr), sizeof(char));
			for (i = 0; i < val; i++) {
				if (read(0, buf2, sizeof(*addr)) < 0)
					return 0;
			}
			printf("buf2: (%s)\n", buf2);
			done = 1;
		}
	} while (!done);
	return val;
}

/**
 * Vulnerabilities or bugs found:
 * 1) (line 23) using gets(...) - because gets takes only a buffer but no information about it's size.
 * 		input may write past the size
 *
 * 2) (line 24) checking input validness of buffer of size 100(99 + \0) for it being > 99. When it's
 *		greater than 99, it has already overwritten some data. Segmentation fault on you way!
 *
 * 3) (line 29) using atoi(...) - user input is converted into int, which is signed variable. Also having
 *		size 100 character input to be converted to int is sure way to int overflow.
 *
 * 4) (line 30-37) it is unclear to me what that code is trying to achieve since buf2 where data is being
 * 		read, will never be exposed outside this function. Still there are bugs, since the memory allocated
 *		is never released
 *
 * 5) (line 34) for some reason in_addr is used for determining what seems to be the size of one input char
 * 		probably a misunderstanding. After that val times (integer, entered by user) it is read from stdin
 * 		to buf2, but for the number of chars read(3rd argument). Buffer will be overwritten each time. To
 * 		append to buffer p_read should be used instead.
 *
 * 6) Each time (for total of val times) size of addr is being read into the char array. Problem is that
 * 		char and in_addr are not the same size. But taking into consideration the previous point where buf
 * 		gets overwritten each time, there is not much use in this anyway.
 *
 * 7) The leftover data in stdin will be returned to shell after exiting program. If user has typed
 * 		rm -rf . or something similar kind, then after the program exits, it will be run. And bad things
 * 		can happen.
 */

int main()
{
	int user_input = get_user_input("enter the input size and then the your text of that size");
	printf("get_user_input returned : %i\n", user_input);
	return EXIT_SUCCESS;
}
	/**
	* Secure programming HW4
	* Find all potential vulnerabilities in this C function get_user_input
	* Compiling: $ make main
	* Running: $ ./main
	*/

	#include <stdio.h>
	#include <stdlib.h> // For malloc
	#include <string.h> // For strlen
	#include <unistd.h> // For read(...)
	#include <netinet/in.h>

	int get_user_input(char *prompt)
	{
	char buf[80];
	unsigned char input[100];
	int done = 0;
	int i, val;
	do {
	sprintf(buf, "%s> ", prompt); // Display the prompt
	printf("%s", buf); // After prompt print already entered text
	gets(input); // Read data from user into input
	if (strlen(input) > 99) { // Check if input size was over 100
	printf("Input too long\n"); // Notify user about it
	return 0; // And return from the function
	}
	printf("Continuing to buf2 section\n"); // Otherwise continue
	val = atoi(input); // Convert user entered ASCII string to integer
	if (val > 0) { // If it was a positive number
	struct in_addr *addr; // Create a pointer to in_addr type struct
	char buf2 = malloc(valsizeof(addr)); // Take memory for as many bytes as user entered string tells
	printf("val : %i sizeof(addr) : %lu Took memory: %lu sizeof(char): %lu\n", val, sizeof(addr), val*sizeof(addr), sizeof(char));
	for (i = 0; i < val; i++) {
	if (read(0, buf2, sizeof(*addr)) < 0)
	return 0;
	}
	printf("buf2: (%s)\n", buf2);
	done = 1;
	}
	} while (!done);
	return val;
	}

	/**
	* Vulnerabilities or bugs found:
	* 1) (line 23) using gets(...) - because gets takes only a buffer but no information about it's size.
	* input may write past the size
	*
	* 2) (line 24) checking input validness of buffer of size 100(99 + \0) for it being > 99. When it's
	* greater than 99, it has already overwritten some data. Segmentation fault on you way!
	*
	* 3) (line 29) using atoi(...) - user input is converted into int, which is signed variable. Also having
	* size 100 character input to be converted to int is sure way to int overflow.
	*
	* 4) (line 30-37) it is unclear to me what that code is trying to achieve since buf2 where data is being
	* read, will never be exposed outside this function. Still there are bugs, since the memory allocated
	* is never released
	*
	* 5) (line 34) for some reason in_addr is used for determining what seems to be the size of one input char
	* probably a misunderstanding. After that val times (integer, entered by user) it is read from stdin
	* to buf2, but for the number of chars read(3rd argument). Buffer will be overwritten each time. To
	* append to buffer p_read should be used instead.
	*
	* 6) Each time (for total of val times) size of addr is being read into the char array. Problem is that
	* char and in_addr are not the same size. But taking into consideration the previous point where buf
	* gets overwritten each time, there is not much use in this anyway.
	*
	* 7) The leftover data in stdin will be returned to shell after exiting program. If user has typed
	* rm -rf . or something similar kind, then after the program exits, it will be run. And bad things
	* can happen.
	*/

	int main()
	{
	int user_input = get_user_input("enter the input size and then the your text of that size");
	printf("get_user_input returned : %i\n", user_input);
	return EXIT_SUCCESS;
	}