SDL Digest, Vol 11, Issue 32

In reply to:
---------------------------------------------------------------------------------------
Anytime you write to a memory buffer, there is the potential for a buffer
overflow (unless the function doing the writing checks the buffer size, which
sprintf doesn't). However, converting an integer or a double into ASCII with
sprintf and a buffer size of 256 is not going to overflow.

Overflowing a buffer will scribble data over memory other than the buffer. In
this case it might be the stack, which could corrupt your return address and
then execute random code when returning from the function. This is a popular
exploit among crackers; more effective on Windows than other OSs (simply
because Windows allows ordinary users privileges that other OSs don't).

Stack overflows are possible across most OSs, and I wouldn't say more
effective on Windows because it allows users more privileges; that
doesn't really apply to exploitation.

Note that the heap is just as vulnerable when using a weak
implementation, be it PHK malloc on BSD or a ptmalloc2 without patches
in Linux, or exploiting MS's RtlHeap without patches (as in XP Service
Pack 2).

Always check size on user input. Be careful with off-by-ones. Know
which functions append a NULL and which do not.
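To make the size reasoning in this thread concrete, here is an added C example (mine, not code from either poster or from SDL). It measures how many characters sprintf's %d, %g and %f conversions actually need for the extreme values of int and double, uses snprintf's return value to detect truncation instead of writing past the end of the 256-byte buffer the thread mentions, and shows that strncpy leaves the destination unterminated when the source fills it. The function names and the 'a'-filled test strings are constructed for the example.

```c
#include <float.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256  /* the 256-byte buffer from the thread */

/* Number of characters a conversion needs, excluding the NUL, without
 * writing anywhere: snprintf with a NULL buffer and size 0 (C99). */
int needed_len_int(int v)         { return snprintf(NULL, 0, "%d", v); }
int needed_len_double_g(double v) { return snprintf(NULL, 0, "%g", v); }
int needed_len_double_f(double v) { return snprintf(NULL, 0, "%f", v); }

/* Bounded replacement for sprintf(buf, "%f", v). snprintf never writes
 * past buf_size and always NUL-terminates when buf_size > 0, but its
 * return value is the length it *wanted*; a value >= buf_size means the
 * output was cut. Returns 1 if the whole value fitted, 0 if truncated. */
int format_double_checked(char *buf, size_t buf_size, double v)
{
    int n = snprintf(buf, buf_size, "%f", v);
    return n >= 0 && (size_t)n < buf_size;
}

/* Same check against the thread's 256-byte buffer (constructed helper). */
int double_fits_in_256(double v)
{
    char buf[BUF_SIZE];
    return format_double_checked(buf, sizeof buf, v);
}

/* strncpy pads with NULs only when the source is shorter than n; when
 * src_len >= n it copies n bytes and appends nothing. Builds a source of
 * src_len 'a' characters, copies at most n bytes, and returns 1 if the
 * destination ends up NUL-terminated within n bytes, 0 if it does not,
 * -1 if the arguments exceed the demo's buffers. */
int strncpy_terminates(size_t src_len, size_t n)
{
    char src[BUF_SIZE + 1];
    char dst[BUF_SIZE];
    if (src_len > BUF_SIZE || n > BUF_SIZE)
        return -1;
    memset(src, 'a', src_len);
    src[src_len] = '\0';
    memset(dst, 'X', sizeof dst);   /* poison so a missing NUL is visible */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* The off-by-one rule: a string of len characters needs len + 1 bytes. */
int fits_with_nul(size_t len, size_t buf_size)
{
    return len + 1 <= buf_size;
}

int main(void)
{
    printf("%%d of INT_MIN needs %d chars\n", needed_len_int(INT_MIN));
    printf("%%g of DBL_MAX needs %d chars\n", needed_len_double_g(DBL_MAX));
    printf("%%f of DBL_MAX needs %d chars\n", needed_len_double_f(DBL_MAX));
    printf("%%f of 3.14159 fits in 256? %d\n", double_fits_in_256(3.14159));
    printf("%%f of DBL_MAX fits in 256? %d\n", double_fits_in_256(DBL_MAX));
    printf("strncpy 255 chars into 256 terminated? %d\n",
           strncpy_terminates(255, 256));
    printf("strncpy 256 chars into 256 terminated? %d\n",
           strncpy_terminates(256, 256));
    return 0;
}
```

The numbers are the point: %d of a 32-bit int needs at most 11 characters and %g of DBL_MAX needs 12, so 256 bytes is ample for those, but %f of DBL_MAX needs 316 characters (309 integer digits plus ".000000"), so the same buffer overflows with plain sprintf and merely truncates with snprintf. Checking the return value, or measuring first with a NULL buffer, is the size check the last paragraph asks for; the strncpy case shows why knowing which functions append the NUL matters.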