A buffer overflow error occurs when a program unintentionally writes to a memory area that's out of bounds for the buffer
it intended to write to.
Consequences
A buffer overflow generates the following runtime errors:
- memory corruption (with an unpredictable failure in the future)
- segmentation fault
Detecting the error
The Memory Analysis tool can detect a limited number of possible buffer overflows with following conditions:
- when the overflow buffer belongs to the heap area
- when the overflow occurred within the block's memory overhead (typically, the overflow is over by 1, and the overflow is trapped
in the free function)
- when the overflow is corrupting the heap. Typically, with a large enough index (or negative index), you can write data into
next block area, thereby making all of the heap unusable. This error is trapped in the following allocation functions: malloc, calloc, realloc, free.
- when the overflow occurred in a library function:
strcat
strdup
strncat
strcmp
strncmp
strcpy
strncpy
strlen
strchr
strrchr
index
rindex
strpbrk
strspn
strcspn
strstr
strtok
memccpy
memchr
memmove
memcpy
memcmp
memset
bcopy
bzero
bcmp
Enabling error detection
To enable error detection for a buffer overflow or underflow:
- In the Launch Configuration window, select the Tools tab.
- Select Enable error detection checkbox.
- To detect an immediate overflow, select Verify parameters in string and memory functions.
- To detect a small overflow in block's memory overhead area, select Enabled bounds checking (where possible).
- To detect a corrupted heap, caused by overflowing other regions, select Perform full heap integrity check on every allocation/deallocation.
Message returned to the QNX IDE
In the IDE, you can expect the message for this type of memory error to include the following types of information and detail:
- Messages
-
allocator inconsistency - Malloc chain is corrupted, pointers out of order
-
allocator inconsistency - Malloc chain is corrupted, end before end pointer
-
pointer does not point to heap area
-
possible overwrite - Malloc block header corrupted
-
allocator inconsistency - Pointers between this segment and adjoining segments are invalid
-
data has been written outside allocated memory block
-
pointer points to heap but not to a user writable area
-
allocator inconsistency - Malloc segment in free list is in-use
-
malloc region doesn't have a valid CRC in header
- Other parameters
- Severity: ERROR
- Pointer: pointer that points outside of buffer
- TrapFunction: memory or string function where the error was trapped (the error can also occur before the actual function in
error)
- Operation: UNKNOWN, malloc, malloc-realloc, calloc
— how memory was allocated for the memory region we are referencing
- State: In Use or FREED
For a list of error messages returned by the Memory Analysis tool, see Summary of error messages for Memory Analysis.
How to address buffer overflow errors
Locate the code where the actual overflow occurred. Ensure that the size of the memory region is always accompanied by the
pointer itself, verify all unsafe operations, and that the memory region is large enough to accommodate the data going into
that location.
Example
The following code shows an example of a buffer overflow trapped by a library function:
int main(int argc, char ** argv){
char * ptr = NULL;
ptr = malloc(12);
strcpy(ptr,"Hello World!");
return 0;
}
The following code shows an example of a buffer overflow trapped by a post-heap check in a free function:
int main(int argc, char ** argv){
char * ptr = NULL;
ptr = malloc(12);
ptr[12]=0;
free(pre);
return 0;
}