常见软件安全漏洞样例代码

缓冲区溢出:

 1 Example1.1:
 2     ...
 3     char buf[BUFSIZE]; 
       /* gets() takes no length argument: it keeps writing until it sees a
        * newline, so an input line of BUFSIZE or more characters runs past
        * the end of buf. The function was removed in C11; the bounded
        * replacement is fgets(buf, sizeof buf, stdin). */
 4     gets(buf);//user control
 5     ...
 6 
 7 Example1.2(c++):
 8     ...
 9     char buf[BUFSIZE]; 
       // Before C++20, operator>> into a char array stores a whole
       // whitespace-delimited token with no bound unless a field width is set,
       // so a token of BUFSIZE or more characters overflows buf. Read into a
       // std::string, or set the width first: cin >> setw(BUFSIZE) >> buf.
10     cin >> (buf);//user control
11     ...
12 
13 Example2:
14     ...
15     char buf[64], in[MAX_SIZE];
16     printf("Enter buffer contents:\n");
       /* The return value of read() (bytes actually received) is discarded,
        * so nothing later knows how much of `in` is valid. */
17     read(0, in, MAX_SIZE-1);
18     printf("Bytes to copy:\n");
       /* scanf's result is not checked either; if the conversion fails,
        * `bytes` keeps whatever value it had before (its declaration is not
        * shown in this fragment; presumably an int, given "%d"). */
19     scanf("%d", &bytes);//user control
       /* The copy length comes straight from the user and is never compared
        * with sizeof buf (64): any value above 64 writes past buf, and a
        * negative value is converted to a very large size_t. A safe version
        * rejects the request unless 0 <= bytes <= sizeof buf and bytes does
        * not exceed the count returned by read(). */
20     memcpy(buf, in, bytes);
21     ...
22     char *lccopy(const char *str) {
           /* Returns a heap-allocated lower-case copy of str (from strdup();
            * NULL if that allocation fails).
            * NOTE(review): this function follows Example2 without a label of
            * its own; it is presumably the listing's Example3. */
23         char buf[BUFSIZE];
24         char *p;
25     
           /* strcpy() stops only at the terminating NUL of str, so a string of
            * BUFSIZE or more characters overflows the stack buffer. Nothing
            * here limits the length of str. Duplicating str first and
            * lower-casing the copy in place removes the fixed-size buffer
            * altogether. */
26         strcpy(buf, str);
27         for (p = buf; *p; p++) {
               /* NOTE(review): *p is a plain char; the <ctype.h> functions
                * expect an unsigned char value or EOF, so a cast to
                * (unsigned char) is needed for bytes >= 0x80 where char is
                * signed. */
28              if (isupper(*p)) {
29                 *p = tolower(*p);
30             }
31         }    
32         return strdup(buf);
33     }
34 
35 Example4:
36     if (!(png_ptr->mode & PNG_HAVE_PLTE)) {
37         /* Should be an error, but we can cope with it */
           /* This branch only warns and then falls through. Because the length
            * test below is attached to it as an `else if`, that test is never
            * evaluated when PLTE is missing. */
38         png_warning(png_ptr, "Missing PLTE before tRNS");
39     }
40     else if (length > (png_uint_32)png_ptr->num_palette) {
41         png_warning(png_ptr, "Incorrect tRNS chunk length");
42         png_crc_finish(png_ptr, length);
43         return;
44     }
45     ...
       /* On the missing-PLTE path `length` arrives here unvalidated. readbuf's
        * declaration is not shown; if it is a fixed-size buffer, a chunk length
        * larger than it is written past its end. The length check has to be an
        * independent `if` against the real capacity of readbuf (or the first
        * branch has to return) before this read. */
46     png_crc_read(png_ptr, readbuf, (png_size_t)length);
47 
48 Example5:
49     void getUserInfo(char *username, struct _USER_INFO_2 info){
           /* Converts username to wide characters and looks the account up
            * with NetUserGetInfo at information level 2. */
50         WCHAR unicodeUser[UNLEN+1];
           /* The last argument of MultiByteToWideChar is the destination size
            * in wide characters, but sizeof(unicodeUser) is a size in bytes,
            * i.e. (UNLEN+1) * sizeof(WCHAR). The call is therefore allowed to
            * write more characters than the array holds when username is long.
            * The correct count is sizeof(unicodeUser) / sizeof(unicodeUser[0]),
            * and the return value (0 on failure) should be checked. */
51         MultiByteToWideChar(CP_ACP, 0, username, -1,
52                             unicodeUser, sizeof(unicodeUser));
           /* NOTE(review): info is passed by value, so anything stored through
            * &info is not visible to the caller -- confirm the intended
            * signature. */
53     NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
54     }

格式化字符串:

