buffer overflow possible in CNI string-handling code?

Bryce McKinlay bryce@waitaki.otago.ac.nz
Mon Mar 11 18:42:00 GMT 2002


Adam Megacz wrote:

>Bryce McKinlay <bryce@waitaki.otago.ac.nz> writes:
>
>>The end of the stack is guarded by a write-protected page.
>>
>
>Okay, here's where I show my ignorance...
>
>So why do buffer overflows work?
>
>Wouldn't the overflowing strcpy() [that's usually the offending call,
>right?] hit the write-protected page and cause a fault?
>

Because stacks "grow down" in memory (at least on most systems) - i.e. the
stack frame for a given function is located at a lower address than that
which called it.  So (I guess) what happens with a buffer overflow
exploit is that you write over the beginning of the stack frame above
you, for example replacing the saved return address with a location
containing malicious code.

So, provided you do a bounds check which ensures that the size of
the string being written is not larger than the amount of stack
allocated for it, you are fine. No matter how huge the string is, the
worst that can happen is a crash - it can't overwrite the stack of
another thread, memory containing code, etc.

regards

Bryce.
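The bounds check Bryce describes, as an added example in C that is not part of the thread: a fixed-size stack buffer whose copy routine refuses any string that would not fit (terminating NUL included) rather than letting strcpy() run past the end of the frame. The buffer size and the sample inputs are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* bytes of stack reserved for the copy (constructed size) */

/* Copy src into dst only if it fits, terminating NUL included.
 * strcpy() would write strlen(src)+1 bytes regardless of dst_size; the
 * excess lands above dst, in the caller's frame, where the saved return
 * address lives. Here an oversized string is rejected and nothing is
 * written, so the worst case is a refused input, not a corrupted frame. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;
    /* Scan at most dst_size bytes, which also bounds the cost of checking
     * a huge input. Reaching dst_size without a NUL means there is no room. */
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)
        return false;
    memcpy(dst, src, n + 1);
    return true;
}

/* A function with a fixed-size stack buffer, as in the scenario discussed.
 * Returns the number of bytes stored, or -1 if the input was rejected. */
int handle_name(const char *src)
{
    char buf[NAME_BUF];
    if (!copy_bounded(buf, sizeof buf, src))
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    const char *inputs[] = {
        "bryce",                          /* fits */
        "123456789012345",                /* 15 chars + NUL: exactly fills */
        "1234567890123456",               /* 16 chars: no room for the NUL */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-64s -> %d\n", inputs[i], handle_name(inputs[i]));
    return 0;
}
```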
