tags:

views:

773

answers:

11
+10  Q: 

What C/C++ functions are most often used incorrectly and can lead to buffer overflows?

I've been asked to maintain a large C++ codebase full of memory leaks. While poking around, I found out that we have a lot of buffer overflows that lead to the leaks (how it got this bad, I don't ever want to know).

I've decided to removing the buffer overflows first, starting with the dangerous functions. What C/C++ functions that are most often used incorrectly and can lead to buffer overflow?

For compiler and/or tools used to help look for buffer overrun, I've created another question that deals with this

+2  A: 

Here's some functions that I found that are dangerous:

  • gets() - It doesn't check the length of the variable and can overwrite memory if the input is bigger than the variable's buffer.
  • scanf() - I'm so glad that Visual Studio told me this function is deprecated. This was an easy fix.
  • strcpy() - If the source's memory space is bigger than the destination's, the data after the destination is overwritten.
MrValdez  2008-10-03 14:34:17
+2  A: 

The following link should give you a comprehensive look at security functions in C++ (ones that are post-fixed with '_s' to fix problems like overflows): http://msdn.microsoft.com/en-us/library/8ef0s5kh(VS.80).aspx

EDIT: This link contains the specific functions that have been replaced: http://msdn.microsoft.com/en-us/library/wd3wzwts(VS.80).aspx

EDIT: I should mention these are Microsoft methods, but the link is still useful for identifying functions that were deemed a red flag.

j0rd4n  2008-10-03 14:36:07
These are non-portable Windows-specific functions, however.
Alex B  2008-10-03 14:40:01
Yes, but they identify functions that are a problem.
j0rd4n  2008-10-03 14:45:26
+2  A: 

Unfortunately any array can result in a buffer overflow:

uint32_t foo[3];
foo[3] = WALKED_OFF_END_OF_ARRAY;

In terms of functions, sprintf will happily walk off the end of the buffer. It can be replaced by snprintf.

DGentry  2008-10-03 14:36:43
+6  A: 

In general, any function that does not check bounds in the arguments. A list would be

  • gets()
  • scanf()
  • strcpy()
  • strcat()

You should use size limited versions like stncpy, strncat, fgets, etc. Then be careful while giving the size limit; take into consideration the '\0' terminating the string.

Also, arrays are NOT bound checked in C or C++. The following example would cause errors. See off by one error

int foo[3];
foo[3] = WALKED_OFF_END_OF_ARRAY;

edit: Copied answers of @MrValdez , @Denton Gentry

hayalci  2008-10-03 14:37:06
I disagree: functions which check bounds in the arguments are still dangerous. If you can overrun with strcpy, you can overrun with strncpy by getting the bound wrong, (e.g. increment the pointer and forget to decrement the bound). To protect yourself, use std::string or equivalent C string lib.
Steve Jessop  2008-10-03 16:11:05
A shorter summary might be "the C functions risk overflows. The C++ functions generally do not"
Aaron  2008-10-03 18:08:43
When using strnxxx versions, beware that they may produce a string that is not null-terminated
Arkadiy  2008-10-03 20:04:26
A: 

Basically, anything which accept a pointer and writes to it, without checking the length. So thing like strcpy(), sprintf() etc.

James Curran  2008-10-03 14:38:40
+2  A: 

Memcpy() is another dangerous one.

Any loop accessing an array is a danger point, because there's no stopping going beyond the end of array.

Memory Leaks are caused by allocating memory, and not freeing it. Constructor and destructors should be another strong review point, the latter to make sure any allocated memory is freeded.

Thomas Jones-Low  2008-10-03 14:39:33
memcpy isn't that dangerous, since it accepts a length parameter, so as long as the destination buffer is in sync with the length (both of which should be under the developer's control), it doesn't matter if the source buffer is compromised.
James Curran  2008-10-03 16:10:03
+2  A: 

Which version of visual studio are you using? In 2008 with all warnings enabled, all the functions you mention (and more) warn you that they are deprecated.

Perhaps you could check that all warnings are turned on and let the compiler do the hard work for you?

As a side note, the excellent writing secure code does a great job explaining the different the pitfalls of some of the older functions.

John Sibly  2008-10-03 14:43:24
I've opened another question (http://stackoverflow.com/questions/167199/what-cc-tools-can-check-for-buffer-overflows) that deals with tools for helping me look for functions that can create overflows.
MrValdez  2008-10-03 14:55:00
+2  A: 

I have somewhat the same problem on the code base I work on. My advice: be wary of any C functions that look like str*() and mem*(). Also be wary of anything that takes a pointer to a buffer, without a length. Since it seems like you have the chance to use C++ I would in the most egregious cases try to use C++ containers for things: vector, string, map, etc. These make your life a lot easier.

Also, automated problem detection tools are wonderful to have. If you can use valgrind I would recommend it. Also Rational Purify is extremely powerful, though not cheap.

 2008-10-03 14:43:28
+3  A: 

The question is starting at the wrong end, I'm afraid. It's presuming that buffer overruns happen in other functions. The most common cause is operator++, in my experience, or alternatively a lack of operator!=.

The best solution to find a batch of those is /GS in Visual Studio 2005/8. It won't find all of them, but it's a cheap way to reduce the amount of manual work needed.

MSalters  2008-10-03 15:08:02
+3  A: 

Valgrind is your new best friend.

valgrind --tool=memcheck --leak-check=full ./a.out

dicroce  2008-10-03 15:11:03
A: 

An additional gotcha in C is the "strncpy()" function. Many people do not realize that it is free to return a string that is not null terminated.

jdkoftinoff  2009-06-08 00:11:36

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS