#1  10-26-2004, 07:17 PM
Member | Registered: Sep 2004 | Distribution: Slackware 10.2 | Posts: 276
diff in buff underrun and overflow?
What is the difference between a buffer underrun and a buffer overflow and how do they occur?

#2  10-26-2004, 08:26 PM
Member | Registered: Oct 2003 | Distribution: FreeBSD | Posts: 325
They occur because of programming mistakes on the part of the programmer. A buffer overflow is when you provide too much information. A buffer underflow is when you don't provide enough information. In layman's terms...

#3  10-26-2004, 08:33 PM
Member (Original Poster) | Registered: Sep 2004 | Distribution: Slackware 10.2 | Posts: 276
hehe, go figure. I have heard that only languages with memory manipulation features allow for these coding vulnerabilities; languages such as C/C++, asm (haha), FORTRAN and other low level languages... is this true? Should a python programmer be worried about buff overflows/underruns?

#4  10-27-2004, 01:59 AM
Member | Registered: Oct 2003 | Distribution: fedora core 5 x86_64 | Posts: 639
I was just reading about this... this is a basic idea of how a buffer overflow works... (using C)
the data that is put into a buffer is not checked for length.. so, if a buffer is of length 15, you can put in data of length 20... there is a return address after the buffer in the stack, that is overwritten to somewhere in memory, usually the beginning of the buffer. what was written in the buffer is some sort of code that spawns a shell. I don't know anything about python, but I would say that if you can write over memory, by entering a string into a buffer where the string is larger than the buffer, then yes, you should have to worry about that..

#5  10-27-2004, 07:02 AM
Member (Original Poster) | Registered: Sep 2004 | Distribution: Slackware 10.2 | Posts: 276
If you have a fixed buffer it must be at least 1 byte, correct? How can you enter less information than this to create a buffer underrun?

#6  10-27-2004, 05:53 PM
Member | Registered: Oct 2003 | Distribution: fedora core 5 x86_64 | Posts: 639
I have no experience with underruns, but here is what I found...
(http://www.securityfocus.com/archive/82/349658)
Quote:
Re: Buffer underflows. I guess if you have a situation where you control a
static buffer in a parent function and then pop too many times in the
child then that could be exploitable, since the saved return address
could be in the data you control. I've never seen this though.
Signedness errors are usually overflows.
You see lots of cases where folks aren't expecting a negative return code
from a function that normally returns a length (e.g. recv()) and mess up
their array indexing, and wind up referencing buff[-1] or something. Null
terminating data obtained from recv() is a classic case of this.
I guess, in a strange kind of way, the va_arg issue that format string
bugs are based on is kind of an underflow, in that the specified quantity
of 'things' to be read is more than there are available, so the 'things'
get read from the next location on the stack.
Come to think of it, I'm not sure how you'd define an underflow. Taking
too much out, rather than putting too much in? Referencing a negative
offset in an array? Interesting stuff though.
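The recv() case in the quoted post is the one underflow pattern a defender actually meets in code review: the length returned by a read call is used as an index before its error value has been handled, so `buf[n] = '\0'` with `n == -1` writes one byte before the buffer. The following C is an added example written for this thread, not code from the post or from securityfocus. It assumes a hypothetical `recv_like_fn` stand-in for recv() (so it runs without a socket) and uses constructed fake sources and the hypothetical `read_status` codes; it shows the bounds check the unchecked code is missing and a reader that applies it.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t, the return type of recv() */

/* Status codes for the checked reader below (hypothetical names, not from any
 * library). */
enum read_status { READ_OK = 0, READ_ERROR = -1, READ_CLOSED = -2, READ_TOO_LONG = -3 };

/* Stand-in for recv(): anything with recv()'s "bytes read, or -1 on error"
 * convention, so the example runs without a socket. */
typedef ssize_t (*recv_like_fn)(char *buf, size_t cap);

/* The check the classic code is missing. That code does
 *     n = recv(...); buf[n] = '\0';
 * and with n == -1 the terminator lands at buf[-1], one byte before the
 * buffer (the "underflow"); with n == cap it lands one byte past it. */
int terminator_out_of_bounds(ssize_t n, size_t cap) {
    return n < 0 || (size_t)n >= cap;
}

/* Hardened reader: handle the error and end-of-stream returns before ever
 * using n as an index, and reserve a byte for the NUL. */
enum read_status recv_cstring_checked(recv_like_fn rx, char *buf, size_t cap) {
    if (cap == 0) return READ_TOO_LONG;
    ssize_t n = rx(buf, cap - 1);             /* leave room for the terminator */
    if (n < 0) return READ_ERROR;             /* -1 is never used as an index */
    if (n == 0) return READ_CLOSED;           /* peer closed: nothing to terminate */
    if (terminator_out_of_bounds(n, cap)) return READ_TOO_LONG; /* misbehaving source */
    buf[n] = '\0';
    return READ_OK;
}

/* Constructed fake sources reproducing the three recv() outcomes. */
ssize_t fake_recv_error(char *buf, size_t cap)  { (void)buf; (void)cap; return -1; }
ssize_t fake_recv_closed(char *buf, size_t cap) { (void)buf; (void)cap; return 0; }
ssize_t fake_recv_hello(char *buf, size_t cap) {
    const char payload[] = "hello";           /* constructed sample data */
    size_t n = sizeof payload - 1;
    if (n > cap) n = cap;
    memcpy(buf, payload, n);
    return (ssize_t)n;
}

/* Small drivers so the outcome of each path is a return value. */
int demo_status(recv_like_fn rx) {
    char buf[8];
    return (int)recv_cstring_checked(rx, buf, sizeof buf);
}
int demo_hello_terminated(void) {
    char buf[8];
    memset(buf, 'X', sizeof buf);             /* no NUL anywhere beforehand */
    if (recv_cstring_checked(fake_recv_hello, buf, sizeof buf) != READ_OK) return 0;
    return strcmp(buf, "hello") == 0;
}

int main(void) {
    printf("buf[-1] out of bounds for a 16-byte buffer: %d\n", terminator_out_of_bounds(-1, 16));
    printf("error path status: %d\n", demo_status(fake_recv_error));
    printf("closed path status: %d\n", demo_status(fake_recv_closed));
    printf("hello path terminated correctly: %d\n", demo_hello_terminated());
    return 0;
}
```

The point of `terminator_out_of_bounds` is that a signed length has two bad ranges, not one: negative values (the error return) fall below the buffer, and values at or past the capacity fall beyond it, so both halves of the test have to be present before the value is used as an index.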

#7  10-27-2004, 08:29 PM
Member (Original Poster) | Registered: Sep 2004 | Distribution: Slackware 10.2 | Posts: 276
|
Thanks. It's pretty confusing stuff though...

#8  10-27-2004, 09:55 PM
Senior Member | Registered: Oct 2003 | Location: hopefully not here | Distribution: Gentoo | Posts: 2,038
just draw a diagram:
here's the main parts of the stack for buffer overflow :
-------------------------------------------------------------
| return address | buffer ::::::::::::::::::::::::::::::::: |
-------------------------------------------------------------
as you can see the data in the buffer fills towards the return address, in an overflow it will overwrite past the buffer, and into the return code, really messing up the program, and it becomes an exploit for people that know what they are doing (or script kiddies that can push 2 buttons)
http://leepoint.net/notes/comp/syste...o/buffers.html
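The frame drawn in #8, with the unchecked copy described in #4 beside its bounded fix, as an added C example written for this thread (not code from either post or from the linked page). It assumes a hypothetical `toy_frame` struct standing in for the compiler's frame layout: putting the buffer and a marker for the return-address slot in one struct keeps the demonstration inside well-defined C while still showing the data running off the end of the buffer into its neighbour. The sizes follow #4 (16-byte buffer rather than 15, 20-byte input) and the sentinel value is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the frame drawn in post #8: a fixed buffer with the saved
 * return address slot right after it. A real frame is laid out by the
 * compiler; this struct makes the adjacency explicit so the effect of an
 * unchecked copy can be observed inside well-defined C instead of on the real
 * stack. Hypothetical names, constructed for this example. */
struct toy_frame {
    char buffer[16];
    uintptr_t saved_return;   /* stands in for the return address slot */
};

#define SENTINEL_RETURN ((uintptr_t)0xABCD1234u)   /* constructed marker value */

/* Post #4's pattern: copy the input without checking it against the buffer.
 * The copy is capped at the whole struct only so the model itself stays in
 * bounds; nothing stops the data running past `buffer`. Returns the value of
 * the return slot afterwards. */
uintptr_t copy_unchecked(struct toy_frame *f, const char *input, size_t len) {
    f->saved_return = SENTINEL_RETURN;
    if (len > sizeof(*f)) len = sizeof(*f);
    memcpy((unsigned char *)f, input, len);    /* no check against sizeof buffer */
    return f->saved_return;
}

/* The fix: bound the copy by the destination and report input that does not
 * fit, instead of letting it spill into the neighbouring slot. */
int copy_bounded(struct toy_frame *f, const char *input, size_t len) {
    f->saved_return = SENTINEL_RETURN;
    if (len >= sizeof(f->buffer)) return -1;   /* no room for data plus NUL */
    memcpy(f->buffer, input, len);
    f->buffer[len] = '\0';
    return 0;
}

int return_slot_intact(const struct toy_frame *f) {
    return f->saved_return == SENTINEL_RETURN;
}

/* Drivers using the sizes from post #4 (16-byte buffer, 20-byte input). */
int overflow_clobbers_return_slot(void) {
    struct toy_frame f;
    char input[20];
    memset(input, 'A', sizeof input);          /* constructed oversized input */
    copy_unchecked(&f, input, sizeof input);
    return !return_slot_intact(&f);
}
int bounded_copy_rejects_and_preserves(void) {
    struct toy_frame f;
    char input[20];
    memset(input, 'A', sizeof input);
    return copy_bounded(&f, input, sizeof input) == -1 && return_slot_intact(&f);
}
int bounded_copy_accepts_fitting_input(void) {
    struct toy_frame f;
    const char *msg = "hello";                 /* constructed input that fits */
    return copy_bounded(&f, msg, strlen(msg)) == 0
        && return_slot_intact(&f) && strcmp(f.buffer, "hello") == 0;
}

int main(void) {
    printf("unchecked copy clobbered the return slot: %d\n", overflow_clobbers_return_slot());
    printf("bounded copy rejected it and kept the slot: %d\n", bounded_copy_rejects_and_preserves());
    printf("bounded copy accepted fitting input: %d\n", bounded_copy_accepts_fitting_input());
    return 0;
}
```

Twenty bytes into a sixteen-byte buffer leaves four bytes to land in whatever sits next in memory; in this model that is the sentinel, in a real frame it is the saved return address the diagram shows. The bounded version makes the destination size part of the copy and turns "does not fit" into an error return the caller has to handle, which is the whole difference between the two.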