Databases
StackOverflow2013
Postsdbo
POConsequences of this buffer overflow?
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POConsequences of this buffer overflow?
    primarykey
    data
    text
    <p>So here I believe I have a small buffer overflow problem I found when reviewing someone else's code. It immediately struck me as incorrect, and potentially dangerous, but admittedly I couldn't explain the ACTUAL consequences of this "mistake", if any.</p> <p>I had written up a test app to demonstrate the error, but found (to my dismay) that it seems to run correctly regardless of the overflow. I want to believe that this is just by chance, but wanted some feedback to determine if my thinking were wrong, or if there truly is a problem here that just isn't showing its head in my test app.</p> <p>The problem code (I think it is, anyway):</p> <pre><code>char* buffer = new char[strlen("This string is 27 char long" + 1)]; sprintf(buffer, "This string is 27 char long"); </code></pre> <p>Now, the reason this stood out to me and I want to flag it as a possible buffer overflow is because of the first <code>strlen</code>. Due to pointer arithmetic, the 'incorrect' placement of the <code>+ 1</code> will cause the <code>strlen</code> to return <code>26</code> instead of <code>27</code> (taking the length of "his string is 27 char long"). <code>sprintf</code>, I believe, then prints 27 char into the buffer and has caused a buffer overflow.</p> <p>Is that a correct assessment?</p> <p>I wrote a test app to demonstrate this for the person who's code I was looking at, and found that even in the debugger the string will print correctly. I also attempting putting other variables on the stack and heap before and after this code to see if I could affect neighboring areas of memory, but was still receiving correct output. I realize that my newly allocated heap memory might not be adjacent, which would explain the lack of useful overflow, but I just really wanted to confirm with others' opinions if this is in fact an issue.</p> <p>Since this is a pretty simple "question", it'd be nice if you could support your answer with some sort of reference as well. While I value and welcome your input, I'm not going to accept "yes it is" as the final answer. Thank you kindly in advance.</p> <p><br><br></p> <hr> <p><strong>Update:</strong> Many good answers with a lot of additional insight. Unfortunately, I can't accept them all. Thank you for sharing your knowledge and for being my 'second opinion'. I appreciate the help.</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USKevenK
    1. USKevenK
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    3. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POConsequences of this buffer overflow?
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POConsequences of this buffer overflow?
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. POConsequences of this buffer overflow?
      1. This table or related slice is empty.
      1. VTUpMod
    1. COYou might not get bitten with the code above due to padding/alignment. Could you repeat your experiments with a string that is, say 64 characters long, so the allocation would need to be 65 characters? And allocate two such strings before the `sprintf`, filling them in different orders.
      singulars
      1. POConsequences of this buffer overflow?
      1. USChristopher Creutzig
    2. COThat is pretty nasty code to take a raw string and add +1 to it! I would flunk the code review just on that fact alone.
      singulars
      1. POConsequences of this buffer overflow?
      1. USC Johnson
    3. COAnd this is why we developers use as many well-tested libraries as we can... because we make silly mistakes like this! :-) @Johnson I'm pretty sure the developer meant to add 1 to the length, not the string itself, hence the bug.
      singulars
      1. POConsequences of this buffer overflow?
      1. UScorsiKa
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload