緩衝區溢位:
/* 緩衝區溢位 (buffer overflow) examples, kept as written on the page: each one
 * is intentionally vulnerable. Comments mark the unchecked write and the usual
 * mitigation. Fragments shown with "..." are incomplete on the page, and
 * BUFSIZE / MAX_SIZE / bytes are not defined anywhere in it. */

/* Example1.1 */
...
char buf[BUFSIZE];
gets(buf);  /* user control: gets() has no length bound, so input longer than
             * BUFSIZE writes past the end of buf. gets() was removed in C11;
             * use fgets(buf, sizeof buf, stdin). */
...

/* Example1.2 (C++) */
...
char buf[BUFSIZE];
cin >> (buf);  /* user control: extraction into a raw char buffer stops at
                * whitespace but has no size limit (pre-C++20 / char*), so a
                * long token overflows buf. Read into a std::string, or set
                * cin.width(sizeof buf) first. */
...

/* Example2 */
...
char buf[64], in[MAX_SIZE];
printf("Enter buffer contents:\n");
read(0, in, MAX_SIZE-1);  /* return value unchecked; in is not NUL-terminated */
printf("Bytes to copy:\n");
scanf("%d", &bytes);  /* user control: bytes is never compared with sizeof buf (64) */
memcpy(buf, in, bytes);  /* bytes > 64 overflows buf; a negative bytes converts to a
                          * huge size_t. Reject bytes < 0 || bytes > sizeof buf. */
...

/* (unlabelled on the page; sits between Example2 and Example4) */
char *lccopy(const char *str) {
    char buf[BUFSIZE];
    char *p;

    strcpy(buf, str);  /* strlen(str) is never compared with BUFSIZE: a longer str
                        * overflows buf. Bound the copy (snprintf(buf, sizeof buf, "%s", str))
                        * or lower-case a heap copy of str directly. */
    for (p = buf; *p; p++) {
        if (isupper(*p)) {   /* <ctype.h> expects an unsigned char value; a negative
                              * plain char is undefined behaviour here */
            *p = tolower(*p);
        }
    }
    return strdup(buf);  /* caller owns (and must free) the returned copy */
}

/* Example4 */
if (!(png_ptr->mode & PNG_HAVE_PLTE)) {
    /* Should be an error, but we can cope with it */
    /* Only warns and falls through: the length check lives in the else-if
     * below, so a tRNS chunk arriving before PLTE reaches png_crc_read with a
     * length that was never validated. (readbuf's size is not shown on the
     * page.) The branch should also reject or bound length. */
    png_warning(png_ptr, "Missing PLTE before tRNS");
}
else if (length > (png_uint_32)png_ptr->num_palette) {
    png_warning(png_ptr, "Incorrect tRNS chunk length");
    png_crc_finish(png_ptr, length);
    return;
}
...
png_crc_read(png_ptr, readbuf, (png_size_t)length);  /* length from the file; unchecked on the PLTE-missing path */

/* Example5 */
void getUserInfo(char *username, struct _USER_INFO_2 info){
    WCHAR unicodeUser[UNLEN+1];
    /* The last argument is a count of WCHARs, but sizeof(unicodeUser) is a byte
     * count, i.e. twice the real capacity, so a username longer than UNLEN
     * overflows unicodeUser. Pass sizeof unicodeUser / sizeof unicodeUser[0]. */
    MultiByteToWideChar(CP_ACP, 0, username, -1,
                        unicodeUser, sizeof(unicodeUser));
    /* NOTE(review): info is a by-value copy, so whatever is written through
     * &info is lost to the caller — presumably not intended; confirm. */
    NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
}
格式化字串:
/* 格式化字串 (format string) examples, kept as written on the page: each one is
 * intentionally vulnerable. Comments mark where untrusted data becomes the
 * format argument and the usual mitigation. "..." marks text elided on the page. */

/* Example1 */
int main(int argc, char **argv){
    char buf[128];
    ...
    /* argv[1] is passed as the format string, so %x/%s/%n directives chosen by
     * the user read from or write to the stack. argc is not checked either.
     * Pass it as data instead: snprintf(buf, sizeof buf, "%s", argv[1]). */
    snprintf(buf,128,argv[1]);
}

/* Example2 */
/* Positional conversions: %1$d re-reads the first argument (5). Illustrates
 * that a format string can address any argument position, which is what the
 * attacks above exploit. Mixing numbered (%1$d) and unnumbered (%d)
 * conversions in one format is undefined in POSIX. */
printf("%d %d %1$d %1$d\n", 5, 9);

/* Example3 */
...
syslog(LOG_ERR, cmdBuf);  /* cmdBuf is the format string (its origin is not shown
                           * on the page; presumably user-influenced). Use
                           * syslog(LOG_ERR, "%s", cmdBuf). */
...

