#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <assert.h>

// BUFFER OVERFLOW
// BUFFER OVERREAD
//
// Be careful about how many bytes you allocated.
// Make sure to allocate the right amount — for a C string that is the number
// of characters PLUS one byte for the terminating '\0'.
// Make sure not to go past the end of what you allocated: for a block of N
// bytes the last valid index is N - 1.
// Don't forget the asterisk when you malloc.
// char* s = malloc(sizeof(*s) * …);
//                         ▲
//                         Don't forget this!!!

// Deliberately broken demo: a 3-byte heap block is written and then read as
// if it held 5 bytes.  Every out-of-bounds access below is undefined behavior
// (CERT ARR30-C / STR31-C); the Valgrind transcript at the bottom of this
// file shows what Memcheck reports for it.
//
// The correct allocation for "abcd" plus its terminator is
//     char* s = malloc(sizeof(*s) * 5);
// and in real code the result of malloc() must be checked for NULL before it
// is dereferenced — this demo omits that check as well.
int main(int argc, char* argv[]) {
    char* s = malloc(sizeof(*s) * 3);   // 3 bytes: valid indices are 0..2 only
    s[0] = 'a';
    s[1] = 'b';
    s[2] = 'c';                         // last in-bounds write
    s[3] = 'd';  // BUFFER OVERFLOW - "Invalid write" … "Address … is 0 bytes after a block of size 3 alloc'd"
    s[4] = '\0'; // BUFFER OVERFLOW - "Invalid write" … "Address … is 1 bytes after a block of size 3 alloc'd"
    // Security note: an out-of-bounds heap write lands in whatever happens to
    // follow the block (allocator bookkeeping or a neighbouring allocation),
    // so a crash is NOT guaranteed — the corruption can surface much later or
    // be abused by an attacker.  Only a checker such as Valgrind (below) or
    // -fsanitize=address reliably reports it at the faulting line.

    // We allocate 3 bytes, but we are writing to 5 bytes.

    printf("s == \"%s\"\n", s);
    // BUFFER OVERREAD = "Invalid read" … "Address … is 0 bytes after a block of size 3 alloc'd"
    // BUFFER OVERREAD = "Invalid read" … "Address … is 1 bytes after a block of size 3 alloc'd"
    // "%s" scans forward until it finds a '\0', so printf reads s[3] and s[4],
    // both past the end of the block.  Had the terminator at s[4] not been
    // written, it would keep reading until some unrelated zero byte — an
    // information-disclosure bug, not just a crash risk.

    free(s);
    
    return EXIT_SUCCESS;
}
/*
==46277== Memcheck, a memory error detector
==46277== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==46277== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==46277== Command: ./d
==46277==
==46277== Invalid write of size 1
==46277==    at 0x400617: main (d.c:13)
            ♦ Where we tried to write to memory that is not ours.
==46277==  Address 0x5205043 is 0 bytes after a block of size 3 alloc'd
            ♦ "0 bytes after a block of size 3 alloc'd" means the byte immediately following your buffer.
==46277==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277==    by 0x4005ED: main (d.c:9)
            ♦ Where the buffer was allocated. (Line numbers such as d.c:9 refer to the file as it was compiled and may not match the numbering of the listing above.)
==46277==
==46277== Invalid write of size 1
==46277==    at 0x400622: main (d.c:14)
==46277==  Address 0x5205044 is 1 bytes after a block of size 3 alloc'd
==46277==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277==    by 0x4005ED: main (d.c:9)
            ♦ Same, but for writing to s[4]
==46277==
==46277== Invalid read of size 1
==46277==    at 0x4E84079: vfprintf (vfprintf.c:1635)
==46277==    by 0x4E8A4E8: printf (printf.c:34)
==46277==    by 0x40063A: main (d.c:18)
==46277==  Address 0x5205043 is 0 bytes after a block of size 3 alloc'd
==46277==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277==    by 0x4005ED: main (d.c:9)
==46277==
==46277== Invalid read of size 1
==46277==    at 0x4EB1ADD: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1296)
==46277==    by 0x4E84032: vfprintf (vfprintf.c:1635)
==46277==    by 0x4E8A4E8: printf (printf.c:34)
==46277==    by 0x40063A: main (d.c:18)
==46277==  Address 0x5205043 is 0 bytes after a block of size 3 alloc'd
==46277==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277==    by 0x4005ED: main (d.c:9)
==46277==
==46277== Invalid read of size 1
==46277==    at 0x4C31D98: __GI_mempcpy (vg_replace_strmem.c:1539)
==46277==    by 0x4EB1A04: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1314)
==46277==    by 0x4E84032: vfprintf (vfprintf.c:1635)
==46277==    by 0x4E8A4E8: printf (printf.c:34)
==46277==    by 0x40063A: main (d.c:18)
==46277==  Address 0x5205043 is 0 bytes after a block of size 3 alloc'd
==46277==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277==    by 0x4005ED: main (d.c:9)
==46277==
s == "abcd"
==46277==
==46277== HEAP SUMMARY:
==46277==     in use at exit: 0 bytes in 0 blocks
==46277==   total heap usage: 1 allocs, 1 frees, 3 bytes allocated
==46277==
==46277== All heap blocks were freed -- no leaks are possible
==46277==
==46277== For lists of detected and suppressed errors, rerun with: -s
==46277== ERROR SUMMARY: 6 errors from 5 contexts (suppressed: 0 from 0)
*/
/* vim: set tabstop=4 shiftwidth=4 fileencoding=utf-8 noexpandtab: */

© Copyright 2023 Alexander J. Quinn         This content is protected and may not be shared, uploaded, or distributed.