Secure Coding: Study of the vulnerability of using gets function


Recently, with the growth of advanced technology, more people are concerned about vulnerabilities in digital systems, and the demand is continuously increasing.

In C/C++ in particular, gets() has been deprecated because of a security issue: it places no limit on how much input it writes into the buffer, which can cause the program to crash with a segmentation fault. For this reason, alternative functions are recommended: getdelim() or getline().

In this post, I use gdb on the code below to study why gets() was deprecated.

The code is as follows:

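#include <stdio.h>

int main(void) {
    int cookie;      /* never initialised; only an overflow of buf can set it */
    char buf[80];

    /* print where the two locals live on the stack */
    printf("buf: %p cookie: %p\n", (void *)&buf, (void *)&cookie);
    gets(buf);       /* no length limit: input longer than buf overflows it */

    if (cookie == 0x000a0d00)
        printf("you win!\n");
    return 0;
}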

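The addresses of the cookie and buf variables:

char buf[80]: 7efff564 int cookie: 7efff5b4

The difference between the two addresses is 0x50 (80) bytes, so cookie sits immediately after the end of buf.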


1. Input: 80 ‘a’ characters



2. Input: 81 ‘a’ characters

An overflow occurred on buf, and the contents of cookie changed, i.e. cookie now holds the value ‘a’.


3. Input: 82 ‘a’ characters

An overflow occurred on buf, and the contents of cookie changed, i.e. cookie now holds the value ‘aa’.


4. Input: 83 ‘a’ characters

A segmentation fault occurred.
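The runs above show gets() writing past the end of buf into cookie. The following added example (not part of the original post) feeds the same kind of input to a length-bounded reader built on fgets(), used here in place of the getline()/getdelim() functions the post names; the struct frame layout, the SENTINEL value, and the read_line and try_input helpers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SENTINEL 0x01020304  /* constructed marker value, not from the post */

/* Same layout the post observed: cookie sits right after buf[80]. */
struct frame { char buf[80]; int cookie; };

/* Bounded replacement for gets(): never writes more than size bytes.
 * Returns the line length, -1 on EOF/error, or -2 if the line did not
 * fit (the rest of it is consumed so the next read starts clean). */
int read_line(FILE *in, char *buf, size_t size) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {  /* whole line fit */
        buf[len - 1] = '\0';
        return (int)(len - 1);
    }
    int c, too_long = 0;
    while ((c = getc(in)) != EOF && c != '\n')
        too_long = 1;                       /* data beyond size-1 bytes */
    if (too_long) buf[0] = '\0';            /* reject, do not truncate silently */
    return too_long ? -2 : (int)len;
}

/* Feed n 'a' characters plus a newline (constructed input) to read_line;
 * returns its result and reports whether cookie kept its value. */
int try_input(size_t n, int *cookie_intact) {
    struct frame f = { .cookie = SENTINEL };
    FILE *fp = tmpfile();
    *cookie_intact = 1;
    if (fp == NULL) return -1;
    for (size_t i = 0; i < n; i++) putc('a', fp);
    putc('\n', fp);
    rewind(fp);
    int r = read_line(fp, f.buf, sizeof f.buf);
    fclose(fp);
    *cookie_intact = (f.cookie == SENTINEL);
    return r;
}

int main(void) {
    for (size_t n = 79; n <= 83; n++) {
        int ok, r = try_input(n, &ok);
        printf("%zu chars -> result %d, cookie intact: %d\n", n, r, ok);
    }
    return 0;
}
```

A line of 79 characters is the longest that fits in buf together with its terminating NUL; anything longer is rejected with -2 and cookie is left unchanged.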