/* Example4 */
#include <stdio.h>

/* Prints string, but hands it to printf as the format: any conversion
 * directives inside it are interpreted. printf("%s", string) or fputs(string,
 * stdout) is the fix. */
void printWrapper(char *string) { 
    printf(string);
}

int main(int argc, char **argv) { 
    char buf[5012]; 
    /* Copies 5012 bytes regardless of argv[1]'s length (reads past the end of
     * the argument string) and never checks argc, so argv[1] may be NULL.
     * buf itself is never used afterwards. */
    memcpy(buf, argv[1], 5012); 
    printWrapper(argv[1]);  /* attacker-controlled format string reaches printf */
    return (0);
}
整數溢出:
/* 整數溢出 (integer overflow) examples, kept as written on the page: each one is
 * intentionally vulnerable. Comments mark where the arithmetic goes wrong and
 * the usual mitigation. The shell transcripts on the page are kept as comments
 * (the prompt's user/host is obfuscated in the page text). */

/* Example1 */
short int bytesRec = 0;
char buf[SOMEBIGNUM];
while(bytesRec < MAXGET) {
    /* bytesRec is a signed 16-bit counter: once the running total passes 32767
     * it wraps negative (signed overflow, undefined behaviour), the loop
     * condition stays true and buf+bytesRec points before the start of buf.
     * Use size_t and bound the total by sizeof buf. (SOMEBIGNUM, MAXGET and
     * getFromInput are not defined on the page.) */
    bytesRec += getFromInput(buf+bytesRec);
}

/* Example2 */
nresp = packet_get_int();
if (nresp > 0) {
    /* nresp comes off the wire. nresp*sizeof(char*) can wrap (certainly with a
     * 32-bit size_t) to an allocation far smaller than the loop below fills, so
     * the response[i] stores run past the block. Cap nresp before multiplying
     * (nresp <= SIZE_MAX / sizeof(char *)) or use calloc(nresp, sizeof *response),
     * which checks the product. */
    response = xmalloc(nresp*sizeof(char*));
    for (i = 0; i < nresp; i++)
        response[i] = packet_get_string(NULL);
}

/* Example3 */
char* processNext(char* strm) {
    char buf[512];
    short len = *(short*) strm;  /* attacker-controlled and signed; also a possibly
                                  * misaligned, aliasing read — memcpy into len instead */
    strm += sizeof(len);
    if (len <= 512) {
        /* A negative len passes this check and then converts to a huge size_t
         * in memcpy. Check 0 <= len && len <= sizeof buf (or use an unsigned type). */
        memcpy(buf, strm, len);
        process(buf);
        return strm + len;
    } else {
        return -1;  /* an int returned as char *: not a valid pointer value, and
                     * callers cannot tell it from a real pointer safely */
    }
}

/* Example4 */
/* [email protected] ~/labs/integer $ cat add.c */
#include <stdio.h>
#include <limits.h>
int main(void){
    int a;
    // a=2147483647;
    a=INT_MAX;
    /* a+1 is signed overflow: undefined behaviour in C. The wrap to INT_MIN in
     * the transcript below is what this build happened to do, not a guarantee,
     * and %x with an int argument is itself a type mismatch (use unsigned). */
    printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);
    return 0;
}
/* [email protected] ~/labs/integer $ ./add
 * int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000) */

/* Example5 */
/* [email protected] ~/labs/integer $ cat multiplication.c */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char **argv){
    int i, j, z=0x00000001;
    char *tab;
    if(argc<2) _exit(1);
    i=atoi(argv[1]);  /* atoi reports no errors; strtol with endptr/errno would */
    if(i>0) {
        /* i * sizeof(char *) is evaluated in size_t. With a 32-bit size_t,
         * i = 1073741824 (2^30) times 4 wraps to 0, malloc(0) returns a tiny
         * block, and the loop below writes 2^30 bytes past it — consistent with
         * the segfault in the transcript (the page does not state the build's
         * word size). Guard with i <= SIZE_MAX / sizeof(char *), or use
         * calloc(i, sizeof *tab) — note tab is char *, so sizeof(char *) is
         * also the wrong element size. */
        tab = malloc(i * sizeof(char *));
        if(tab == NULL) _exit(2);
    }
    for(j=0; j<i; j++) tab[j]=z++;  /* int stored into char: truncated to the low byte */
    for(j=0; j<i; j++) printf("tab[j]=0x%x\n", tab[j]);  /* char promoted to int; negative bytes print sign-extended */
    return 0;
}
/* [email protected] ~/labs/integer $ ./multiplication 1073741824
 * Segmentation fault */
常見軟體安全性漏洞範例代碼