
I'm learning about security. Here is some sample code I've been given:

#include <stdio.h>
#include <string.h>

char *j; /* used to dump the stack in function cat */

/* Strings to be copied into buffer in function cat */
char str1[] = "";
char str2[] = "";

int main() {

   /* Nested function definition: a GCC extension, not standard C */
   void cat(int *parm) {
      char buffer[8];

      /* Dump the stack for function cat, from buffer up to the address of
         the parameter parm (i.e. the stack slot holding cat's own copy of it) */
      for (j=buffer; j<((char *)&parm); j++)
         printf("%p: 0x%x\n", j, *(unsigned char *)j);

      /* copy str1 followed by str2 into buffer */
      /* note that a \0 remains between str1 and str2 in buffer */
      strcpy(buffer, str1);
      strcpy(&buffer[strlen(str1)+1], str2);

   }

   int *arg; /* dummy argument for call to function cat (never dereferenced) */
   int x;
   x = 0;
   cat(arg);
   x = 1;
   printf("%d\n",x);

}

I'm compiling with GCC. All I'm getting is "1" though. Any ideas why?

Also, my goal is to eventually get the program to print out "0", and achieve this by only adding code to cat(). I can't change anything already there, just add. Any help to get me started in the right direction would be appreciated.

  • Functions inside functions? That's a bit weird - who gave you this code? Commented Mar 17, 2012 at 3:13
  • You better hope the compiler hasn't optimized anything. Commented Mar 17, 2012 at 3:14
  • I got this code from a professor at my school, but I don't believe he'll answer emails on the weekend Commented Mar 17, 2012 at 3:18
  • @Carl Norum - IIRC functions inside functions are a gcc extension Commented Mar 17, 2012 at 3:29
  • Sure - I'm just surprised someone actually did it. Commented Mar 17, 2012 at 3:34

3 Answers


I'm compiling with GCC. All I'm getting is "1" though. Any ideas why?

We can see

   x = 1;
   printf("%d\n",x);

so that is likely the only print statement actually being run.

So I infer that for (j=buffer; j<((char *)&parm); j++) is never entered. Which is a bit weird. I'd expect a downward growing stack, so I'd expect the address of the parameter parm to be higher than buffer.

What machine are you using? Try printing the values of buffer and &parm, e.g.

void cat(int *parm) {
   char buffer[8];

   printf("buffer=%p\n", buffer);
   printf("&parm=%p\n", &parm);

...


Comments

  • buffer=0x7fffcbf8cb00 &parm=0x7fffcbf8caf8 1
  • anything I can do to fix how my stack grows?
  • No recommendations. I'm running the newest version of Ubuntu.
  • Do you have some weird compiler flags?
  • Normal Ubuntu installation. Just compiling with -Wall.

Your trampoline code compiles fine for me: gcc -o tramp tramp on Linux 2.6.24, $ gcc --version gcc (GCC) 4.3.4 20090804 (release)

My output:

jim@jim-HP ~ $ cc tramp.c -o tramp

jim@jim-HP ~ $ tramp

0x28ccf0: 0x4
0x28ccf1: 0x6f
0x28ccf2: 0x24
0x28ccf3: 0x61
0x28ccf4: 0x6
0x28ccf5: 0x6f
0x28ccf6: 0x24
0x28ccf7: 0x61
0x28ccf8: 0x28
0x28ccf9: 0xcd
0x28ccfa: 0x28
0x28ccfb: 0x0
0x28ccfc: 0xa8
0x28ccfd: 0x11
0x28ccfe: 0x40
0x28ccff: 0x0
1

Is that what you meant by 'all I got was 1'?


I get the same results with gcc 4.6.2 on 64-bit Linux, whether I use native 64-bit compilation or make a 32-bit executable with -m32. Looking at the assembly code produced by gcc -S, the issue is that gcc is making a local copy of parm in the stack frame of cat, with an address lower than buffer.

Now in the case of 64-bit code gcc has no choice on that point, since the argument is passed in a CPU register, and there would be no other way to give parm an address for the &parm operation. However, for some reason gcc makes a local copy of parm even in 32-bit code, where it would have a perfectly fine copy already in the stack.

In any case I think all this is a side issue for your homework: you can get a better upper bound for the loop by passing something useful in parm and then using parm instead of &parm as the loop bound in cat.

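As an added example (not code from the question or from either answer above), here is what the suggestion in this answer, together with the address check suggested in the first answer, looks like in practice: main passes the address of its own local x, and cat walks from buffer up to that address instead of up to &parm, printing where &parm landed relative to buffer on the way. The function names, the 64 KiB sanity cap on the walk and the noinline attribute (so the two frames stay separate under optimisation) are my own choices, not part of the exercise.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Assumption: a downward-growing stack (x86, x86-64, ARM), so the
   caller's frame sits at higher addresses than the callee's. */
#define MAX_WALK 65536u   /* refuse to walk more than this (assumed sane cap) */

/*
 * Callee.  buffer lives in cat's own frame; parm is whatever the caller
 * passed.  If the caller passes the address of one of its own locals,
 * (char *)parm is a usable upper bound for the walk, unlike &parm, which
 * is the slot holding cat's own copy of the argument and, as the answer
 * above explains, may be placed below buffer by gcc.
 *
 * Returns the number of bytes walked, or 0 if parm is not a plausible
 * bound (not above buffer, or implausibly far from it).
 */
__attribute__((noinline))
size_t cat(int *parm)
{
    volatile char buffer[8];          /* volatile: keep it in the frame */
    uintptr_t lo = (uintptr_t)buffer;
    uintptr_t hi = (uintptr_t)parm;
    size_t n = 0;

    buffer[0] = 0;

    /* The comparison the original exercise makes: where is the
       parameter's own slot relative to buffer?  If it is below, the
       original loop body never runs, which is what the question saw. */
    printf("buffer=%p  &parm=%p  (&parm is %s buffer)\n",
           (void *)lo, (void *)&parm,
           (uintptr_t)&parm < lo ? "below" : "above");

    if (hi <= lo || hi - lo > MAX_WALK)
        return 0;

    /* Dump every byte from buffer up to the caller's local: the rest of
       cat's frame (saved registers, return address) and then the start
       of main's frame. */
    for (uintptr_t j = lo; j < hi; j++, n++)
        printf("%p: 0x%02x\n", (void *)j, *(volatile unsigned char *)j);

    return n;
}

/* Caller: hands cat the address of its own local so the walk is bounded
   by the caller's frame instead of by cat's argument slot. */
int main(void)
{
    int x = 0;
    size_t n = cat(&x);
    printf("walked %zu bytes from cat's buffer to main's x\n", n);
    return 0;
}
```

Build with something like gcc -Wall -o frame frame.c (the file name is an assumption). The exact byte count and contents depend on the compiler, optimisation level and ABI, so expect different output on 32-bit and 64-bit builds; what stays constant is that the walk now runs at all, because its bound comes from the caller's frame rather than from cat's own copy of parm.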
