
What is the maximum value sprintf can put into the stack for this buffer overflow case? As I noticed, a normal printf(string) will allow more values.

When passing a value > "%1500d", an error happens; when passing a value greater than the previous value ("%50000d"), another error happens.

So what is the exact relation between it and stack?

When passing more empty argv arguments when running the file, it allows more padding values.

Why is that?


compile & run

gcc code.c -o code
./code "%1500d"

code.c

#include <stdio.h>

void vuln(char *string)
{
    char buffer[64];
    sprintf(buffer, string);   /* user-controlled format string written into a 64-byte buffer */
}

int main(int argc, char **argv)
{
    vuln(argv[1]);
}

gdb

"%1500d" error

=> 0x7ffff7a9c57b <__mempcpy_sse2+331>: rep movs QWORD PTR es:[rdi],QWORD PTR ds:[rsi]
Stopped reason: SIGSEGV
__mempcpy_sse2 () at ../sysdeps/x86_64/memcpy.S:272
272 ../sysdeps/x86_64/memcpy.S: No such file or directory.

"%50000d" error

=> 0x7ffff7a8868b <__GI__IO_default_xsputn+75>: mov    BYTE PTR [rdi+rax*1],dl
Stopped reason: SIGSEGV
0x00007ffff7a8868b in __GI__IO_default_xsputn (f=0x7fffffffe1a0,
    data=<optimized out>, n=0x10) at genops.c:450
450 genops.c: No such file or directory
  • You should add some details on how your parts interact. Your code does not contain any occurrence of `"%1500d"` or similar. Which code is that related to? – Gerhardh Jul 27 '20 at 10:36
  • @Gerhardh Compile the program through gcc and pass the argument through the Linux terminal: `gcc code.c -o code`, then `./code "%1500d"` – Shady Shahin Jul 27 '20 at 10:40
  • Can anyone open the question again, as it's not a duplicate, please? – Shady Shahin Jul 27 '20 at 10:45
  • Ok, those strings are the literal arguments for the program. You might add that to the question. – Gerhardh Jul 27 '20 at 10:46
  • I can't open. I could only vote to reopen. But, in fact, it is a duplicate. If you read and understand the linked dupe, you should see that your question does not make much sense. There is no defined limit for undefined behaviour. It can crash with a certain length or not. – Gerhardh Jul 27 '20 at 10:48
  • @Gerhardh So does the crash happen because it writes at a random stack address that the program may use later, so unexpected behaviour happens, or because it exceeds the stack limit? Also, I really don't understand why passing more `argv` arguments increases the stack. How does that happen? – Shady Shahin Jul 27 '20 at 11:05
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/218677/discussion-between-shady-shahin-and-gerhardh). – Shady Shahin Jul 27 '20 at 11:08
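The pattern in the question, `sprintf(buffer, string)` with the program's argument used as the format, has no length limit at all: a width such as 1500 expands to 1500 bytes regardless of what the destination can hold, and the point at which it crashes is simply where the overwrite reaches something the process needs next, which is why it shifts with the environment and argument count. The following is an added example (not the asker's code) showing the hardened form of `vuln()` and measuring the expansion with `snprintf`; the buffer size of 64 comes from the question, while the function names and the default argument are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same destination size as the question's buffer[64] */

/* Hardened replacement for the question's vuln(): the argument is treated as
 * data, never as a format, and the destination size is passed along.
 * Returns 1 if the input had to be truncated to fit, 0 otherwise.
 * (Added example; not the asker's code.) */
int copy_arg(char *dst, size_t cap, const char *arg)
{
    int needed = snprintf(dst, cap, "%s", arg);
    return needed < 0 || (size_t)needed >= cap;
}

/* Shows how much output a padded conversion such as "%1500d" expands to.
 * The width is supplied through '*' from a trusted integer instead of letting
 * a caller's string act as the format.  snprintf returns the full length the
 * output would have had, while writing at most cap-1 bytes plus the NUL. */
int padded_int_length(char *dst, size_t cap, int width, int value)
{
    return snprintf(dst, cap, "%*d", width, value);
}

int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];
    /* Default mirrors the argument used in the question (assumed default). */
    const char *arg = argc > 1 ? argv[1] : "%1500d";

    if (copy_arg(buffer, sizeof buffer, arg))
        printf("input truncated to %zu bytes\n", strlen(buffer));
    printf("buffer holds the literal text: %s\n", buffer);

    /* What the question's "%1500d" would have produced as a format. */
    int would_write = padded_int_length(buffer, sizeof buffer, 1500, 0);
    printf("%%1500d expands to %d bytes; only %zu fit in %d\n",
           would_write, strlen(buffer), BUF_SIZE);
    return 0;
}
```

With the hardened copy, `./code "%1500d"` stores the six literal characters and nothing else; the second call reports that the padded conversion needs 1500 bytes while only 63 land in the buffer. Compiling the original with `gcc -Wformat -Wformat-security` flags the `sprintf(buffer, string)` line, which is the cheapest way to catch this pattern in review.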
