Spot the Bug! : Spot the Bug - October 24, 2005

Monday, October 24, 2005 8:34 PM rsamona

Spot the Bug - October 24, 2005

It has been a while since the last bug was up. We certainly had some great discussion around it. I will try to get more bugs up on the site on a regular basis to keep everyone on their toes at all times :-)
Courtesy of Neelay Shah, Consultant (Foundstone)

#define MAX_STR_LEN 255

char strUserInput[MAX_STR_LEN+1];

scanf(“%s”, &strUserInput);

Solution

#define MAX_STR_LEN 255

char strUserInput[MAX_STRING_LEN+1];

fgets(strUserInput,MAX_STR_LEN+1,stdin);

Everyone figured out that in the bad way of programming the ‘scanf()’ function is used to read the user input from the console. Now, scanf() does not check for the length of the input string and if a malicious user enters a string longer than the maximum length it will lead to overwriting the memory following ‘strUserInput’. There is more than one good way to fix this. In our solution, we use the ‘fgets()’ function to read the user input and using which you can control the maximum length of the user input. This is a case of buffer overflow and perhaps easy but I added it because I think it is still very prevalent.

Filed under: Bug Squashed

Comments

# re: Spot the Bug - October 24, 2005

Tuesday, October 25, 2005 12:14 AM by TAG

scanf("%255s", &strUserInput);

# re: Spot the Bug - October 24, 2005

Tuesday, October 25, 2005 4:07 AM by SiM

scanf receives (char **)

# re: Spot the Bug - October 24, 2005

Tuesday, October 25, 2005 8:11 AM by KMariusT

scanf("%.255",strUserInput);

# re: Spot the Bug - October 24, 2005

Wednesday, October 26, 2005 6:19 AM by ilja

A bit too trivial ?

It's not really fun to "spot the bug" when there are only 2 lines of code staring you in the face and are shouting "I'm a bufferoverflow !!!!!!!!"

# re: Spot the Bug - October 24, 2005

Thursday, October 27, 2005 5:20 AM by sourabhm

So it's an Stack Overrun.

SOM

# re: Spot the Bug - October 24, 2005

Friday, October 28, 2005 9:58 PM by APJ

The variable declaration char strUserInput[MAX_STR_LEN+1]; creates an array of characters that is of size MAX_STR_LEN + 1. The call to scanf("%s", &strUserInput); is passing a pointer to the array (which is actually a pointer. Hence the scanf will attempt to insert the string located at the address of the pointer strUserInput, thus generating undefined results. The error would likely exhibit itself as incorrect string output, or as a address out of range if a nil value is not encountered.

# re: Spot the Bug - October 24, 2005

Monday, November 07, 2005 9:35 AM by Neoecs

I would be glad if someone posted a the same code, but without the bug too, then I would learn something too. ;P

# re: Spot the Bug - October 24, 2005

Tuesday, November 08, 2005 1:18 AM by abhinav

too many comments but please provide the right answer aaswell..

# re:Spot the Bug - October 24, 2005

Tuesday, November 08, 2005 4:12 AM by Nestos

I suppose, the answer is :
scanf("%s",strUserInput,MAX_STR_LEN+1);

# re: Spot the Bug - October 24, 2005

Wednesday, November 09, 2005 4:52 PM by anonymous

You could also chop off the end... (assuming you insisted on using scanf)

char strUserInput[MAX_STR_LEN+1];
scanf(“%s”, &strUserInput);
strUserInput[sizeof(strUserInput)/sizeof(*strUserInput)] = '\0';

This way, if the input is shorter than MAX_STR_LEN, then scanf will add a null terminator to the end of the string. Otherwise, this code will take the first 255 characters and then add a null terminator to the end.

# re: Spot the Bug - October 24, 2005

Thursday, November 10, 2005 6:33 AM by ryk

Erase that pointer reference, and notice that your array is not 255 length, so:

scanf("%.256s", strUserInput);

that is my suggestion ;P

# re: Spot the Bug - October 24, 2005

Monday, November 14, 2005 4:00 PM by iKrain

the answer would be:
char strUserInput[MAX_STR_LEN+1];
scanf("%s", strUserInput);

due to strUserInput is an array and is already a pointer to the first position in the array.

# re: Spot the Bug - October 24, 2005

Wednesday, November 16, 2005 7:38 PM by nachix

No one has noticed that there's two errors on the code. The first one is not checking the length of the user input. The second one is passing a pointer to the pointer of the char array, so the correct code would be:

scanf("%.256s", strUserInput);

Also, you could use some other input function that checks the input size.

# Spot the Bug Spot the Bug October 24 2005 | Best Eye Cream

Tuesday, June 09, 2009 4:04 PM by Spot the Bug Spot the Bug October 24 2005 | Best Eye Cream

PingBack from http://besteyecreamsite.info/story.php?id=1635

New Comments to this post are disabled

Spot the Bug!

Search

Tags

News

Archives

Spot the Bug - October 24, 2005

Comments

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re:Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# re: Spot the Bug - October 24, 2005

# Spot the Bug Spot the Bug October 24 2005 | Best Eye Cream