1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 | #include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <assert.h>
// BUFFER OVERFLOW
// BUFFER OVERREAD
//
// Be careful about how many bytes you allocated.
// Make sure to allocate the right amount.
// Make sure not go to past the end of what you allocated.
// Don't forget the asterisk when you malloc.
// char* s = malloc(sizeof(*s) * …);
// ▲
// Don't forget this!!!
int main(int argc, char* argv[]) {
char* s = malloc(sizeof(*s) * 3);
s[0] = 'a';
s[1] = 'b';
s[2] = 'c';
s[3] = 'd'; // BUFFER OVERFLOW - "Invalid write" … "Address … is 0 bytes after a block of size 3 alloc'd"
s[4] = '\0'; // BUFFER OVERFLOW - "Invalid write" … "Address … is 1 bytes after a block of size 3 alloc'd"
// We allocate 3 bytes, but we are writing to 5 bytes.
printf("s == \"%s\"\n", s);
// BUFFER OVERREAD = "Invalid read" … "Address … is 0 bytes after a block of size 3 alloc'd"
// BUFFER OVERREAD = "Invalid read" … "Address … is 1 bytes after a block of size 3 alloc'd"
free(s);
return EXIT_SUCCESS;
}
/*
==46277== Memcheck, a memory error detector
==46277== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==46277== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==46277== Command: ./d
==46277==
==46277== Invalid write of size 1
==46277== at 0x400617: main (d.c:13)
♦ Where we tried to write to memory that is not ours.
==46277== Address 0x5205043 is 0 bytes after a block of size 3 alloc'd
♦ "0 bytes after a block of size 3 alloc'd" means the byte immediately following your buffer.
==46277== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277== by 0x4005ED: main (d.c:9)
♦ Where the buffer was allocated.
==46277==
==46277== Invalid write of size 1
==46277== at 0x400622: main (d.c:14)
==46277== Address 0x5205044 is 1 bytes after a block of size 3 alloc'd
==46277== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277== by 0x4005ED: main (d.c:9)
♦ Same, but for writing to s[4]
==46277==
==46277== Invalid read of size 1
==46277== at 0x4E84079: vfprintf (vfprintf.c:1635)
==46277== by 0x4E8A4E8: printf (printf.c:34)
==46277== by 0x40063A: main (d.c:18)
==46277== Address 0x5205043 is 0 bytes after a block of size 3 alloc'd
==46277== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277== by 0x4005ED: main (d.c:9)
==46277==
==46277== Invalid read of size 1
==46277== at 0x4EB1ADD: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1296)
==46277== by 0x4E84032: vfprintf (vfprintf.c:1635)
==46277== by 0x4E8A4E8: printf (printf.c:34)
==46277== by 0x40063A: main (d.c:18)
==46277== Address 0x5205043 is 0 bytes after a block of size 3 alloc'd
==46277== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277== by 0x4005ED: main (d.c:9)
==46277==
==46277== Invalid read of size 1
==46277== at 0x4C31D98: __GI_mempcpy (vg_replace_strmem.c:1539)
==46277== by 0x4EB1A04: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1314)
==46277== by 0x4E84032: vfprintf (vfprintf.c:1635)
==46277== by 0x4E8A4E8: printf (printf.c:34)
==46277== by 0x40063A: main (d.c:18)
==46277== Address 0x5205043 is 0 bytes after a block of size 3 alloc'd
==46277== at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==46277== by 0x4005ED: main (d.c:9)
==46277==
s == "abcd"
==46277==
==46277== HEAP SUMMARY:
==46277== in use at exit: 0 bytes in 0 blocks
==46277== total heap usage: 1 allocs, 1 frees, 3 bytes allocated
==46277==
==46277== All heap blocks were freed -- no leaks are possible
==46277==
==46277== For lists of detected and suppressed errors, rerun with: -s
==46277== ERROR SUMMARY: 6 errors from 5 contexts (suppressed: 0 from 0)
*/
/* vim: set tabstop=4 shiftwidth=4 fileencoding=utf-8 noexpandtab: */
|
© Copyright 2023 Alexander J. Quinn This content is protected and may not be shared, uploaded, or distributed.