Safety is a major league buzzword in the industry today. In many conversations it refers to the dangers, real or imagined, that arise from using data supplied by someone else, through the keyboard, a file, or an Internet connection. The advice you'll get on how to avoid these dangers usually recommends two approaches: Always validate data, and never use dangerous functions. To convince you that this is important, you'll hear slogans whose tone ranges from benign ("I always look both ways before I cross a street, even if it's a one-way street") through condescending ("We shouldn't leave sharp knives around where children can play with them") to outright insulting ("Anyone who uses gets is incompetent").
In the midst of all this we have the C technical report TR 24731 [1], which provides a set of replacements for the Standard C string-handling functions that are intended to "promote safer, more secure programming" [2]. In this column, I look at the nature of the problem that the functions in TR 24731 address, how the TR addresses the problem, and other ways it can be addressed in real-world code.
Buffer Overruns
Remember when you wrote code like this?
char buf[4]; strcpy(buf, "abcd");
Most of the time it would work. That is, the program would run to completion, doing what you expected it to do. But once in a while, a program with code like this would crash, and you'd have to fire up the debugger [3].
Now that you're more sophisticated, this kind of error takes on a more subtle form:
char buf[MAX_LINE]; gets(buf);
This code assumes that standard input has been redirected from a file consisting of lines that hold no more than MAX_LINE characters. If there's a longer line, there's no telling what will happen. For example, if standard input has not been redirected, users at the terminal can type anything at all, and will almost certainly at some point type something that's longer than any reasonable value of MAX_LINE.
In both of these cases, the extra characters get written to the memory locations beyond the end of buf. If there are other auto variables in the function that execute this code, they might get overwritten. This, of course, puts your program into an unanticipated state, which it probably can't handle. If you're lucky, it will crash immediately. If not, it continues to run with corrupted data and produces results that don't make sense.
But it's not just data that's vulnerable. A function's return address is stored on the stack along with its auto variables, so instead of overwriting your program's data, the buffer overrun can overwrite the return address. When the function returns, the processor jumps back to an address that doesn't make sense, and the program crashes.
Malicious users can deliberately feed bad data to a program with this sort of error to make it crash. When that's done through the Internet, it's one of the forms of a Denial of Service attack: If a web site's programs keep crashing, the web site can't be used for much.
Crashing someone else's program is fun for a while, but it soon gets boring. A much more exciting kind of exploit requires more sophistication. The attacker puts some assembly code into a buffer somewhere, then overwrites the function's return address with a new address that points to the assembly code. When the function returns, it jumps to the intruder's code, and he's in control [4].
So, obviously, you shouldn't write code that allows buffer overruns. The problem, of course, is how to prevent them.
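Bounded replacements for the two snippets above, as an added example that is not from the column: written in portable C rather than with TR 24731's strcpy_s/gets_s, each routine takes the destination size explicitly and reports an overlong input instead of writing past the end of the buffer. MAX_LINE is set to 8 here, an assumed value chosen so the overflow cases are easy to see.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LINE 8   /* assumed small so the overflow cases are easy to see */
/* Copy src into dst without writing past dstsize bytes. Returns 0 on success,
 * -1 if src does not fit (dst is then "" so a half copy can't be used by mistake). */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0) return -1;
    size_t n = strlen(src);
    if (n >= dstsize) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}
/* Read one line into buf (at most bufsize-1 chars, newline stripped). Returns 1 for
 * a complete line, 0 at EOF with nothing read, -1 if the line was longer than the
 * buffer; the overlong tail is discarded so the next call starts on a fresh line. */
int bounded_getline(char *buf, size_t bufsize, FILE *fp)
{
    if (fgets(buf, (int)bufsize, fp) == NULL) return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 1; }
    int c = fgetc(fp);
    if (c == '\n' || c == EOF) return 1;            /* line fit the buffer exactly */
    while (c != EOF && c != '\n') c = fgetc(fp);    /* drain the overlong line */
    return -1;
}
/* The strcpy case from the column with a 4-byte buffer: "abc" fits, "abcd" is refused. */
int demo_copy(void)
{
    char buf[4];
    if (bounded_copy(buf, sizeof buf, "abc") != 0 || strcmp(buf, "abc") != 0) return 1;
    if (bounded_copy(buf, sizeof buf, "abcd") != -1 || buf[0] != '\0') return 2;
    return 0;
}
/* The gets case on constructed input: a short line, an overlong line, a line that
 * fits exactly, then EOF. Returns 0 when every call reports what it should. */
int demo_getline(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return 1;
    fputs("abc\n0123456789\nabcdefg\n", fp);
    rewind(fp);
    char buf[MAX_LINE];
    int ok = bounded_getline(buf, sizeof buf, fp) == 1 && strcmp(buf, "abc") == 0;
    ok = ok && bounded_getline(buf, sizeof buf, fp) == -1;
    ok = ok && bounded_getline(buf, sizeof buf, fp) == 1 && strcmp(buf, "abcdefg") == 0;
    ok = ok && bounded_getline(buf, sizeof buf, fp) == 0;
    fclose(fp);
    return ok ? 0 : 2;
}
```

The -1 return is the point: the caller learns that the input did not fit and can reject or re-prompt, where strcpy and gets would silently have overwritten whatever lies beyond buf.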