Some help with a small piece of code

Question

Hi everyone I am trying to understand a question set to me by my lecturer. The textbook given to us doesn't provide any information on it as well. Below is an example of a code that the lecturer wants us to edit so that it is no longer vulnerable to buffer overflow attacks. Normal 0 false false false EN-AU X-NONE X-NONE /* Style Definitions */ table.MsoNormalTable {mso-style-name:Table Normal; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin-top:0cm; mso-para-margin-right:0cm; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0cm; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:Calibrisans-serif; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} int copy_buf(char *to int pos char *from int len) { int i; for (i=0; i to[pos] = from[i]; pos++; } return pos; } does anyone have any ideas how to do this? or able to solve this? - Thanks

Ryan Alford · Answer

could Annoying Truth possibly be the instructor of the class? if so.....somebody just got BUSTED.

Annoying Truth · Answer

First of all I'm going to assume you are from Deakin University studing SIT182. Mostly due to the impeccable timing of your question. :) Secondly the code section from the book is actually C code not C# code it says so in the question and in the book. Why Deakin has used this C example to the Assignment despite the fact they only teach C# in first year I don't know. Thirdly I hope you reference this thread correctly or you will be busted for plaguarism if I can find it via Google the software they use to detect plaguarism probably will. Plagiarism is the copying of another person's ideas or expressions without appropriate acknowledgment and presenting these ideas or forms of expression as your own. And finally if you read the template document (Assignment 1) in the marking area it gives hints. [Marking scheme: new parameter = 1 mark; selection statement=1 mark; check for buffer overflow = 2 marks; completeness of code = 1 mark] Which basically means they expect you to add a new parameter to the function and use a control structure to check for the buffer overflow. If you check the pages in the book around the specified Figure mentioned in the question it gives you the answer logic just not the code. Also if you read the pages around the Figure it has a sentence which explains why looking for \0 is not suitable Hope that helps

Kev Li · Answer

Thanks very much for your replies Alan.

Alan · Answer

Incidentally although I'm cheating a bit in the context of the question the easiest way of all to prevent a buffer overflow is to avoid unsafe code altogether and replace the char* parameters with char[] parameters. C#'s automatic array bounds checking will then ensure that a buffer overflow isn't possible: using System; class Program { static void Main() { // test data string toBuffer = new string(' ' 10); // fill with ten spaces string fromBuffer = Hello; Program p = new Program(); char[] to = toBuffer.ToCharArray(); char[] from = fromBuffer.ToCharArray(); int result = p.copy_buf(to 7 from 6); if (result > -1) { toBuffer = new string(to); Console.WriteLine(The buffer was successfully copied); Console.WriteLine(The 'to' buffer now contains the string '{0}'toBuffer); } Console.ReadLine(); } int copy_buf(char[] to int pos char[] from int len) { if (pos { Console.WriteLine(pos is too small); return - 1; } if (len { Console.WriteLine(len is too small); return - 1; } Console.WriteLine(Size of 'to' buffer is {0} to.Length); Console.WriteLine(Size of 'from' buffer is {0} from.Length); try { int i; for (i=0; i to[pos] = from[i]; pos++; } } catch (Exception ex) { Console.WriteLine(ex.Message); return -1; } return pos; } }

Alan · Answer

OK now we've established that it is C# code here's how could modify it to check for buffer overflows. For convenience I've posted the full test app.If you're compiling from the command line (as opposed to VS) don't forget to specify the /unsafe switch: using System; unsafe class Program { static void Main() { // test data string toBuffer = new string(' ' 10); // fill with ten spaces string fromBuffer = Hello; Program p = new Program(); int result; fixed (char* to = toBuffer from = fromBuffer) { result = p.copy_buf(to 7 from 6); } if (result > -1) { Console.WriteLine(The buffer was successfully copied); Console.WriteLine(The 'to' buffer now contains the string '{0}'toBuffer); } Console.ReadLine(); } int copy_buf(char *to int pos char *from int len) { if (pos { Console.WriteLine(pos is too small); return - 1; } if (len { Console.WriteLine(len is too small); return - 1; } // find length of 'to' buffer int toLen = 0; char* cp = to; while (*cp++ != '\0') toLen++; // find length of 'from' buffer int fromLen = 0; cp = from; while (*cp++ != '\0') fromLen++; Console.WriteLine(Size of 'to' buffer is {0} toLen); Console.WriteLine(Size of 'from' buffer is {0} fromLen); int errorValue = 0; if (len > fromLen) { Console.WriteLine(Attempted to overrun 'from' buffer by copying {0} characters len); errorValue = -1; } if (pos + len > toLen) { Console.WriteLine(Attempted to overrun 'to' buffer by copying {0} characters from index of {1} onwards len pos); errorValue = -1; } if (errorValue == -1) return -1; // safe now to do buffer copy int i; for (i=0; i to[pos] = from[i]; pos++; } return pos; } }

Kev Li · Answer

Please would anyone care to show me where the changes are needed or do it? My C# skills aren't that sharp.

Kev Li · Answer

Thanks its weird the textbook (Computer Security: Principles and Practice William Stallings) says its an unsafe byte copy. I am pretty new to C# so was hoping someone could point out where the changes would be at.

Alan · Answer

This looks like an exercise in C programming to me though what you've shown is valid C# in an 'unsafe' context. Given no information on the size of the 'to' or 'from' buffers what I'd suggest you do is find out how big they are by iterating though the chars until you reach the '\0' char. You can then check whether or not adding 'len' chars from 'pos' onwards will overflow either buffer and if it will issue an appropriate error message.