Am i vulnerable, Where?

Question

Netcode 33 Veteran Poster

10 Years Ago

#include <stdlib.h>
    #include <string.h>
     int main(int argc, char *argv[]) {
     char *first, *second, *third;
     first = malloc(888);
     second = malloc(22);
     third = malloc(22);
     strcpy(first, argv[1]);
     strcpy(second, argv[2]);
     free(first);
     free(second);
     free(third);
     return(0);
     }

Like I said before, I need help learning C and trying to figure out my errors. With this code, am I vulnerable in terms of memory allocation? Could an attacker take advantage? If yes, please help me with your recommendations and guides

Thanks

c memory-allocation

4 Contributors
5 Replies
201 Views
3 Weeks Discussion Span
Latest Post 10 Years Ago Latest Post by deceptikon

All 5 Replies

Suzie999 245 Coding Hobbyist

10 Years Ago

I'd say yes you are.

You don't know the size of string you are copying into your buffers, so could cause overflow.

Maybe strncpy would be better, I believe only amount of chars specified are copied, but you have to terminate it yourself.

Edited 10 Years Ago by Suzie999

deceptikon 1,790 Code Sniper

10 Years Ago

Your code performs precisely zero length, existence, or success checks, so it's absolutely vulnerable to malicious use. It's also brittle in the face of legitimate use. Let's add a few checks to make it better:

#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char *first, *second;

    first = malloc(888);
    second = malloc(22);

    if (first != NULL && argc > 1) {
        first[0] = '\0';
        strncat(first, argv[1], 887);
    }

    if (second != NULL && argv > 2) {
        second[0] = '\0';
        strncat(second, argv[2], 21);
    }

    free(first);
    free(second);

    return(0);
}

Of course, in practice the arguments may be required and/or related to each other, in which case the tests would be different. Right now they're entirely independent.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Edward_3 0 Newbie Poster · Answer 1 · 2014-03-31T15:39:28+00:00

Hi,
You should check length of string by using strlen(argv[i]), then calculate size of first, second, and so on, that is N = (strlen(argv[i]) + 1). Okay, now you can allocate room for the string:

first = (char *)malloc(sizeof(char) * N);

Check the allocating is okay then copy string from argv[i] to first, second, and so on.
Hope this helps!

Netcode 33 Veteran Poster · Answer 2 · 2014-04-21T15:00:10+00:00

Thanks guys, though am trying to put things together. Got some more help from a friend and he talked about "unlink technique" Does that show up any where on the code?

deceptikon 1,790 Code Sniper Team Colleague Featured Poster · Answer 3 · 2014-04-21T21:16:04+00:00

Got some more help from a friend and he talked about "unlink technique"

Sounds like non-standard terminology. Did he go into detail about what that means?

Am i vulnerable, Where?

Recommended Answers Collapse Answers

All 5 Replies

Recommended Answers