Jake

Reputation: 16837

Invoke C program with argv[0] as NULL

The following is from a book on secure C coding:

Vulnerabilities can occur when inadequate space is allocated to copy a program input such as a command-line argument. Although argv[0] contains the program name by convention, an attacker can control the contents of argv[0] to cause a vulnerability in the following program by providing a string with more than 128 bytes. Furthermore, an attacker can invoke this program with argv[0] set to NULL:

int main(int argc, char *argv[]) {
   /* ... */
   char prog_name[128];
   strcpy(prog_name, argv[0]);
   /* ... */
}

I want to ask how the attacker will invoke the program with argv[0] set to NULL, if argv[0] is the program name?

Upvotes: 0

Views: 214

Answers (1)

Barmar

Reputation: 782105

By using a function like execlp() to start the program, instead of running the program from a shell. All the exec functions require the caller to provide the argv elements explicitly, and they can easily violate the convention.

execlp("program_name", (char *)NULL);

Note that there are actually some uses for this ability. Not specifically argv[0] == NULL, but the option to make argv[0] different from the program name. There's another convention that login shells are run with - as the first character of argv[0] (because the traditional login process doesn't provide a way to pass parameters to the shell).

Upvotes: 7
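
A hardened form of the book's program, as an added example that is not part of the question, the answer or the book. The helper name safe_prog_name and its return codes are assumptions for illustration; it covers both cases the quoted passage names, a NULL argv[0] and an argv[0] too long for the 128-byte buffer.

```c
#include <stdio.h>
#include <string.h>

#define PROG_NAME_MAX 128

/* Hypothetical helper (not from the book or the answer): copy argv[0]
 * into dst without trusting whoever called exec*().
 * Returns 0 on success, -1 if argv[0] is absent, -2 if it does not fit. */
int safe_prog_name(char *dst, size_t dstsz, int argc, char *const argv[])
{
    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';

    /* execlp("program_name", (char *)NULL) gives argc == 0, argv[0] == NULL. */
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return -1;

    /* Look for the terminator within dstsz bytes only. If it is not there,
     * the name would have overflowed the strcpy() in the original program,
     * so reject it instead of silently truncating. */
    const char *end = memchr(argv[0], '\0', dstsz);
    if (end == NULL)
        return -2;

    memcpy(dst, argv[0], (size_t)(end - argv[0]) + 1); /* copies the NUL too */
    return 0;
}

int main(int argc, char *argv[])
{
    char prog_name[PROG_NAME_MAX];

    switch (safe_prog_name(prog_name, sizeof prog_name, argc, argv)) {
    case 0:
        printf("program name: %s\n", prog_name);
        return 0;
    case -1:
        fputs("argv[0] missing; refusing to continue\n", stderr);
        return 1;
    default:
        fputs("argv[0] too long; refusing to continue\n", stderr);
        return 1;
    }
}
```

On Linux 5.18 and later the kernel substitutes an empty string when the caller passes an empty argv, so there the helper sees "" rather than NULL; the NULL check still matters on older kernels and other systems.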
