hi
I was playing around with a couple of attacks.
While looking at stack-smash attacks I was surprised.
Simple strcpy attack / no gcc options (defaults):
- the stack smash is detected in 'main'
- the stack smash is NOT detected in 'foo'
A look at the assembler code file shows that
no code is generated in the pro-/epilog of 'foo'.
The gcc man page did not enlighten me :( while googling
did, partially:
-fstack-protector : Enable stack protection for functions which contain
character arrays.
-fno-stack-protector : Disable use of stack protection (ProPolice).
-fstack-protector-all : Enable stack protection for all functions.
-fno-stack-protector-all : Disables stack protection for all functions.
This does not yet explain the observed behavior, since 'foo' contains a
character array. But it pointed me to -fstack-protector-all. Using this
option the smash is caught.
Why is only the smash in main detected?
I used the following example:
    #include <stdio.h>
    #include <string.h>                 /* strcpy() needs this */

    char *src = "sehr langer string";   /* 18 chars + NUL, far more than dst holds */

    /* deliberately overflows dst: strcpy() copies up to the NUL, ignoring sizeof(dst) */
    void foo( char * src )
    {
        char dst[5];
        strcpy( dst, src );
    }

    int main(int argc, char* argv[])
    {
    #ifdef SMASH_MAIN
        char dst[5];            /* same overflow, but in main's own frame */
        strcpy( dst, src );
    #else
        foo( src );             /* overflow happens in foo's frame instead */
    #endif
        return 0;
    }
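One way to see per function which frames actually received a canary, as an added example that is not part of the original post: scan the assembler file produced by `gcc -S` for a `__stack_chk_fail` reference between a function's label and its `.size` directive (GAS/ELF layout). The assembler text embedded below is a constructed, trimmed x86-64 sample standing in for the real output of `gcc -S -fstack-protector smash.c -o smash.s`; the file name smash.c is an assumption.

```shell
#!/bin/sh
# has_canary FILE.s FUNC
# Exit 0 if FUNC's body (from "FUNC:" to ".size FUNC, .-FUNC") references
# __stack_chk_fail, i.e. gcc emitted a canary check for that frame; else exit 1.
has_canary() {
    awk -v fn="$2" '
        $0 == fn ":"                              { inside = 1 }   # GAS label opens the body
        inside && /__stack_chk_fail/              { found = 1 }
        inside && $1 == ".size" && $2 == fn ","   { inside = 0 }   # .size closes the body
        END { exit found ? 0 : 1 }
    ' "$1"
}

# report FILE.s FUNC...  -> one line per function
report() {
    f=$1; shift
    for fn in "$@"; do
        if has_canary "$f" "$fn"; then echo "$fn: canary"; else echo "$fn: no canary"; fi
    done
}

# Constructed sample (not real compiler output): foo carries no canary code,
# main loads %fs:40, compares it in the epilog and calls __stack_chk_fail.
SAMPLE_S=$(mktemp)
trap 'rm -f "$SAMPLE_S"' EXIT
cat > "$SAMPLE_S" <<'EOF'
    .text
    .globl  foo
    .type   foo, @function
foo:
    pushq   %rbp
    movq    %rsp, %rbp
    subq    $32, %rsp
    call    strcpy
    leave
    ret
    .size   foo, .-foo
    .globl  main
    .type   main, @function
main:
    pushq   %rbp
    movq    %fs:40, %rax
    movq    %rax, -8(%rbp)
    call    strcpy
    movq    -8(%rbp), %rax
    xorq    %fs:40, %rax
    je      .L3
    call    __stack_chk_fail
.L3:
    leave
    ret
    .size   main, .-main
EOF

report "$SAMPLE_S" foo main
```

Run it against a real .s file built once with -fstack-protector and once with -fstack-protector-all to compare; note that gcc's -fstack-protector also applies a minimum buffer-size heuristic (--param ssp-buffer-size, default 8), so inspecting the assembler output is the reliable way to know which functions were instrumented.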