Intro
Most vulnerabilities in C are related to buffer overflows and string manipulation. In most cases, this would result in a segmentation fault, but specially crafted malicious input values, adapted to the architecture and environment could yield to arbitrary code execution. You will find below a list of the most common errors and suggested fixes/solutions. (Some tips for C++ are available here.)
gets
The stdio gets() function does not check for buffer length and always results in a vulnerability.
Vulnerable code
#include <stdio.h> int main () { char username[8]; int allow = 0; printf ("Enter your username, please: "); gets(username); // user inputs "malicious" if (grantAccess(username)) { allow = 1; } if (allow != 0) { // has been overwritten by the overflow of the username. privilegedAction(); } return 0; }
Mitigation
Prefer using fgets (and dynamically allocated memory!):
#include <stdio.h> #include <stdlib.h> #define LENGTH 8 int main () { char* username, *nlptr; int allow = 0; username = malloc(LENGTH * sizeof(*username)); if (!username) return EXIT_FAILURE; printf ("Enter your username, please: "); fgets(username,LENGTH, stdin); // fgets stops after LENGTH-1 characters or at a newline character, which ever comes first. // but it considers \n a valid character, so you might want to remove it: nlptr = strchr(username, '\n'); if (nlptr) *nlptr = '\0'; if (grantAccess(username)) { allow = 1; } if (allow != 0) { priviledgedAction(); } free(username); return 0; }