消除缓冲区溢出 [英] Erradicating a Buffer Overflow
问题描述
大家好,这是一个示例程序,我认为可能有一个可能的
缓冲区溢出漏洞:
#include< stdio.h>
int main(int argc,char * argv [])
{
char junk [10]; / *可能很危险* /
char wday [4];
char mon [4];
char time [9];
int day;
int year;
if(argc == 2){
sscanf( argv [1],
"%。3s,%d%。3s%4d%。8s%s",
wday,
& day,
mon,
& year,
time,
junk);
}
返回0;
}
现在,从我所知道的,wday,mon和time都是安全的,因为
扫描的数量有一个非常严格的限制。问题,
似乎是垃圾缓冲区。
您可以猜测,这是为了采用特定格式的日期
字符串并将其读入变量。但是,在日期格式中我处理(mbox /概述文件类型日期),
之后还有一个额外的时间可以是任意长度。一般来说,它并不比
大10,这也是我最初使用该值的原因,但它之前没有点击
我的脑袋会导致问题。然后,当我今天想到它时,我意识到你可以在字符串的时间段之后输入超过10个字符
,然后溢出程序。我的
问题是,处理这个问题的正确方法是什么?我该如何解决这个问题?
我可以将%s更改为%.9s或类似的东西,但那将是丑陋的,因为我最终会得到一个一堆空白和填充在
的开头或结尾。理想情况下,我不希望这样。我怎么能让这个
a更安全的过程?
- Arctic Fidelity
-
使用Opera革命性的电子邮件客户端: http://www.opera .com / mail /
Hello everyone, here is a sample program with what I think has a possible
buffer overflow vulnerability:
#include <stdio.h>
int main(int argc, char *argv[])
{
char junk[10]; /* Possibly dangerous */
char wday[4];
char mon[4];
char time[9];
int day;
int year;
if (argc == 2) {
sscanf(argv[1],
"%.3s, %d %.3s %4d %.8s %s",
wday,
&day,
mon,
&year,
time,
junk);
}
return 0;
}
Now, from what I can tell, wday, mon, and time will all be safe, because
there is a very strict limit to how much will be scanned in. The problem,
seems to be the junk buffer.
As you can guess, this is designed to take a specifically formatted date
string and read it into variables. However, in the date format I am
processing (mbox/overview file type dates), there is an extra bit after
the time that could be an arbitrary length. Generally, it''s not bigger
than 10, which is why I initially used that value, but it did not click in
my head before that this would cause a problem. Then, while I was thinking
about it today, I realized that you could put in more than 10 characters
after the time section of the string, and overflow the program. My
question is, what is the proper way of handling this? How can I remedy it?
I could change %s to %.9s or something of that nature, but that would be
ugly, because I would end up with a bunch of whitespace and padding at the
beginning or the end. Ideally I would not want that. How could I make this
a safer process?
- Arctic Fidelity
--
Using Opera''s revolutionary e-mail client: http://www.opera.com/mail/
推荐答案
" Arctic Fidelity" < SP ** @ sacrificumdeo.net>写道:
"Arctic Fidelity" <sp**@sacrificumdeo.net> wrote:
char junk [10]; / *可能很危险* /
char wday [4];
char mon [4];
char time [9];
int day;
int year;
if(argc == 2){
sscanf(argv [1],
"%。3s,%d%。3s%4d%。8s%s" ,
wday,
& day,
mon,
& year,
time,
junk);
}
然后,当我今天想到它时,我意识到你可以在字符串的时间段之后输入超过10个字符,然后溢出程序。
是的,这是正确的。
我的问题是,处理这个问题的正确方法是什么?我该如何解决这个问题?
我可以将%s更改为%.9s或者那种性质的东西,但那将是丑陋的,因为我最终会得到一堆空白和填充<开始或结束。
char junk[10]; /* Possibly dangerous */
char wday[4];
char mon[4];
char time[9];
int day;
int year;
if (argc == 2) {
sscanf(argv[1],
"%.3s, %d %.3s %4d %.8s %s",
wday,
&day,
mon,
&year,
time,
junk);
} Then, while I was thinking
about it today, I realized that you could put in more than 10 characters
after the time section of the string, and overflow the program.
