Buffer overflow

A buffer overflow error occurs when a program writes to a memory area that's out of bounds for the buffer it intended to write to.

Consequences

A buffer overflow generates the following runtime errors:
  • memory corruption (may cause an unpredictable failure in the future)
  • segmentation fault

Detecting the error

Depending on which error checks are enabled under Memory Errors in the configuration, the Memory Analysis tool can detect buffer overflows in the following conditions:
  • Verify parameters in string and memory functions—an overflow in the heap area
  • Enabled bounds checking (where possible)—an overflow within an allocated block's memory overhead (typically, the overflow is by 1 byte and is trapped by free)
  • Perform full heap integrity check on every allocation/deallocation—an overflow that corrupts the heap (typically, with a too-large or negative index, you can write data into an adjacent block)
  • Library functions—an overflow that occurs in certain library functions gets trapped (for the list of functions, see the Trap Function field, below)

Information returned by the Memory Problems view

The notification for this type of memory error includes the following details:
  • Severity: ERROR
  • Description: one of:
    • allocator inconsistency - Malloc chain is corrupted, pointers out of order
    • allocator inconsistency - Malloc chain is corrupted, end before end pointer
    • possible overwrite - Malloc block header corrupted
    • allocator inconsistency - Pointers between this segment and adjoining segments are invalid
    • data has been written outside allocated memory block
    • data area is not in use (can't be freed or realloced)
    • pointer points to heap but not to a user writable area
    • allocator inconsistency - Malloc segment in free list is in-use
    • malloc region doesn't have a valid CRC in header
  • Pointer: address that points outside of buffer
  • Trap Function: one of: malloc calloc realloc free strcat strdup strncat strcmp strncmp strcpy strncpy strlen strchr strrchr index rindex strpbrk strspn strcspn strstr strtok memccpy memchr memmove memcpy memcmp memset bcopy bzero bcmp
  • Alloc Kind: how memory was allocated for this block (malloc, calloc, or realloc)
  • Location: source file and line of code where the error occurred (e.g., main.c:59)
  • Count: number of blocks involved

How to address buffer overflow errors

Locate the code where the actual overflow occurred. Ensure that the size of the memory region is always accompanied by the pointer itself, verify all unsafe operations, and confirm that the memory region is large enough to hold the data being copied into it.

Example

The following code shows an example of a buffer overflow that gets trapped by a string function:
int main(int argc, char ** argv) {
  char * ptr = NULL;
  ptr = malloc(12);
  strcpy(ptr,"Hello World!");
  return 0;
}
This next example shows a buffer overflow trapped by a post-heap check in the free function:
int main(int argc, char ** argv){
  char * ptr = NULL;
  ptr = malloc(12);
  ptr[12]=0;
  free(pre);
  return 0;
}