Stack smashing is a fancy term used for stack buffer overflows. It refers to attacks that exploit bugs in code that enable buffer overflows.

Earlier it was solely the responsibility of programmers/developers to make sure that there was no possibility of a buffer overflow in their code, but with time compilers like gcc have gained flags to make sure that buffer overflow bugs are not exploited by crackers to damage a system or a program.

I came to know about these flags when I was trying to reproduce a buffer overflow on my Ubuntu 12.04 with gcc 4.6.3. Here is what I was trying to do:

```c
#include <stdio.h>
#include <string.h>
int main(void) {
    char str[10];                /* 10-byte buffer; longer input overflows it */
    gets(str);                   /* Used gets() to cause buffer overflow */
    int len = strlen(str);
    printf("\n len of string entered is : %d\n", len);
}
```

In the code above, I have used gets() to accept a string from the user, then calculated the length of this string and printed it back on stdout. The idea here is to input a string whose length is more than 10 bytes. Since gets() does not check array bounds, it will try to copy the whole input into the str buffer, and this way a buffer overflow will take place.

This is what happened when I executed the program:

```
$
```

Well, this came as a pleasant surprise: the execution environment was somehow able to detect the buffer overflow in this case. In the output you can see that stack smashing was detected. This prompted me to explore how the buffer overflow was detected. While searching for the reason, I came across the gcc flag '-fstack-protector'. Here is the description of this flag (from the man page):

Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.

NOTE: In Ubuntu 6.10 and later versions this option is enabled by default for C, C++, ObjC, ObjC++, if none of -fno-stack-protector, -nostdlib, nor -ffreestanding are found.

So you see that gcc has got this flag that emits extra code to check for buffer overflows.
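To make the man-page description concrete, here is an added example of my own (not code from the post, and not gcc's implementation) that emulates what the guard variable does: it is set when the "function" is entered, a gets()-style unbounded copy is made into the buffer, and the guard is checked on exit, next to an fgets()-style bounded copy that never reaches the guard. The struct frame, frame_enter, frame_leave, guard_survives_* and bounded_length names and the GUARD byte string are constructed for this demo; real gcc/glibc use a per-process random canary and call __stack_chk_fail() on a mismatch, which is where the "stack smashing detected" message and the exit come from.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10   /* same size as str[] in the post */

/* Constructed guard value for the demo; gcc/glibc use a random per-process canary. */
static const unsigned char GUARD[8] = {0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D};

/* Emulated stack frame: the buffer sits directly below the guard, so the
 * first byte written past buffer[BUF_LEN-1] lands on guard[0]. */
struct frame {
    char buffer[BUF_LEN];
    unsigned char guard[8];
};

/* Function prologue: initialise the guard. */
static void frame_enter(struct frame *f) {
    memset(f->buffer, 0, BUF_LEN);
    memcpy(f->guard, GUARD, sizeof GUARD);
}

/* Function epilogue: 1 if the guard is intact, 0 if it was smashed
 * (the point where gcc's generated code would call __stack_chk_fail). */
static int frame_leave(const struct frame *f) {
    return memcmp(f->guard, GUARD, sizeof GUARD) == 0;
}

/* gets()-style copy: no bounds check against BUF_LEN. The copy is capped at
 * the frame size only so this demo stays within defined behaviour. */
static void copy_unbounded(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;            /* include the terminating NUL */
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
}

/* fgets()-style copy: writes at most BUF_LEN-1 characters plus the NUL. */
static void copy_bounded(struct frame *f, const char *input) {
    snprintf(f->buffer, BUF_LEN, "%s", input);
}

/* Returns 1 if the guard survives an unbounded copy of input, else 0. */
int guard_survives_unbounded(const char *input) {
    struct frame f;
    frame_enter(&f);
    copy_unbounded(&f, input);
    return frame_leave(&f);
}

/* Returns 1 if the guard survives a bounded copy of input, else 0. */
int guard_survives_bounded(const char *input) {
    struct frame f;
    frame_enter(&f);
    copy_bounded(&f, input);
    return frame_leave(&f);
}

/* Length left in the buffer after a bounded copy (never more than BUF_LEN-1). */
int bounded_length(const char *input) {
    struct frame f;
    frame_enter(&f);
    copy_bounded(&f, input);
    return (int)strlen(f.buffer);
}

int main(void) {
    const char *inputs[] = {"123456789", "0123456789", "a string much longer than ten bytes"};
    for (size_t i = 0; i < 3; i++) {
        printf("%-38s unbounded: %s  bounded: %s\n", inputs[i],
               guard_survives_unbounded(inputs[i]) ? "guard intact" : "stack smashing detected",
               guard_survives_bounded(inputs[i]) ? "guard intact" : "stack smashing detected");
    }
    return 0;
}
```

Nine characters plus the NUL fit in the ten-byte buffer and leave the guard alone; a ten-character input already overwrites guard[0] with the terminating NUL, which is exactly the "more than the buffer can hold" condition the post triggers with gets(). The bounded path shows the fix a developer controls: with fgets(str, sizeof str, stdin) in place of gets(), no input length can touch the guard, so the program does not depend on the compiler's check at all. With the real program, the threshold can differ slightly because gcc aligns the buffer within the frame, and building with -fno-stack-protector (mentioned in the man page text above) removes the check entirely, which is why it should stay enabled.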