   해킹잘하고싶다
   Stack Overflow site translation

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=8612


https://stackoverflow.com/questions/29910520/why-is-this-code-vulnerable-to-buffer-overflow-attacks

My English is not good enough for translating, so there may be some mistranslations...


int func(char* str)
{
   char buffer[100];
   unsigned short len = strlen(str);

   if(len >= 100)
   {
        return (-1);
   }

   strncpy(buffer,str,strlen(str));
   return 0;
}





Why is this code vulnerable to buffer overflow attacks?

This code is vulnerable to a buffer overflow attack, and I'm trying to figure out why.

I'm thinking it has to do with len being declared a short instead of an int, but I'm not really sure.








If I were to answer this myself...



short (or signed short)
Size: 2 bytes (16 bits)
Range: -32,768 ~ 32,767
(in two's complement, -2^15 ~ 2^15 - 1)



unsigned short
Size: 2 bytes (16 bits)
Range: 0 ~ 65,535
(0 ~ 2^16 - 1)




However,
int func(char *str) receives the str pointer as its argument,
and if the size of str goes over 65536...
that becomes a vulnerability that can cause a buffer overflow.








So then... if we were to do this with secure coding...

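#include <string.h>

int func(char* str)
{
    char buffer[100];
    size_t len = strlen(str); // size_t holds the full length, no truncation

    if(len >= sizeof(buffer)) // bound comes from the buffer itself
    {
        return -1;
    }

    strncpy(buffer, str, len);
    buffer[len] = '\0'; // manually insert the null terminator
    return 0;
}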

  Hit : 890     Date : 2025/07/09 07:11
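
Added example (not part of the original post or of the Stack Overflow question): it shows what the 16-bit len holds for several input lengths, and that the size_t version rejects the same inputs. The helper names narrowed_len, vulnerable_check_passes, safe_copy and make_input are hypothetical, the inputs are constructed, and a 16-bit unsigned short is assumed. The vulnerable strncpy itself is never executed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length as the vulnerable func() stores it: size_t narrowed to unsigned short. */
static unsigned short narrowed_len(const char *str)
{
    return (unsigned short)strlen(str);
}

/* 1 if the original `len >= 100` test would let the input through. */
static int vulnerable_check_passes(const char *str)
{
    return narrowed_len(str) < 100;
}

/* Hardened copy: full-width length, bound passed in, explicit terminator. */
static int safe_copy(char *dst, size_t dst_size, const char *str)
{
    size_t len = strlen(str);
    if (len >= dst_size)
        return -1;
    memcpy(dst, str, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed input: n 'A' characters; the caller frees it. */
static char *make_input(size_t n)
{
    char *s = malloc(n + 1);
    if (s) { memset(s, 'A', n); s[n] = '\0'; }
    return s;
}

int main(void)
{
    char buffer[100];
    size_t sizes[] = { 99, 100, 65535, 65536, 65536 + 50 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        char *in = make_input(sizes[i]);
        if (!in) return 1;
        printf("strlen=%zu narrowed=%u vulnerable_check=%s safe_copy=%d\n",
               strlen(in), (unsigned)narrowed_len(in),
               vulnerable_check_passes(in) ? "pass" : "reject",
               safe_copy(buffer, sizeof buffer, in));
        free(in);
    }
    return 0;
}
```

For the inputs of length 65536 and 65586 the narrowed length is 0 and 50, so the original check passes even though the original strncpy would then use the full strlen(str) as its count.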