
I have the following code:

#include <stdio.h>

int main(int argc, char *argv[])
{
    char ch[10];
    /* gets() has no bound: it writes however many characters the line holds */
    printf("String 10 max. :: "); gets( ch );

    printf("String: %s\n", ch);

    return 0;
}

When I run this with "12345678" as ch it runs well. The strange thing is when I run it with "123456789012345678901234567890"! The second printf prints ALL of the string (all 30 chars) to the screen.

Why does this happen? Why doesn't my code crash?

Thanks for your time,
Azteca

  • Because there is no requirement in the standard nor in your compiler's documentation that it must crash. The behavior of your program is undefined, that is, you must have no expectation on how it behaves. This includes the expectation that it crash. Commented Apr 22, 2014 at 17:23
  • Probably in your case the "extra" characters don't get overwritten, and gets is nice enough to null-terminate them (I think). Commented Apr 22, 2014 at 17:25
  • If programs always crashed on buffer overflow, it wouldn't cause so many security exploits. Commented Apr 22, 2014 at 17:25
  • Just write more; it will eventually crash (or panic if stack cookies are enabled). Commented May 27, 2014 at 7:59

5 Answers

Buffer overflow is undefined behaviour. It may crash, but no one guarantees that. In most compilers, the stack grows down, so you probably override main's return address, but the call to printf doesn't override your string.


You're not seeing any effect because you don't have any more local variables; change the code to this and you will:

#include <stdio.h>

int main(int argc, char *argv[])
{
    char ch[10];
    int i=42;   /* a neighbouring local that the overrun can clobber */

    printf("String 10 max. :: "); gets( ch );

    printf("String: %s\n", ch);
    printf("i: %d\n", i);

    return 0;
}

3 Comments

  • Ok ok, but what about the return value. Isn't it a variable of type int?
  • @azteca1998 You have returned a literal constant 0, not a variable.
  • Also, a simple integer-type return value will be returned in a CPU register, not on the stack. Overrunning the buffer is BAD; if your code were not so simple (nested function calls), not only would you be trashing local variables, but also return addresses, meaning your code would crash on function exit because of a corrupted return address.
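A bounds-checked replacement for the gets() call in the question, added here as an example rather than code from any of the answers: read_line (a name chosen for this example) reads at most size-1 characters with fgets, discards any overflowing remainder so it cannot spill into the next read, and reports truncation so the caller can react instead of silently clobbering the neighbouring i.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of a bounded line read. */
enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

/*
 * Read one line from `in` into `buf` (capacity `size`, terminator included).
 * Unlike gets(), this never writes past buf[size - 1]. If the line does not
 * fit, the excess is consumed and dropped and READ_TRUNCATED is returned.
 */
enum read_status read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size > 0) buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';              /* strip the newline, as gets() did */
        return READ_OK;
    }
    /* No newline seen: the line fit exactly, the input ended, or it overflowed. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;
    while (c != '\n' && c != EOF)         /* discard the overflowing remainder */
        c = fgetc(in);
    return READ_TRUNCATED;
}

int main(void)
{
    char ch[10];                          /* same 10-byte buffer as the question */
    int i = 42;                           /* the neighbour the answer above adds */

    printf("String 9 max. :: ");
    enum read_status st = read_line(ch, sizeof ch, stdin);
    if (st == READ_TRUNCATED)
        printf("input exceeded %zu characters and was truncated\n", sizeof ch - 1);

    printf("String: %s\n", ch);
    printf("i: %d\n", i);                 /* stays 42 whatever the input length */
    return 0;
}
```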

A buffer overflow only causes a "crash" (i.e., a segmentation fault) if you are trying to read/write from a page that has not been mapped. In that case, the memory management unit catches the error.

If you did not yet reach the end of the page, like in your example, the memory at that point is still valid from the operating system's/processor's point of view - you are just overwriting memory that might be used by another variable.


By using memory that you are not supposed to use, you are entering the territory of undefined behavior. It doesn't crash today on your machine. But the behavior could change without warning.

For what it's worth, when I run the same code on my cygwin shell, I get

Segmentation fault (core dumped)


The effect of a buffer overrun depends entirely on what you overwrite, what you overwrite it with, and how the overwritten data is subsequently used.

The method of buffer overrun exploitation involves using the overrun to modify the return address of a function; but returning from main() to the OS may not be quite the same as returning from a function.
