c - Why is this code vulnerable to buffer overflow attacks?


    #include <string.h>

    int func(char* str) {
        char buffer[100];
        unsigned short len = strlen(str);

        if(len >= 100)
        {
            return (-1);
        }

        strncpy(buffer,str,strlen(str));
        return 0;
    }

This code is vulnerable to a buffer overflow attack, and I'm trying to figure out why. I'm thinking it has to do with len being declared as a short instead of an int, but I'm not sure.

Any ideas?

On most compilers the maximum value of an unsigned short is 65535.

Any value above that gets wrapped around, so 65536 becomes 0, and 65600 becomes 65.

This means that long strings of the right length (e.g. 65600) pass the check, and overflow the buffer.


Use size_t to store the result of strlen(), not unsigned short, and compare len with an expression that directly encodes the size of the buffer. For example:

    #include <string.h>

    int func(char* str) {
        char buffer[100];
        size_t len = strlen(str);
        if (len >= sizeof(buffer) / sizeof(buffer[0]))
            return -1;
        memcpy(buffer, str, len + 1);   /* len + 1 also copies the terminating NUL */
        return 0;
    }
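The following is an added example, not code from the question or the answer above. It isolates the length check from both versions so the truncation can be observed without writing past any buffer: question_check_on_string() repeats the narrowing of strlen() into an unsigned short and reports whether the check would let the copy proceed, while copy_checked() is a size_t-based copy with the buffer size passed explicitly. The strings of 'A' bytes are constructed test input; BUF_SIZE, make_string, copy_checked and the two *_on_string helpers are names chosen here, not anything from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 100   /* same buffer size as the question's char buffer[100] */

/* Constructed test input: a heap string of n 'A' bytes plus the terminator.
   The caller frees it. Returns NULL if allocation fails. */
static char *make_string(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Replays the question's length check on a real string of n bytes without
   performing the copy. Returns 1 if the check would accept the string,
   0 if it rejects it, -1 on allocation failure. The assignment below
   narrows size_t to unsigned short exactly as the question's code does. */
int question_check_on_string(size_t n) {
    char *s = make_string(n);
    if (s == NULL)
        return -1;
    unsigned short len = (unsigned short)strlen(s);  /* truncated modulo 65536 */
    int accepted = (len < BUF_SIZE) ? 1 : 0;
    free(s);
    return accepted;
}

/* Hardened copy: the destination size travels with the pointer, the length
   stays a size_t, and the check leaves room for the terminating NUL.
   Returns 0 on success, -1 if src does not fit. */
int copy_checked(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);   /* len + 1 includes the NUL terminator */
    return 0;
}

/* Runs copy_checked() against a BUF_SIZE buffer for a string of n bytes.
   Returns copy_checked's result, or -2 on allocation failure. */
int hardened_on_string(size_t n) {
    char buffer[BUF_SIZE];
    char *s = make_string(n);
    if (s == NULL)
        return -2;
    int rc = copy_checked(buffer, sizeof buffer, s);
    free(s);
    return rc;
}

int main(void) {
    size_t lengths[] = { 99, 100, 65536, 65599, 70000 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        printf("len=%zu  question check accepts=%d  hardened copy rc=%d\n",
               lengths[i],
               question_check_on_string(lengths[i]),
               hardened_on_string(lengths[i]));
    }
    return 0;
}
```

Running it shows the failure mode the answer describes: lengths 99 and 100 behave the same under both checks, but a 65536-byte string (or 65599 bytes, which narrows to 63) is accepted by the unsigned short comparison, while the size_t version rejects every string that does not fit. A 70000-byte string narrows to 4464 and is rejected by both, which is why only strings of the right length slip through.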