Use a longer string in the CRC4 buffer overflow example.

On some newer compiler versions, compiler optimizations and loop unrolling
change the memory layout so that 64 bytes are not enough to overwrite the
return address reliably.

PiperOrigin-RevId: 240343358
Change-Id: Ifb1a1dc1cb482793b7387887f0fd68a237879227
Christian Blichmann 2019-03-26 07:27:53 -07:00 committed by Copybara-Service
parent 137426c9dd
commit 33206c5d3f
2 changed files with 5 additions and 6 deletions


@ -17,6 +17,7 @@
#include <syscall.h> #include <syscall.h>
#include <cstdint>
#include <cstring> #include <cstring>
#include <glog/logging.h> #include <glog/logging.h>
@ -66,7 +67,8 @@ int main(int argc, char** argv) {
// Make sure we don't inline the function. See the comment in // Make sure we don't inline the function. See the comment in
// ComputeCRC4Impl() for more details. // ComputeCRC4Impl() for more details.
std::function<uint32_t(const uint8_t*, uint64_t)> ComputeCRC4 = ComputeCRC4Impl; std::function<uint32_t(const uint8_t*, uint64_t)> ComputeCRC4 =
ComputeCRC4Impl;
uint32_t crc4 = ComputeCRC4(buffer.data(), buffer.size()); uint32_t crc4 = ComputeCRC4(buffer.data(), buffer.size());


@ -61,11 +61,8 @@ TEST_F(CRC4Test, TestExploitAttempt) {
std::string output; std::string output;
SAPI_ASSERT_OK_AND_ASSIGN( SAPI_ASSERT_OK_AND_ASSIGN(
int exit_code, int exit_code, util::Communicate({path_, "-input", std::string(128, 'A')},
util::Communicate( env_, &output));
{path_, "-input",
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
env_, &output));
LOG(INFO) << "Output: " << output; LOG(INFO) << "Output: " << output;
EXPECT_THAT(exit_code, Eq(3)); EXPECT_THAT(exit_code, Eq(3));
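Review bot: The new `std::string(128, 'A')` argument and the expected `Eq(3)` are both unexplained literals, and the commit message says the required length depends on compiler version and optimization, so the test stays tied to a toolchain-dependent stack layout. I would name the length and record the reason beside it, for example `constexpr size_t kOverflowInputLen = 128;  // 64 bytes no longer overwrites the return address reliably on newer compilers`. The `EXPECT_THAT` line should also get a comment stating which outcome exit code 3 represents (presumably the sandbox reporting a violation; confirm against main()), so that a failure here can be told apart from an unrelated crash. The body of TestExploitAttempt begins outside this hunk.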