What tool can catch buffer overflows in C?

Question

So I have this simple piece of code which demonstrates a simple buffer overflow:

#include <stdio.h>

int main(void)
{
    char c[4] = { 'A', 'B', 'C', 'D' };
    char d[4] = { 'W', 'X', 'Y', 'Z' };

    printf("c[0] is '%c'\n", c[0]);

    d[4] = 'Z'; /* Overflow that overwrites c[0] */

    printf("c[0] is '%c'\n", c[0]);

    return 0;
}

The output:

$ ./a.out
c[0] is 'A'
c[0] is 'Z'

I have tried compiling this code with the following gcc options and it passed with flying colors:

gcc -Wall -Wextra -Wformat=2 -Wswitch-default -Wcast-align -Wpointer-arith \
    -Wbad-function-cast -Wstrict-prototypes -Winline -Wundef -Wnested-externs \
    -Wcast-qual -Wshadow -Wwrite-strings -Wconversion -Wunreachable-code \
    -Wstrict-aliasing=2 -ffloat-store -fno-common -fstrict-aliasing \
    -Wstack-protector -fstack-protector-all -std=c99 -pedantic -O0 -ggdb3

I also tried libefence and valgrind. I expected libefence to pass since it's made to catch out of bounds read/writes on the heap, but I was surprised that valgrind passed.

This code does not produce a Segfault since c[4] and d[0] happen to overlap and I think it is this that is causing tools to miss it.

So, what out there CAN catch this? Something free that works on Linux would be nice.

Answer 1

If it is on linux I would try out valgrind first, I think it will handle it.

Edit: If it is like SiegeX says I guess valgrind doesn't (which makes sense because it have no way to insert guards on the stack as it is only involved in the process runtime). It is however a good tool anyway that is worth having in your toolbox so I will keep the post.

Answer 2

I think there's an implied null character in this case, since you're referencing a literal string. Hence, d[4] is still in bounds (imagine d as const char*)....I may be incorrect though.

Answer 3

As valgrind works on binary, it did not see anything wrong with this code. Check these (http://www.thefreecountry.com/programming/debuggers.shtml) static source code analyzers, they should find. If they do not work, PC-lint (http://www.gimpel.com/html/pcl.htm) will handle this....

Answer 4

GuardMalloc/libgmalloc???

Answer 5

Rational Purify works quite well with detecting buffer overflows, memory leaks, corruptions, etc. It is pretty expensive, though.

The mem package mentioned in this SO answer may be another option.

Answer 6

Coverity (a static analysis tool) will catch this.

Answer 7

Try cppcheck.

Answer 8

Buffer overflows are fairly hard to catch in C since they don't happen until runtime. To minimize the chance of causing one you should use the somewhat safer standard library functions that do some bounds checking -- e.g. fgets() instead of gets().

If your manipulating a lot of arrays manually you should probably write unit tests to check edge cases in your algorithms. Cmockery is an example a unit test framework for C.

Answer 9

Valgrind doesn't catch overflows in automatic and static storage. At least not by default. IIRC to make it work you should either turn on some option or run of the "in development" tools that comes with it, not the default "memcheck".

Answer 10

visual studio (with -Zi I think, but I could be wrong) catches this sort of assignment with its runtime stack checker. It's not the free linux solution you preferred, but does work nicely.

Answer 11

Try with Bugfighter C/C++.

I use it every day and it works fine, even with multidimensional array like array[5][5][5].

The Bugfighter web page is www.bugfighter-soft.com.

Bye