The first known attack that exploited a buffer overflow was the RTM Internet worm. It attacked the finger daemon, which used the gets function to read the user name sent by the client and then sent information about that user back to the client. The code looked roughly like this:
#include <stdio.h>

void
finger_server(void)
{
    char username[128];
    gets(username);            /* no bound: reads until newline, however long the line is */
    print_userinfo(username);  /* looks up and prints information about this user */
}
This code does nothing harmful as long as the user name never exceeds 128 bytes (including the terminating NUL byte). However, if the user name is longer than 127 characters, gets writes past the end of the username buffer, because it is never told the size of the destination buffer.
Most of the time, memory corruption simply makes a program crash, which is a nuisance. Under some circumstances, however, this category of bug also has security implications. For instance, if the code above runs as part of a network service, an attacker who controls the input may be able to execute arbitrary commands on the host running that server.
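The defect above is that gets receives no buffer size. The following added example (not code from the worm-era finger daemon or from this book) shows a bounded replacement for the read in finger_server: the capacity of username is passed explicitly, a name that does not fit is rejected rather than silently truncated, and the 298-character name that would have overflowed the 128-byte buffer is a constructed sample. The helper read_from_string and the use of fmemopen are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* An over-long name is an explicit error, not a silent truncation whose
 * tail could later be parsed as a second request. */
enum read_result { READ_OK, READ_TOO_LONG, READ_EOF };

/* Bounded replacement for gets(): never writes more than cap bytes into buf,
 * strips the trailing CR/LF, and reports a line that does not fit. */
enum read_result read_username(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return READ_EOF;
    size_t len = strcspn(buf, "\r\n");
    if (buf[len] == '\0' && len == cap - 1) {
        /* fgets() stopped because the buffer is full, not at a newline. */
        int c = fgetc(in);
        if (c == EOF || c == '\n')      /* exactly cap-1 chars: it fits */
            return READ_OK;
        while (c != EOF && c != '\n')   /* too long: drain the rest */
            c = fgetc(in);
        buf[0] = '\0';
        return READ_TOO_LONG;
    }
    buf[len] = '\0';
    return READ_OK;
}

/* Demo helper: treat a constructed string as the client connection. */
enum read_result read_from_string(const char *wire, char *out, size_t cap)
{
    FILE *in = fmemopen((void *)wire, strlen(wire), "r");
    if (in == NULL)
        return READ_EOF;
    enum read_result r = read_username(in, out, cap);
    fclose(in);
    return r;
}

int main(void)
{
    char username[128], big[300];
    memset(big, 'A', sizeof big - 2);          /* 298-char name, constructed */
    big[sizeof big - 2] = '\n';
    big[sizeof big - 1] = '\0';
    printf("298-char name -> %d (1 = READ_TOO_LONG, nothing overflowed)\n",
           (int)read_from_string(big, username, sizeof username));
    return 0;
}
```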
In this chapter, we will explore common exploitation methods for vulnerabilities of this type, and remedies against them.