0x342 Overflowing Function Pointers
If you have played with the game_of_chance.c program enough, you will realize
that, as at a casino, most of the games are statistically weighted in favor of
the house. This makes winning credits difficult, no matter how lucky you might
be. Perhaps there's a way to even the odds a bit. This program uses a function
pointer to remember the last game played. This pointer is stored in the user
structure, which is declared as a global variable. This means all the memory
for the user structure is allocated in the bss segment.
From game_of_chance.c

    // Custom user struct to store information about users
    struct user {
        int uid;
        int credits;
        int highscore;
        char name[100];
        int (*current_game) ();
    };
    ...
    // Global variables
    struct user player;    // Player struct
The name buffer in the user structure is a likely place for an overflow.
This buffer is set by the input_name() function, shown below:
    // This function is used to input the player name, since
    // scanf("%s", &whatever) will stop input at the first space.
    void input_name() {
        char *name_ptr, input_char='\n';
        while(input_char == '\n')               // Flush any leftover
            scanf("%c", &input_char);           // newline chars.
        name_ptr = (char *) &(player.name);     // name_ptr = player name's address
        while(input_char != '\n') {             // Loop until newline.
            *name_ptr = input_char;             // Put the input char into name field.
            scanf("%c", &input_char);           // Get the next char.
            name_ptr++;                         // Increment the name pointer.
        }
        *name_ptr = 0;                          // Terminate the string.
    }
This function stops reading input only at a newline character. Nothing limits
the input to the length of the destination name buffer, so an overflow is
possible. In order to take advantage of the overflow, we need to make the
program call the function pointer after it is overwritten. This happens in the
play_the_game() function, which is called when any game is selected from the
menu. The following code snippet is part of the menu selection code, used
for picking and playing a game.
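The reason the name buffer is such a convenient overflow target is its position in the struct: the function pointer current_game sits directly after name[100], so the first byte written past the buffer lands in the pointer. The following added example (not code from the book or from game_of_chance.c) mirrors the struct layout, measures that gap with offsetof, and shows the bounds check that input_name() is missing. The functions name_to_pointer_gap, input_name_bounded and pointer_survives_long_input, and the dummy_game stand-in for a game function, are assumptions made for this example; input_name_bounded reads from a string standing in for what the player types, so it can be checked without a terminal.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

// Assumed mirror of the struct from game_of_chance.c (same field order),
// declared here so the example compiles on its own.
struct user {
    int uid;
    int credits;
    int highscore;
    char name[100];
    int (*current_game)(void);
};

// Global player struct, as on the page: lives in the bss segment.
struct user player;

// Distance in bytes from the first byte of name to the function pointer.
// With this field order nothing lies between them, so any write past
// name[99] lands in current_game.
size_t name_to_pointer_gap(void) {
    return offsetof(struct user, current_game) - offsetof(struct user, name);
}

// Hardened replacement for input_name(). 'input' stands in for the bytes the
// player types (a constructed stdin), ending at a newline or NUL. Stores at
// most sizeof(name)-1 characters, always NUL-terminates, and discards the rest
// of the line instead of writing it past the buffer. Returns the count stored.
size_t input_name_bounded(const char *input, struct user *u) {
    const char *p = input;
    size_t n = 0;

    while (*p == '\n')                 // Flush any leftover newline chars.
        p++;
    while (*p != '\0' && *p != '\n') { // Loop until newline.
        if (n < sizeof u->name - 1)    // The length check the original lacks.
            u->name[n++] = *p;
        p++;                           // Excess input is consumed, not stored.
    }
    u->name[n] = '\0';                 // Terminate the string.
    return n;
}

// Stand-in for a game function (assumption for the self-check below).
static int dummy_game(void) { return 0; }

// Self-check: feed a name of input_len bytes and confirm the function pointer
// adjacent to the buffer is untouched and the name was truncated correctly.
// Returns 1 if both hold, 0 otherwise.
int pointer_survives_long_input(size_t input_len) {
    char line[512];                    // constructed oversized input line
    size_t expect;
    if (input_len > sizeof line - 2)
        input_len = sizeof line - 2;
    memset(line, 'A', input_len);
    line[input_len] = '\n';
    line[input_len + 1] = '\0';

    player.current_game = dummy_game;
    input_name_bounded(line, &player);

    expect = input_len < sizeof player.name ? input_len : sizeof player.name - 1;
    return player.current_game == dummy_game && strlen(player.name) == expect;
}

int main(void) {
    printf("bytes from name[0] to current_game: %zu\n", name_to_pointer_gap());
    printf("pointer intact after 150-byte name: %d\n", pointer_survives_long_input(150));
    return 0;
}
```

On common 32- and 64-bit ABIs the three ints occupy 12 bytes and the pointer is naturally aligned at offset 112, so the gap is exactly the 100 bytes of the name buffer; the 101st character typed is the one that starts overwriting current_game in the original code, and the one the bounded version drops.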