A buffer overflow error occurs when a program writes to a memory area that's out of bounds for the buffer it intended to
write to.
Consequences
A buffer overflow generates the following runtime errors:
- memory corruption (may cause an unpredictable failure in the future)
- segmentation fault
Detecting the error
Depending on which error checks are enabled under
Memory Errors in the configuration,
the Memory Analysis tool can detect buffer overflows in the following conditions:
- Verify parameters in string and memory functions—an overflow in the heap area
- Enabled bounds checking (where possible)—an overflow within an allocated block's memory
overhead (typically, the overflow is by 1 byte and is trapped by free)
- Perform full heap integrity check on every allocation/deallocation—an overflow that
corrupts the heap (typically, with a too-large or negative index, you can write data into an adjacent block)
- Library functions—an overflow that occurs in certain library functions gets trapped (for the list of
functions, see the Trap Function field, below)
Information returned by the Memory Problems view
The notification for this type of memory error includes the following details:
- Severity: ERROR
- Description: one of:
-
allocator inconsistency - Malloc chain is corrupted, pointers out of order
-
allocator inconsistency - Malloc chain is corrupted, end before end pointer
-
possible overwrite - Malloc block header corrupted
-
allocator inconsistency - Pointers between this segment and adjoining segments are invalid
-
data has been written outside allocated memory block
-
data area is not in use (can't be freed or realloced)
-
pointer points to heap but not to a user writable area
-
allocator inconsistency - Malloc segment in free list is in-use
-
malloc region doesn't have a valid CRC in header
- Pointer: address that points outside of buffer
- Trap Function: one of:
malloc
calloc
realloc
free
strcat
strdup
strncat
strcmp
strncmp
strcpy
strncpy
strlen
strchr
strrchr
index
rindex
strpbrk
strspn
strcspn
strstr
strtok
memccpy
memchr
memmove
memcpy
memcmp
memset
bcopy
bzero
bcmp
- Alloc Kind: how memory was allocated for this block (malloc, calloc,
or realloc)
- Location: source file and line of code where the error occurred (e.g., main.c:59)
- Count: number of blocks involved
How to address buffer overflow errors
Locate the code where the actual overflow occurred. Ensure that the size of the memory region is always accompanied by
the pointer itself, verify all unsafe operations, and confirm that the memory region is large enough to hold the
data being copied into it.
Example
The following code shows an example of a buffer overflow that gets trapped by a string function:
int main(int argc, char ** argv) {
char * ptr = NULL;
ptr = malloc(12);
strcpy(ptr,"Hello World!");
return 0;
}
This next example shows a buffer overflow trapped by a post-heap check in the
free function:
int main(int argc, char ** argv){
char * ptr = NULL;
ptr = malloc(12);
ptr[12]=0;
free(pre);
return 0;
}