user3061385

Reputation: 139

Bypass memory corruption limitations

Assuming you are a security code auditing guy and you have run into some code like this:

if(strlen(data) < 100) {
     strcpy(buffer, data);
}

What would you do in order to corrupt the buffer? Is that possible? If so, how? And why not use that condition for code security?

Upvotes: 3

Views: 121

Answers (1)

jerry

Reputation: 2611

One obvious answer is if buffer isn't at least 101 chars long, a specific case of which is when the programmer forgot that the null-terminator is copied as well (if the buffer is exactly 100 chars long). There are two more subtle attack vectors I can see off the top of my head:

  1. data may border on non-readable memory and not contain a null-terminator. This would cause a segmentation fault or access violation, but not memory corruption directly.

  2. data and buffer could overlap when treated as strings. The behavior is undefined in this case.

As an example of the second attack, take the following code:

#include <stdio.h>
#include <string.h>

int main(void)
{
    char someImportantString[] = "Something that should not be overwritten";
    char buffer[101] = "\0goodbye cruel world";
    /* 16 bytes, deliberately without a terminating '\0':
       strlen(data) keeps reading into whatever follows it in memory */
    char data[16] = {'h', 'e', 'l', 'l', 'o',' ','w','o','r','l','d',
                     'x','x','x','x','x'};

    /* the length check is itself undefined behaviour here, and strcpy
       then copies until it happens to find a '\0' somewhere beyond data */
    if(strlen(data) < 100)
    {
         printf("Probably not good\n");
         strcpy(buffer, data);
    }

    return 0;

}

The likely result of this is overwriting a lot of memory and then seg-faulting.

Upvotes: 5
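The check in the question fails because strlen() trusts the source to be terminated and the copy trusts the destination to be big enough. The following is an added example, not code from the question or the answer, showing a copy routine that carries both sizes explicitly: it never reads past the source's known capacity, counts the terminator when checking the destination, and uses memmove so the overlap case the answer mentions is well defined. The name bounded_copy, its helper bounded_len and the return codes are assumptions made for this example; the sample inputs are constructed to reproduce the answer's unterminated data[16] and the off-by-one at the destination boundary.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of s, never looking past cap bytes. Returns cap if no '\0'
 * was found within cap bytes (same contract as POSIX strnlen, written
 * out here so the example does not depend on feature-test macros). */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst, reading at most src_cap bytes of src and writing at
 * most dst_cap bytes of dst. Hypothetical helper for this example.
 * Returns 0 on success,
 *        -1 if src has no '\0' within src_cap bytes (unterminated input),
 *        -2 if the string plus its terminator does not fit in dst,
 *        -3 on a bad argument. dst is left untouched on any failure. */
int bounded_copy(char *dst, size_t dst_cap, const char *src, size_t src_cap)
{
    if (dst == NULL || src == NULL || dst_cap == 0)
        return -3;
    size_t len = bounded_len(src, src_cap);
    if (len == src_cap)
        return -1;               /* would have read past src */
    if (len + 1 > dst_cap)
        return -2;               /* the '\0' needs a byte too */
    memmove(dst, src, len + 1);  /* memmove: defined even if src and dst overlap */
    return 0;
}

/* Exercise the cases discussed above with constructed inputs. */
int main(void)
{
    char buffer[100];

    /* 1. Ordinary terminated input: copies fine. */
    const char ok[] = "hello world";
    printf("terminated:   rc=%d\n", bounded_copy(buffer, sizeof buffer, ok, sizeof ok));

    /* 2. Unterminated input, like data[16] in the answer: strlen() would
     *    read past it; bounded_copy refuses instead. */
    char data[16] = {'h','e','l','l','o',' ','w','o','r','l','d','x','x','x','x','x'};
    printf("unterminated: rc=%d\n", bounded_copy(buffer, sizeof buffer, data, sizeof data));

    /* 3. 100 characters plus '\0' into a 100-byte buffer: one byte too many. */
    char big[101];
    memset(big, 'A', 100);
    big[100] = '\0';
    printf("too long:     rc=%d\n", bounded_copy(buffer, sizeof buffer, big, sizeof big));

    return 0;
}
```

The point of passing src_cap is that the caller always knows how large the object holding the input is (a fixed array, a malloc'd size, a length from the network layer), so the routine can be given a hard stop instead of hoping for a terminator. Compiling this with -fsanitize=address is a cheap way to confirm that no case above touches memory outside the two arrays.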
