Why am I not getting a Buffer Overflow?

Question

Everything I read leads me to believe that this should cause a stack buffer overflow, but it does not:

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char password[8];
    int correctPassword = 0;

    printf("Password \n");
    gets(password);

    if(strcmp(password, "password"))
    {
        printf ("Wrong password entered, root privileges not granted... \n");
    }
    else
    {
        correctPassword = 1;
    }

    if(correctPassword)
    {
        printf ("Root privileges given to the user \n");
    }

    return 0;
}

But here is my output:

in this case, testtesttesttesttest is clearly larger than 8 characters, and, according to the source, it should cause a stack buffer overflow, but it does not. Why is this?

Because it's undefined behavior, so anything could happen. https://stackoverflow.com/documentation/c/364/undefined-behavior#t=201706020423447810219. — Stargateur, Jun 02 '17 at 04:24
How exactly do you expect the stack overflow to manifest? When I run this I get the following output: `Wrong password entered, root privileges not granted... *** stack smashing detected ***: ./Overflow terminated ` — merlin2011, Jun 02 '17 at 04:24
@merlin2011: If you compile it without stack protection it has a better chance of working. — Ry-, Jun 02 '17 at 04:28
password shows testtest and correctPassword is 0, as seen above — Stanley Cup Phil, Jun 02 '17 at 04:35
There is no such thing as 'stack buffer overflow'. There is 'stack overflow', and 'buffer overflow'. Unclear what you're asking. — user207421, Jun 02 '17 at 04:36
Ahh. got it. I needed to add -fno-stack-protector to get the program to not print `*** stack smashing detected ***` and instead fill correctPassword with the overflowed bytes. Thanks @Ryan — Stanley Cup Phil, Jun 02 '17 at 04:37
@EJP Seems a wikipedia article dedicated to [Stack Buffer Overflow](https://en.wikipedia.org/wiki/Stack_buffer_overflow) ;) — bradgonesurfing, Jun 02 '17 at 07:12
@EJP I think the disambiguation here is "stack 'buffer overflow'" vs "heap 'buffer overflow'" ie the buffer that overflows is on the stack rather than the heap. This is different to a stack overflow whereby the stack pointer advances past it's allowed range. — bradgonesurfing, Jun 02 '17 at 07:16
I've edited the OP to link to https://en.wikipedia.org/wiki/Stack_buffer_overflow and replaced "stack overflow" in the text to "stack buffer overflow" to remove any ambiguity. — bradgonesurfing, Jun 02 '17 at 07:26

simo-r · Accepted Answer · 2017-06-02T08:16:47.447

1

Reading more bytes then your buffer can contain won't always lead to a run-time error but it's a very bad and common error (read this article about smashing the stack). As I read from comments you added -fno-stack-protector to get the program to not print * stack smashing detected * but that's not a good idea. You should use scanf(" %8s",password) or something similar to limit the dimension of what you read.

edited Jun 02 '17 at 08:16

answered Jun 02 '17 at 07:16

simo-r

733
10
13

A [Stack Buffer Overflow](https://en.wikipedia.org/wiki/Stack_buffer_overflow) is indeed a thing as apposed to a [heap buffer overflow](https://en.wikipedia.org/wiki/Heap_overflow) – bradgonesurfing Jun 02 '17 at 07:18
@bradgonesurfing I don't get where I'm talking about heap. Can you be more specific? – simo-r Jun 02 '17 at 07:21
1

You criticized the term "Stack buffer overflow" for being an incorrect term claiming it different to a "buffer overflow". There is nothing wrong with the term "stack buffer overflow". It means precisely a buffer that exists on the stack which has been written to but outside it's bounds. – bradgonesurfing Jun 02 '17 at 07:22
1

@bradgonesurfing I'm so sorry, you're right. I just misreading it. – simo-r Jun 02 '17 at 07:30

score 1 · Answer 2 · answered Jun 02 '17 at 23:32

Your code does cause a buffer overflow on the stack, in the sense that you have overwritten the allocated memory for the password buffer. Behold the memory that has been overwritten after you provide the input.

gcc -o Overflow Overflow.c -fno-stack-protector -g

gdb Overflow
(gdb) b 8
Breakpoint 1 at 0x4005cc: file Overflow.c, line 8.
(gdb) b 11
Breakpoint 2 at 0x4005e2: file Overflow.c, line 11.
(gdb) r
Starting program: /home/hq6/Code/SO/C/Overflow

Breakpoint 1, main (argc=1, argv=0x7fffffffde08) at Overflow.c:8
8       printf("Password \n");
(gdb) x/20x password
# Memory before overflow
0x7fffffffdd10: 0xffffde00  0x00007fff  0x00000000  0x00000000
0x7fffffffdd20: 0x00400630  0x00000000  0xf7a2e830  0x00007fff
0x7fffffffdd30: 0x00000000  0x00000000  0xffffde08  0x00007fff
0x7fffffffdd40: 0xf7ffcca0  0x00000001  0x004005b6  0x00000000
0x7fffffffdd50: 0x00000000  0x00000000  0x67fbace7  0x593e0a93
(gdb) c
Continuing.
Password
correctPassword

Breakpoint 2, main (argc=1, argv=0x7fffffffde08) at Overflow.c:11
11      if(strcmp(password, "password"))
(gdb) x/20x password
# Memory after overflow
0x7fffffffdd10: 0x72726f63  0x50746365  0x77737361  0x0064726f
0x7fffffffdd20: 0x00400630  0x00000000  0xf7a2e830  0x00007fff
0x7fffffffdd30: 0x00000000  0x00000000  0xffffde08  0x00007fff
0x7fffffffdd40: 0xf7ffcca0  0x00000001  0x004005b6  0x00000000
0x7fffffffdd50: 0x00000000  0x00000000  0x67fbace7  0x593e0a93

Whether or not a buffer overflow has undesirable side effects is undefined behavior.

Why am I not getting a Buffer Overflow?

2 Answers2