Unchecked Buffers / Buffer Overrun

A buffer is a place to store data in the code, while an unchecked one is a buffer that doesn't verify that the data placed in it is what it should be and of the length it is supposed to be.

Below is a diagram of a checked buffer that can hold 4 bytes of data.

While this is an unchecked buffer holding 7 bytes:

This doesn't seem too bad.  After all, what harm does it do?  Well, it only comes into play when you think of code in programs being run in a stack.  Let's pretend that a normal stack of code looks like this.

This is made up of code and data in the stack.  The code runs other bits of code from within the stack and reads data from specific areas.  What an unchecked buffer allows is for data written to the stack to spill past the end of the buffer into the code area.  This is known as a buffer overrun.

This buffer overrun allows data to be pushed into a spot in the code area where the application expects there to be code, not data.  This can be the start of all sorts of nasty things happening!  In the innocent world, this would normally result in a crash because the data that had been "pushed" into the code area would not be code and wouldn't process.  An attacker though wouldn't let this happen.  They would only push "code" into this area and that code would allow them to do something different.  The main thing that this kind of attack is used for is to run other code later on, code that is used to compromise a system.
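The 4-byte checked buffer and 7-byte unchecked one described above, as an added example in C (not code from the original article).  It models the stack picture with a constructed `struct frame`: a 4-byte buffer sitting directly in front of four "neighbour" bytes that stand in for control data the program relies on.  The unchecked copy mirrors what a length-blind routine such as `strcpy` does, but writes through the struct's own bytes so the overrun stays inside the object and the program remains well-defined; the checked copy refuses any input longer than the buffer.  The sentinel bytes, the 7-byte input and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of the stack: a 4-byte buffer followed immediately by
 * four bytes the program depends on (stand-in for a return address or other
 * control data).  All members are char types, so there is no padding and
 * sizeof(struct frame) == 8. */
struct frame {
    char buf[4];
    unsigned char neighbour[4];
};

/* Constructed sentinel: lets us detect whether the neighbour bytes survived. */
static const unsigned char SENTINEL[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Constructed 7-byte input, like the article's 7-byte unchecked buffer. */
static const unsigned char SEVEN_BYTES[7] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G' };

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    memcpy(f->neighbour, SENTINEL, sizeof f->neighbour);
}

/* Returns 1 if the neighbouring bytes still hold the sentinel, 0 if they
 * were overwritten by an overrun. */
int neighbour_intact(const struct frame *f) {
    return memcmp(f->neighbour, SENTINEL, sizeof SENTINEL) == 0;
}

/* Unchecked buffer: copies len bytes and never compares len to the size of
 * buf.  The copy is addressed through the whole struct so an over-long input
 * lands in our own neighbour bytes rather than in undefined territory. */
void copy_unchecked(struct frame *f, const unsigned char *data, size_t len) {
    memcpy((unsigned char *)f + offsetof(struct frame, buf), data, len);
}

/* Checked buffer: the length is verified before anything is written.
 * Returns 0 when the data fits, -1 when it is rejected as too long. */
int copy_checked(struct frame *f, const unsigned char *data, size_t len) {
    if (len > sizeof f->buf)
        return -1;
    memcpy(f->buf, data, len);
    return 0;
}

/* Feed 7 bytes to the unchecked copy; returns 1 if the neighbour bytes were
 * corrupted, i.e. the overrun reached data outside the buffer. */
int overrun_corrupts_neighbour(void) {
    struct frame f;
    frame_init(&f);
    copy_unchecked(&f, SEVEN_BYTES, sizeof SEVEN_BYTES);
    return !neighbour_intact(&f);
}

/* Feed the same 7 bytes to the checked copy; returns 1 if the input was
 * rejected and the neighbour bytes are untouched. */
int checked_rejects_overrun(void) {
    struct frame f;
    frame_init(&f);
    int rc = copy_checked(&f, SEVEN_BYTES, sizeof SEVEN_BYTES);
    return rc == -1 && neighbour_intact(&f);
}

/* Feed only 4 bytes to the checked copy; returns 1 if it was accepted and
 * the neighbour bytes are still intact. */
int checked_accepts_fit(void) {
    struct frame f;
    frame_init(&f);
    int rc = copy_checked(&f, SEVEN_BYTES, sizeof f.buf);
    return rc == 0 && neighbour_intact(&f) && memcmp(f.buf, "ABCD", 4) == 0;
}

int main(void) {
    printf("unchecked copy of 7 bytes corrupted neighbouring data: %s\n",
           overrun_corrupts_neighbour() ? "yes" : "no");
    printf("checked copy rejected 7 bytes and left data intact: %s\n",
           checked_rejects_overrun() ? "yes" : "no");
    printf("checked copy accepted 4 bytes: %s\n",
           checked_accepts_fit() ? "yes" : "no");
    return 0;
}
```

The point to take from the example is that the fix is a single comparison performed before the write, not after: `copy_checked` looks at the length first and refuses the input, which is why the neighbour bytes survive.  Real code should apply the same discipline by passing the destination size to every copy (`memcpy`, `snprintf`, `strncpy` with explicit length) rather than relying on the input to be well-behaved.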

Just in closing - don't have nightmares!  Not every unchecked buffer is a potential vulnerability.  In fact, comparatively few unchecked buffers can be exploited in this way.

Adrian Kingsley-Hughes
Last updated: March 7th 2005