
我无法理解 main() 中的 buf1 和 pass 发生了什么。我知道 gets(buf1) 发生缓冲区溢出之后:

  1. 首先(输入超过 15 个字符时),我们实际上是在修改 main() 的栈帧;
  2. 其次(如果继续输入超过 19 个字符),我们就会开始覆盖 main() 返回到其调用者所用的返回地址。

但是为什么向 gets(buf1) 输入 16 个字符(123456789012345**6**)之后,pass 就等于 54(也就是字符 '6' 的 ASCII 码)?我们并没有(显式地)溢出 pass 变量,为什么会得到 pass = 54?(注:buf1 只有 15 字节;16 个字符加上 gets() 追加的结尾 NUL 共 17 字节,多出的 2 字节会写入 buf1 之后紧邻的栈内存——具体落在哪个变量上取决于编译器的栈帧布局。)

#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stdlib.h>

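/*
 * Build the command line "cat <varCommand>" on the heap and run it via system().
 *
 * varCommand: NUL-terminated text supplied by the user. It is spliced into the
 *             command line unescaped, so any shell metacharacters in it
 *             (";", "|", "$(...)", ...) are interpreted by /bin/sh. This is the
 *             command-injection sink the demo exists to show. Real code must
 *             not do this: spawn with execvp()/posix_spawn() and an explicit
 *             argv such as {"cat", varCommand, NULL}, so the text is passed as
 *             a single argument and never parsed by a shell.
 *
 * Returns 0 once the command has been handed to system(); the command's exit
 * status is ignored, as in the original. Returns -1 if the command buffer
 * cannot be allocated (the original dereferenced the NULL pointer instead).
 */
int CommandInjection(const char *varCommand)
{
    static const char cat[] = "cat ";
    /* sizeof cat - 1 == strlen(cat); the extra +1 is the terminating NUL. */
    size_t commandLength = (sizeof cat - 1) + strlen(varCommand) + 1;

    char *command = malloc(commandLength);
    if (command == NULL)
        return -1;

    /* snprintf always NUL-terminates and never writes more than commandLength
     * bytes, unlike the strncpy/strncat pair it replaces. */
    snprintf(command, commandLength, "%s%s", cat, varCommand);

    system(command); /* DELIBERATELY UNSAFE: the shell executes user-controlled text. */

    free(command);   /* the original leaked this buffer on every call */
    return 0;
}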

/*
 * Entry point of the deliberately vulnerable demo.
 *
 * The password is read into a 15-byte stack buffer with gets(), which copies
 * the whole input line plus a terminating NUL with no length limit. Any input
 * of 15 or more characters therefore writes past the end of buf1 into whatever
 * the compiler placed next in main's frame (15 chars + NUL = 16 bytes). The
 * question on this page reports that 16 characters leave pass == 54, i.e.
 * 0x36, the ASCII code of '6': on that build the byte immediately after buf1
 * is pass, so the 16th character lands in it and the NUL in the byte after.
 * Where the overflow lands is NOT guaranteed by the language -- it depends on
 * the compiler's frame layout and alignment padding; another compiler or an
 * optimised build may order these locals differently or keep pass in a
 * register. Longer inputs go on to overwrite the saved frame pointer and
 * return address (the "19 characters" in the question is likewise specific to
 * that build).
 *
 * The fix is a bounded read -- fgets(buf1, sizeof buf1, stdin) followed by
 * stripping the trailing '\n' -- and the same for varCommand. gets() was
 * removed from the language in C11.
 */
int main(void)
{
    char buf1[15];        /* password buffer: room for 14 characters + NUL */
    char varCommand[30];  /* file name handed to CommandInjection(); also read with gets() */
    bool pass = 0;        /* meant to become true only on a correct password; on the reported build it sits right after buf1 */

    printf("\nEnter the password: \n(If you enter more than 15 characters you can break the security)\n");
    gets(buf1); //Unbounded stack write (no bounds checking); the overflow sink of this demo. Replace with fgets(buf1, sizeof buf1, stdin).

    /* strcmp() != 0 means mismatch. Note it stops at the first differing byte, so it is
     * not a constant-time comparison -- irrelevant for the demo, relevant for real code. */
    if(strcmp(buf1, "thepassword"))
    {
        /* %d receives pass promoted to int, so it shows whatever byte the overflow stored. */
        printf ("\nWrong Password\n PASS=%d", pass);
        /* With a corrupted bool holding e.g. 54 this comparison is compiler-dependent:
         * the generated code may test for non-zero (-> true) or compare with exactly 1
         * (-> false), since a bool object is only supposed to hold 0 or 1. */
        if(pass==true)
            printf ("\nHowever, there was memory corruption and you can enter to other part of the  program\n pass=%d", pass);
    }
    else
    {
        printf ("\nCorrect Password\n");
        pass = true;
    }

    /* Same caveat as above: a non-zero/non-one pass left behind by the overflow may or
     * may not take this branch depending on how the compiler evaluates == true. */
    if(pass == true)
    {
        // Must not be reached when the password is wrong -- the overflow above can get here anyway.
        printf ("\nEnter the file name (for example: text.txt; ls -l)\n");
        gets(varCommand); //Second unbounded write (30-byte buffer) and no input validation before the shell sees it.
        CommandInjection(varCommand); // user text is passed to system() unescaped -> command injection
    }

    return 0;
}