 1 Example1:
 2     int main(int argc, char **argv){
 3         char buf[128];
 4         ...
           /* The length is bounded (128), but argv[1] is passed as the format
            * string. Any conversion specification it contains is interpreted:
            * they consume arguments that were never passed, and %n stores
            * through one of them. The argument belongs in the data position:
            * snprintf(buf, sizeof buf, "%s", argv[1]). argv[1] is also NULL
            * when the program is run without arguments. */
 5         snprintf(buf,128,argv[1]);
 6     }
 7 
 8 Example2:
 9 printf("%d %d %1$d %1$d\n", 5, 9);
   /* %1$d is the POSIX numbered-argument form: it selects an argument by
    * position instead of taking the next one, so the format string, not the
    * argument list, decides what gets read. POSIX leaves mixing numbered and
    * unnumbered conversions in one format undefined, so the output of this
    * line is not portable. Formats should be string literals so that compilers
    * can check them (-Wformat). */
10 
11 Example3:
12     ...
13     syslog(LOG_ERR, cmdBuf);
       /* syslog() treats its second argument as a printf-style format. Where
        * cmdBuf comes from is not shown; if any part of it is externally
        * supplied it must be logged as data: syslog(LOG_ERR, "%s", cmdBuf). */
14     ...
15 
16 Example4:
17 #include <stdio.h>
18 
19 void printWrapper(char *string) {   
     /* Prints string by using it as the printf format itself, so every
      * caller-supplied '%' sequence is interpreted. main() below passes
      * argv[1] here. Safe forms: printf("%s", string) or fputs(string, stdout). */
20   printf(string);
21 }
22 
23 int main(int argc, char **argv) {   
24   char buf[5012];    
     /* Copies a fixed 5012 bytes no matter how long argv[1] really is, so a
      * shorter argument makes memcpy read past its end; argv[1] is NULL when
      * no argument is given. buf is not used afterwards, and <string.h> is
      * not included for memcpy. */
25   memcpy(buf, argv[1], 5012);    
     /* The raw command-line argument is handed on as a format string. */
26   printWrapper(argv[1]);    
27   return (0);
28 }

整数溢出:

Example1:
short int bytesRec = 0;
char buf[SOMEBIGNUM];

/* bytesRec is a short. If MAXGET is larger than SHRT_MAX the loop condition
 * can never become false: the running total wraps to a negative value on
 * typical implementations, and buf+bytesRec then points before buf.
 * NOTE(review): MAXGET, SOMEBIGNUM and getFromInput() are not shown; nothing
 * visible ties MAXGET to the size of buf or limits how much one call to
 * getFromInput() stores. A size_t counter plus a remaining-space check on
 * every iteration avoids both problems. */
while(bytesRec < MAXGET) {
  bytesRec += getFromInput(buf+bytesRec);
}

Example2:
    nresp = packet_get_int();
    /* nresp is presumably taken from a received packet, i.e. chosen by the
     * peer. Only its lower bound is checked. */
    if (nresp > 0) {
     /* The multiplication is done in size_t and can wrap: a large enough nresp
      * yields a small (even zero) allocation size while the loop below still
      * stores nresp pointers. Reject nresp > SIZE_MAX / sizeof(char*) -- or,
      * better, anything above a sane protocol limit -- before allocating. */
     response = xmalloc(nresp*sizeof(char*));
     for (i = 0; i < nresp; i++)
      response[i] = packet_get_string(NULL);
    }

Example3:
     char* processNext(char* strm) {
     /* Reads a length-prefixed record from strm: a short length, then that
      * many bytes, which are copied into a 512-byte buffer and handed to
      * process(). Returns a pointer just past the record, or -1 converted to
      * a pointer when the length is rejected. */
     char buf[512];
     /* The length field is a signed short taken directly from the stream. */
     short len = *(short*) strm;
     strm += sizeof(len);
     /* Only the upper bound is tested. A negative len passes this check and is
      * converted to a huge size_t by memcpy, overflowing buf. The test has to
      * be 0 <= len && len <= sizeof buf, or len has to be an unsigned type. */
     if (len <= 512) {
      memcpy(buf, strm, len);
      process(buf);
      return strm + len;
     } else {
      /* NOTE(review): an integer returned as char*; callers can only detect
       * it by comparing with (char*)-1. NULL would be the conventional
       * failure value. */
      return -1;
     }
    }

Example4:
rezos@bezel ~/labs/integer $ cat add.c
#include <stdio.h>
#include <limits.h>

int main(void)
{
 int a;

//  a=2147483647;
 a=INT_MAX;

 /* a+1 overflows a signed int, which is undefined behaviour in C. The
  * wrapped value in the transcript below is what common two's-complement
  * targets print, but the standard does not guarantee it and optimising
  * compilers may assume the overflow never happens. Code that must detect
  * the condition tests before adding (for a + b with b > 0: a > INT_MAX - b).
  * %x formally expects an unsigned int argument. */
 printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);

 return 0;
}

rezos@bezel ~/labs/integer $ ./add
int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000)

Example5:
rezos@bezel ~/labs/integer $ cat multiplication.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char **argv)
{
 int i, j, z=0x00000001;
 char *tab;

 if(argc<2) _exit(1);

 /* atoi() reports no errors; the element count is whatever the user typed. */
 i=atoi(argv[1]);

 if(i>0) {
   /* i * sizeof(char *) is evaluated in size_t. With the argument used in the
    * transcript below (1073741824 = 2^30) and 4-byte pointers, the product is
    * 2^32, which wraps to 0 where size_t is 32 bits wide (presumably the
    * platform of the transcript). malloc(0) may return a non-NULL pointer,
    * so the NULL check passes with essentially no memory behind tab.
    * A guard such as (size_t)i > SIZE_MAX / sizeof(char *) must come first. */
   tab = malloc(i * sizeof(char *));
   if(tab == NULL) _exit(2);
 }

 /* The loops still run i times and walk off the undersized allocation. */
 for(j=0; j<i; j++)
   tab[j]=z++;

 for(j=0; j<i; j++)
   printf("tab[j]=0x%x\n", tab[j]);

 return 0;
}

rezos@bezel ~/labs/integer $ ./multiplication 1073741824
Segmentation fault

 
