LinuxQuestions.org
Forums > Non-*NIX Forums > Programming
Old 10-02-2011, 07:54 AM   #1
southpau1
LQ Newbie
 
Registered: Sep 2011
Posts: 24

Rep: Reputation: Disabled
Question Please explain this short C function


Please explain the below function. Specifically, I am unsure about the use of '*' and also the '&n'

Code:
#include <string.h>   /* strcpy lives here; the original snippet omitted the include */

void function(char *ptr1, char *ptr2)
{
    int n;              /* an int: only sizeof(int) bytes, usually 4 */
    char str[6];        /* room for 5 characters plus the terminating null */
    char *ptr;
    ptr = (char *) &n;  /* ptr now points at the bytes of n */
    strcpy(ptr, ptr1);  /* potential buffer overflow spot1: no bound on ptr1's length */
    strcpy(str, ptr2);  /* potential buffer overflow spot2: no bound on ptr2's length */
}
I know this is a noob question...
 
Old 10-02-2011, 08:08 AM   #2
johnsfine
LQ Guru
 
Registered: Dec 2007
Distribution: Centos
Posts: 5,286

Rep: Reputation: 1197
char * is used in that code to declare pointers to char and to cast to a pointer to char.

The &n means the address of n.

A pointer is a variable that holds the address of something. A char* variable is supposed to hold the address of a char.

The C language does not distinguish between a pointer to a lone char and a pointer to a char that is the first element of an array of char. It also makes no distinction based on the size of the array. The programmer is supposed to get all that right without the compiler checking it.

Many char arrays in C are used to contain null terminated strings. That is also up to the programmer. The language does not assume that a char array will contain a null terminated string.

void function(char *ptr1, char *ptr2)

The two parameters of this function are each pointers to char.
int n; n is an uninitialized local int
char str[6]; str is an uninitialized local char array.
char *ptr; ptr is a local pointer to char
ptr = (char *) &n; ptr is set to the address of n reinterpreted to be a pointer to char.
strcpy(ptr, ptr1); ptr1 is treated as a pointer to the first character of a null terminated string. The compiler won't check that it is really a pointer to a null terminated string. If it isn't, this operation could seg fault trying to read that string or could interpret unrelated data as a potentially very long string.
Then that string is copied into the memory occupied by n, which is probably 4 bytes of memory. So if the string (including terminating null) is longer than 4 bytes, whatever happens to follow n in memory will get clobbered.
strcpy(str, ptr2); Same issues as above, except that str[] is 6 bytes long. BTW, that use of str without the [] is evaluated as the address of the first element of str[], so str == &(str[0]). This is true of most (but not all) uses of an array name without the [] in C.

Last edited by johnsfine; 10-02-2011 at 08:31 AM.
 
1 members found this post helpful.
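The two copies johnsfine walks through above, in an added example that is not from the thread or from any of its posters: the same two destinations (the int n and str[6]) placed behind an explicit length check, together with the test that strcpy itself never performs. The names would_overflow, safe_copy and function_checked are my own, and the inputs in main are constructed for illustration.

```c
/* Added example, not code from the thread. Shows the bound that strcpy
 * omits and a bounds-checked rewrite of the posted function. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if copying src (including its terminating null) into a buffer
 * of `capacity` bytes would write past the end, 0 otherwise. This is the
 * check that decides whether the posted function overflows. */
int would_overflow(const char *src, size_t capacity)
{
    return strlen(src) + 1 > capacity;
}

/* Bounded copy: copies src into dst only if it fits, always leaves dst
 * holding a valid string, and reports failure instead of writing out of
 * bounds. Returns 0 on success, -1 if the copy was rejected. */
int safe_copy(char *dst, size_t capacity, const char *src)
{
    if (capacity == 0)
        return -1;
    size_t len = strlen(src);
    if (len + 1 > capacity) {
        dst[0] = '\0';          /* leave an empty string rather than garbage */
        return -1;
    }
    memcpy(dst, src, len + 1);  /* len + 1 copies the terminator too */
    return 0;
}

/* Hardened version of the thread's function. The destinations are kept
 * exactly as posted (a string written through a char* into the int n is
 * legal C, since char may alias any object); the difference is that each
 * copy is bounded by sizeof its destination. Returns 0 if both copies
 * succeeded, otherwise a bitmask: 1 = first copy rejected, 2 = second. */
int function_checked(const char *ptr1, const char *ptr2)
{
    int n = 0;
    char str[6];
    char *ptr = (char *) &n;
    int status = 0;

    if (safe_copy(ptr, sizeof n, ptr1) != 0)
        status |= 1;
    if (safe_copy(str, sizeof str, ptr2) != 0)
        status |= 2;
    return status;
}

int main(void)
{
    /* Constructed inputs. "hello" plus its null is exactly 6 bytes and
     * fills str[6]; "hello!" needs 7 and would clobber whatever follows
     * str. For n, "a" fits any int; "abcdefghij" (11 bytes) fits none. */
    printf("\"hello\"  into str[6] -> overflow? %d\n", would_overflow("hello", 6));
    printf("\"hello!\" into str[6] -> overflow? %d\n", would_overflow("hello!", 6));
    printf("\"abc\"    into int    -> overflow? %d\n", would_overflow("abc", sizeof(int)));
    printf("function_checked(\"abcdefghij\", \"hello!\") status = %d\n",
           function_checked("abcdefghij", "hello!"));
    return 0;
}
```

The bound uses sizeof on the destination rather than a hard-coded 4 or 6, so the check stays correct if n's type or str's size changes; a rejected copy is reported to the caller, which is the behaviour strcpy cannot offer because it has no idea how large the destination is.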
Old 10-02-2011, 08:28 AM   #3
southpau1
LQ Newbie
 
Registered: Sep 2011
Posts: 24

Original Poster
Rep: Reputation: Disabled
Thanks! Now I have to figure out how to overflow the buffers of this program.
 
Old 10-02-2011, 08:37 AM   #4
johnsfine
LQ Guru
 
Registered: Dec 2007
Distribution: Centos
Posts: 5,286

Rep: Reputation: 1197
Quote:
Originally Posted by southpau1
Thanks! Now I have to figure out how to overflow the buffers of this program.
I think the intent of the lesson might have been: where to be careful when coding to avoid accidentally overflowing a buffer.

But if that wasn't all obvious from the start, I guess first learning how to intentionally overflow a buffer can be a constructive step toward learning how to avoid doing it accidentally.

BTW, I think you mean "overflow the buffers of this function" rather than "program". That implies you are in control of the rest of the program and need only pass long enough strings to the function to overflow.

If you did mean "program", that ought to imply the rest of the program is unchangeable and you are only in control of the input. So work backwards from the existing call to that function. Where do the two strings passed to the function come from? How can the input to the program cause one of those strings to be too long?

Last edited by johnsfine; 10-02-2011 at 08:42 AM.
 
Old 10-02-2011, 10:12 AM   #5
southpau1
LQ Newbie
 
Registered: Sep 2011
Posts: 24

Original Poster
Rep: Reputation: Disabled
Sorry, I did mean Function...force of habit.

This problem is for an Intrusion Detection class in grad school. I should be able to figure out what will and won't overflow the buffers here, but don't know enough C to understand the logic of this function in order to do so.

I appreciate the explanation.

Last edited by southpau1; 10-02-2011 at 10:13 AM.
 
Old 10-02-2011, 10:47 AM   #6
johnsfine
LQ Guru
 
Registered: Dec 2007
Distribution: Centos
Posts: 5,286

Rep: Reputation: 1197
Quote:
Originally Posted by southpau1
This problem is for an Intrusion Detection class in grad school.
For any understanding of the Intrusion issues in this example, you need a good understanding of asm as well as C:

You should compile the C to generate asm source code instead of binary and examine the asm source code to see where in the stack frame the local variables are allocated relative to the return address (or maybe relative to saved registers).

The basic buffer overflow exploit overwrites a local variable by a long enough string and with the specific value that replaces the return address with some address within the program whose execution at that moment could start the chain toward achieving the results desired by the hacker.

That involves a lot more understanding of the binary program you are attacking than you get locally from understanding the exploitable buffer. If you were learning these issues at that level, you shouldn't have needed to ask ordinary C questions.

But to get a general idea of the concepts involved, it may be appropriate to just see how an attacker could change the function's return address, rather than follow through to understand how changing the return address builds toward an effective attack.

So I still advise looking at the asm code generated by the compiler to see how it (that specific compiler at that optimization level) lays out the stack frame. Then figure out what length input string would overwrite the return address with some controlled value within the program image (so the exploit could, in theory, start an attack rather than just seg fault).
 
Old 10-02-2011, 12:08 PM   #7
southpau1
LQ Newbie
 
Registered: Sep 2011
Posts: 24

Original Poster
Rep: Reputation: Disabled
I hear you - I'm a little over my head with this class, but I've been making do with the help of you guys here in LQ (so I appreciate it). I knew to check out the asm code to determine the location of esp, and the general principles of overflowing a buffer, but thanks. I've already written a couple of other asm programs that do some arbitrary exploits (see my other posts).

Unfortunately, this class is required for my degree, so I gotta stick with it.
 