is the buffer overflow still a problem? C++/CLI Security Code

C++/CLI is an extension of C + + that adds support for attributes, events, garbage collection, and generics for all types, including standard C + + classes.

Visual C + + 2005 extends support for controls and applications running on virtual machines with garbage collection using C++/CLI (common Language Infrastructure), while C++/CLI is an extension of the C + + programming language that adds attributes such as properties to all types, including standard C + + classes , events, garbage collection, and generics and other characteristics.

Visual C + + 2005 supports the. NET Framework common Language Runtime Library (CLR), which is the implementation of the garbage collection virtual machine, Microsoft. Visual C + + 2005 pairs. NET programming's C + + syntax support is evolving from Managed Extensions C + + introduced in Visual C + +. NET 2003, Managed Extensions C + + is still supported, but it is not in favor of new syntax. Visual C + + 2005 also adds new features to local programming, including a 64-bit processor architecture support and new library functions that improve security.

In this article, we will focus on the problem of porting existing old systems to a new environment that uses the CLR at a minimum cost, in order to determine whether these programs are still susceptible to buffer overflows that have been plagued by C + + programs for years.

Example 1 will require the user to enter a username and password, except for the user name, the program only accepts "NCC-1701" as a valid password. If the user enters the wrong password, the program exits. (This program is just a vulnerability test for C++/CLI code, not a demonstration of how to handle the password.) ) Example 1:

1. #include <stdlib.h>
2. #include <stdio.h>
3. #include <windows.h>
4. Char buff[1028];
5. struct User {
6. Char *name;
7. size_t Len;
8. int uid;
9.};
BOOL Checkpassword () {
Char password[10];
Puts ("Enter 8 character Password:");
Gets (password);
if (strcmp (password, "NCC-1701") = = 0) {
return true;
16.}
. else {
return false;
19.}
20.}
int main (int argc, char *argv[]) {
struct User *userp = (struct user *) 0XCDCDCDCD;
size_t Usernamelen = 0xdeadbeef;
Userp = (struct user *) malloc (sizeof (user));
Puts ("Enter User name:");
Gets (buff);
if (!checkpassword ()) {
Usernamelen = strlen (buff) + 1;
Userp->len = Usernamelen;
Userp->name = (char *) malloc (Usernamelen);
strcpy (userp->name, Buff); Log failed login attempt
Exit (-1);
33.}
34.}

The program starts with the 21 line main () and uses a pair of puts () and gets () in lines 25 and 26 to prompt for the username, resulting in an uncontrolled string copy from the standard input to the buffer character array (declared on line 4th). Both places in the program have the potential to cause a buffer overflow vulnerability. The Checkpassword () function is called by 27 rows in main () and prompts the user for a password in lines 12 and 13, which also uses a pair of puts ()/gets (). A second call to gets () also causes a buffer overflow of the cipher character array that is defined on the stack.