Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Buffer overflow
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
===Example=== {{further|topic=stack-based overflows|Stack buffer overflow}} In the following example expressed in [[C (programming language)|C]], a program has two variables which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte [[big-endian]] integer, B. <syntaxhighlight lang="c"> char A[8] = ""; unsigned short B = 1979; </syntaxhighlight> Initially, A contains nothing but zero bytes, and B contains the number 1979. {| class="wikitable" style="width:32em; text-align:center;" ! style="white-space:nowrap;" | variable name ! colspan=8 style="background:#ddf;" | A ! colspan=2 style="background:#fdd;" | B |- style="background:#ddf;" ! value | colspan=8 | [<nowiki/>[[null string]]<nowiki/>] | colspan=2 style="background:#fdd;" | 1979 |- style="background:#ddf;" ! hex value | <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> | style="background:#fdd;" | <kbd>07</kbd> || style="background:#fdd;" | <kbd>BB</kbd> |} Now, the program attempts to store the [[null-terminated string]] {{code|"excessive"}} with [[ASCII]] encoding in the A buffer. <syntaxhighlight lang="c"> strcpy(A, "excessive"); </syntaxhighlight> {{code|"excessive"}} is 9 characters long and encodes to 10 bytes including the null terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B: {| class="wikitable" style="width:32em; text-align:center;" ! style="white-space:nowrap;" | variable name ! colspan=8 style="background:#ddf;" | A ! colspan=2 style="background:#fdd;" | B |- style="background:#ddf;" ! value | <kbd>'e'</kbd> || <kbd>'x'</kbd> || <kbd>'c'</kbd> || <kbd>'e'</kbd> || <kbd>'s'</kbd> || <kbd>'s'</kbd> || <kbd>'i'</kbd> || <kbd>'v'</kbd> | colspan=2 style="background:#dbd;" | <kbd>25856</kbd> |- style="background:#ddf;" ! hex | <kbd>65</kbd> || <kbd>78</kbd> || <kbd>63</kbd> || <kbd>65</kbd> || <kbd>73</kbd> || <kbd>73</kbd> || <kbd>69</kbd> || <kbd>76</kbd> | style="background:#dbd;" | <kbd>65</kbd> || style="background:#dbd;" | <kbd>00</kbd> |} B's value has now been inadvertently replaced by a number formed from part of the character string. In this example "e" followed by a zero byte would become 25856. Writing data past the end of allocated memory can sometimes be detected by the operating system to generate a [[segmentation fault]] error that terminates the process. To prevent the buffer overflow from happening in this example, the call to <kbd>[[strcpy]]</kbd> could be replaced with <kbd>[[strlcpy]]</kbd>, which takes the maximum capacity of A (including a null-termination character) as an additional parameter and ensures that no more than this amount of data is written to A: <syntaxhighlight lang="c"> strlcpy(A, "excessive", sizeof(A)); </syntaxhighlight> When available, the <kbd>[[strlcpy]]</kbd> library function is preferred over <kbd>[[strncpy]]</kbd> which does not null-terminate the destination buffer if the source string's length is greater than or equal to the size of the buffer (the third argument passed to the function). Therefore <kbd>A</kbd> may not be null-terminated and cannot be treated as a valid C-style string.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)