Yes, that''s correct.
My question is, what is the proper way of handling this? How can I remedy it?
I could change %s to %.9s or something of that nature, but that would be
ugly, because I would end up with a bunch of whitespace and padding at the
beginning or the end.
如果它真的是垃圾,我根本不会去阅读它。如果你想要
来检查它,它可以是任何长度,你可以做几件事。最简单的解决方案可能不是将其复制到另一个
char数组中,而是在参数字符串中设置一个char指针。
Richard
If it really is junk, I would not bother to read it at all. If you want
to inspect it, and it can be of any length, there are several things you
can do. The simplest solution is probably not to copy it into another
char array, but to set a char pointer inside the argument string.
Richard
2005年10月24日星期一11:04:40 -0400,Richard Bos
< rl *@hoekstra-uitgeverij.nl>写道:
On Mon, 24 Oct 2005 11:04:40 -0400, Richard Bos
<rl*@hoekstra-uitgeverij.nl> wrote:
如果它真的是垃圾,我根本不打算阅读它。如果你想要检查它,它可以是任何长度,你可以做几件事。最简单的解决方案可能不是将它复制到另一个char数组中,而是在参数字符串中设置一个char指针。
If it really is junk, I would not bother to read it at all. If you want
to inspect it, and it can be of any length, there are several things you
can do. The simplest solution is probably not to copy it into another
char array, but to set a char pointer inside the argument string.
嗯,好吧,不是我当然明白这一点。它*是*垃圾,但因为它是
垃圾,我只是省略了%s。在sscanf和sscanf的部分不会读取
吗?我怎么才能抛弃那个额外的部分?
- 北极富达
-
使用Opera''革命性的电子邮件客户端: http://www.opera.com/mail/
" Arctic Fidelity" < SP ** @ sacrificumdeo.net>写道:
"Arctic Fidelity" <sp**@sacrificumdeo.net> wrote:
2005年10月24日星期一11:04:40 -0400,Richard Bos
< rl*@hoekstra-uitgeverij.nl>写道:
On Mon, 24 Oct 2005 11:04:40 -0400, Richard Bos
<rl*@hoekstra-uitgeverij.nl> wrote:
如果它真的是垃圾,我根本不打算阅读它。如果你想要检查它,它可以是任何长度,你可以做几件事。最简单的解决方案可能不是将它复制到另一个字符串数组中,而是在参数字符串中设置一个字符指针。
嗯,好吧,不确定我明白这一点。它*是*垃圾,但由于它是垃圾,我只是省略了%s。 sscanf和sscanf中的部分不会读取它吗?
If it really is junk, I would not bother to read it at all. If you want
to inspect it, and it can be of any length, there are several things you
can do. The simplest solution is probably not to copy it into another
char array, but to set a char pointer inside the argument string.
Hmm, alright, not sure I understand that. It *is* junk, but since it is
junk, do I just leave out the "%s" part in sscanf and sscanf will not read
it?
相当。
我怎么才能抛弃那个额外的部分?
Quite.
How would I just dump that extra part?
你的意思是什么,转储?你有一个字符串。你没有从文件中读到
。你不需要抛弃任何东西。
顺便说一句,我注意到你这样做是为了命令行参数。您知道任何单个命令行参数 - 即任何单个成员
of argv [] - 非常不可能包含_entire_命令行,
并且可能甚至不包含任何空格,除非你的b / b
调用你的程序已采取特殊的预防措施来确定它是什么?
Richard
What do you mean, "dump"? You have a single string. You''re not reading
from a file. You don''t need to dump anything.
BTW, I note that you''re doing this to a command line argument. You are
aware that any single command line argument - that is, any single member
of argv[] - is highly unlikely to contain your _entire_ command line,
and will probably not even contain any spaces unless what- or whoever
called your program has taken special precautions to see that it does?
Richard
这篇关于消除缓冲区溢出的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
