Stack overflow and the bursting holiday suitcase


The following content is provided to Computer Weekly by guest blogger Alex Guryeva of SQS (Software Quality Systems), an independent provider of software testing and quality management services.

Imagine returning from a long holiday with a suitcase overflowing with clothes, souvenirs and other essentials. Sometimes there simply isn't enough room in your suitcase for everything! In programming, like your suitcase, the call stack has a limited amount of memory (the volume of the suitcase), which is determined at the start of the program. In essence, before starting on a journey, you select a suitcase that you expect will comfortably hold all your belongings, even after some shopping.

When a program attempts to use more space than is available on the call stack, the stack is said to overflow, typically resulting in a program crash. Stack overflow is like a suitcase bursting open.

The most common causes of stack overflows are infinite recursion and very large stack variables. The examples below illustrate how the overflows are linked to the concept of the stack memory region.

Example A:
Encountering StackOverflowException in C# programming language and .NET Framework

The program text below defines a method that causes an infinite recursion at runtime.

The recursive method calls itself at the end of each invocation. Although an optimising compiler could turn this method into a tail-recursive call, the current program does not achieve this. Therefore, each method call frame (activation record) remains on the stack.

After nearly 80,000 invocations, the stack memory is exhausted and the program terminates. Usually, a StackOverflowException is caused by infinite or uncontrolled recursion.

((( Program that generates StackOverflowException (C#) )))

using System;

class Program
{
    static void Recursive(int value)
    {
        // Write the call number and call this method again.
        // ... The stack will overflow eventually.
        Console.WriteLine(value);
        Recursive(++value);
    }

    static void Main()
    {
        // Begin the infinite recursion.
        Recursive(0);
    }
}

((( Output - final numbers )))
...
79845
79846
79847
79848
79849
79850
79851

Process is terminated due to StackOverflowException.

The message "Process is terminated" is displayed at this point and no recovery is possible.

Example B:

Stack overflows are the most common form of buffer overflows. For example, stack overflows occur when variable size data is copied into fixed length buffers located on the program stack without any bounds checking. In other words, a stack overflow condition is a buffer overflow condition, where the buffer being overwritten is allocated on the stack (a local variable or, rarely, a parameter to a function could be used as a buffer).

When reviewing code for stack overflows, it is advisable to search for calls to insecure library functions like gets(), strcpy(), strcat() etc., which do not validate the length of the source string and blindly copy data into fixed-size buffers.

#include <stdio.h>
#include <string.h>

void log_create(int severity, char *inpt) {

    char b[1024] = "";   /* buffer must start empty for strcat() to append to it */

    if (severity == 1)
    {
        strcat(b,"Error occurred on");
        strcat(b,":");
        strcat(b,inpt);    /* no bounds check: overruns b when inpt is too long */

        FILE *fd = fopen ("logfile.log", "a");
        if (fd != NULL) {
            fprintf(fd, "%s", b);
            fclose(fd);
        }

        . . . . . .
    }
}

In the code above, the line strcat(b,inpt) will result in a stack overflow if the input exceeds 1024 bytes. Not only does this demonstrate an insecure use of strcat, it also shows how important it is to examine the length of any string that is passed to a function through a character pointer; in this case, the length of the string referenced by char *inpt.
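As an added example (not code from the article or from OWASP), here is the log_create() routine above rebuilt in C with bounds checking: snprintf() replaces strcat(), its return value is compared with the buffer size, and an oversized input is rejected instead of being written past the end of the 1024-byte stack buffer. The helper names (format_log_line, log_create_safe, max_input_len, try_input_of_length) and the 'A'-filled test input are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 1024
#define LOG_PREFIX   "Error occurred on:"

/* Build "Error occurred on:<inpt>" into out (capacity outsz). snprintf()
 * never writes past outsz and always NUL-terminates; its return value is
 * the length the full message needs, so >= outsz means strcat() would
 * have overflowed. Returns the length written, or -1 when rejected. */
int format_log_line(char *out, size_t outsz, const char *inpt) {
    int needed = snprintf(out, outsz, LOG_PREFIX "%s", inpt);
    if (needed < 0 || (size_t)needed >= outsz) {
        out[0] = '\0';                 /* discard the truncated text */
        return -1;
    }
    return needed;
}

/* Bounds-checked replacement for the article's log_create().
 * Returns 0 on success, -1 if the input is rejected or the file
 * cannot be opened (the original checked neither). */
int log_create_safe(int severity, const char *inpt) {
    char b[LOG_BUF_SIZE];
    if (severity != 1)
        return 0;                      /* nothing to log */
    if (format_log_line(b, sizeof b, inpt) < 0)
        return -1;
    FILE *fd = fopen("logfile.log", "a");
    if (fd == NULL)
        return -1;
    fprintf(fd, "%s\n", b);
    fclose(fd);
    return 0;
}

/* Longest input that still fits: buffer minus prefix minus the NUL. */
size_t max_input_len(void) {
    return LOG_BUF_SIZE - strlen(LOG_PREFIX) - 1;      /* 1005 */
}

/* Constructed sample input: `len` bytes of 'A' fed through the checker. */
int try_input_of_length(size_t len) {
    char inpt[4096], out[LOG_BUF_SIZE];
    if (len >= sizeof inpt)
        return -2;                     /* outside what this demo covers */
    memset(inpt, 'A', len);
    inpt[len] = '\0';
    return format_log_line(out, sizeof out, inpt);
}
```

Once the fixed prefix is accounted for, the checked version accepts at most max_input_len() bytes of input; anything longer is exactly what strcat() in the original would have written past the end of b.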

Summary

A stack overflow reduces the effective stack size of a program, and stack overflow vulnerabilities often allow an attacker to directly take control of the instruction pointer and, therefore, alter the execution of the program and execute arbitrary code. Apart from manually reviewing code for stack overflows, static code analysis tools can be very helpful in identifying this kind of issue.

References:

1. Sam Allen, "C# Stack Overflow (StackOverflowException)", http://dotnetperls.com/stack-overflow

2. Aleph One, "Smashing the Stack for Fun and Profit", http://www.phrack.org/issues.html?issue=49&id=14#article

3. OWASP, "Testing for Stack Overflow", http://www.owasp.org/index.php/Testing_for_Stack_Overflow



This page contains a single entry by Adrian Bridgwater published on March 1, 2011 9:40 AM.
