The so-called overflow in a broad sense is out of scope , Integer overflow , such as 8 Byte unsigned integers are 0 reach 255 0 - 1 It's underflow 255 + 1 It is overflow On the subject int f(int x) {
int a[10]; a[11] = x; }
This is stack overflow ,x It's written where it shouldn't be written . In a specific compilation mode , this x Will be covered f Original return address . That is, it should have returned to the call location f function , Back to x Where to point . Normally, the program crashes . But if x Was deliberately targeted at a piece of malicious code , This malicious code will be executed .
Heap overflow is relatively complex , Because the implementation of various environment heaps is not exactly the same . However, the program managed heap must have additional data to mark the various information of the heap . If the heap memory is assigned as above, the logical structure of the heap may be destroyed . And then modify the data that could not be accessed .
int f(char *s, int n) { char a[10]; memcpy(a, s, n); }
This is a more realistic example of stack overflow , If the incoming data length is greater than 10 It will cause overflow , And then change f Return address of . As long as malicious code is written to a specific address in advance , The code will be executed .
One case of heap overflow executing malicious code is to destroy the heap structure by too long data , Enables the next application to be able to obtain the location of some specific function pointers , Then modify it .
A common feature of stack overflow and heap overflow is that the third party can completely rely on providing specific data to achieve code level intrusion . If you play games, you may know PSP3000 The crack of , What we use is PSP systems display tiff A file overflow vulnerability .tiff The file contains an intrusion code , load tiff This code will also be loaded when the file is loaded , It's just that at this time, it's impossible for each to be executed . however tiff Some of the data in is very long , And the extra long part contains the location of the intrusion code . When the system reads this part of the data, the intrusion code will be executed .

©2019-2020 Toolsou All rights reserved,
Final review of database : Summary of comprehensive application questions Laplance operator ( Second derivative ) Simple learning of computer composition principle pyqt Button call python program _PyQt: Link button to function in program How much can you go up once you change jobs ? Today, I saw the ceiling of job hopping python in str Function usage _python in str Usage Summary of built-in functions MySQL trigger web The server nginx---linux Installation and deployment C++ Chapter V polymorphism exercises :( It's coming to an end )python Check built-in functions , How to check python Built in function