Return to function, difference between strcpy() and memcpy()

Asked May 24 '13 at 08:03

Active May 24 '13 at 10:07

Viewed 605 times

The paxtest program includes some interesting tests, among many others it apparently tests if strcpy and memcpy can overwrite a return pointer on the stack:

(from rettofunc1.c)

void doit( void )
{ 
    char buf[4];

    if (strlen((const char *)overflow) > sizeof(overflow[0])) {
        strcpy( buf, (const char *)overflow );
    } else {
        fprintf( stderr, "paxtest: return address contains a NULL byte.\n" );
        exit(1);
    }
}

and (from rettofunc2.c)

void doit( void )
{     
     char buf[4];

    memcpy( buf, overflow, sizeof( overflow ) );
}

My question is why is my system (standard Slackware 14.0, unpatched) vulnerable to strcpy but not memcpy? Why does it matter which function is used to write to the stack?

It should also be noted that this was compiled for 32-bit, with 64-bit the return address contains a NULL byte and it fails with strcpy too.

edited May 24 '13 at 10:07

Grijesh Chauhan

57,103
20
141
208

asked May 24 '13 at 08:03

csstudent2233

`overflow` should be null terminated and <= length 3 and what is `strlen((const char *)overflow) > sizeof(overflow[0])` means ? – Grijesh Chauhan May 24 '13 at 08:05
overflow is properly terminated in rettofunc1.c. The other statement is just a way to determine if the pointers contain null bytes (which is the case for 64-bit). – csstudent2233 May 24 '13 at 09:01
sorry you still not getting answer because of wrong tags – Grijesh Chauhan May 24 '13 at 09:24

Return to function, difference between strcpy() and memcpy()

0 Answers0