Question

Consider the following function which is called from main(). The meaning is that a substring of str will be copied in buf. The substring is between locations [start, end] of str. Does this program contain a buffer overflow vulnerability? Explain why or why not.

int func(char ∗str, int start, int end) {    ...    char   buf [1024];     if (end−start > 1024) {        printf (“Error - Substring too big\n”);        exit (-1);    }     strcpy (buf,   str);    ...    return 1; }

Answer 1

Answer: Going by the function definition, it is safe to assume that the original string (pointed by str) is of length 1024 and the function tries to copy a substring of the original string in char buff[]. If the original string size is not 1024, please let me know.

Now does this program has a buffer overflow vulnerabiliity ? Yes.

Reason is we created the buffer char buff[] to be size 1024. That is good and ok as original string is also of length 1024. But the problem lies in the fact that we are only checking the difference between the starting and ending index of substring to be copied i.e if end-start <= 1024 we copy it, otherwise not.

What if the start index is 5 and end index is 1029 (for example). In this case end-start = 1029-5 = 1024 which is within the limits defined and the copy operation strcpy(...) will take place. But is this allowed? The end index here is 1029. But str has index range only from 0 to 1023. We cannot access and copy the characters at indexes after 1024 because this is unauthorized or not intended by the programmer.

Hence we need to perform additional checks in addition to checking the difference between end-start > 1024 i.e

If (start <0 || end>1023)

printf("Error - Index out of bounds\n");

exit(-1); //abnormal termination

Please do let me know if you have any questions, queries/need clarifications. Thanks