INPUT VALIDATION ISSUES 3 - BUFFER OVERFLOW
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN3ysPFDiLz71tKNKtTbQ-gbYIMOvFyzCKI9CWL78TjPKjXRWYpCIlFmXgXhGx2AJ03-cD6Vx-LMBzN8gZzBhlbR1mLbvF3IFft3RoDMDfuNW6_eUA1t68o-9wqG_cxHU7to9FSgnsuPpq/s1600/screenshot.1.jpg)
- Connecting from Santoku to Nexus 5 with ADB:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYPhk653C14QA8vth06HWnXBRzLa4itaCupLrevAArhsXls8xlPnBjqnB7G9OexQ9Gw-iTW0IdEsuYLhnHoyJgNyT3ta6dIQkIP20bRiI7-iGSeLanLEgnTEoAxE4-6vAsDxFRU1Bfsk6C/s1600/screenshot.2.jpg)
- Launching the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz26LudzftvVhlVECnYZvnq2eZHOOhCD0Ku501fUdU0VM2la60N2SRK0UcblEUUP2u7NKDULpBFOE4H4eZbq09qhg1-k-HFMB1AvTWLoaymRoY21KQJ5kMcplr3hUecqXdIup0YuKXvHjT/s400/screenshot.3.jpg)
- Clicking the tab for challenge 13:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghi-lpJ5W_50tpAQ7zpuS-ZljxVOFn-KcUK6ukEbmR7A5c5qjNhkQIUTkGuv-3V9TobJUypVFyMpgRLAyG5phrfqSWKG5XO_82XHopl1O1yGMvJ_YNAircxI-hoQbLfFTnFcU20vcXQKco/s1600/screenshot.4.jpg)
- The application prompts the user to enter any input able to crash the app.
- Entering 1111, the application just answers "Access denied!":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-EODwG3U_xW7CbwdvmUYGAjdgE_VxCbdw33NFS2-5LM0w-nu4qZCHutNrYp4_keeoxGZhK4jAoKKH3-CvMQTItmtM8WeQL8KMYHNjhDKesrwoJfoiAT2nmAlCyB-Pr_qLUeVuovsQmWjP/s1600/screenshot.5.jpg)
- However, entering a long string of characters, let's say a string of 30 "1"s, the app crashes and stops:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4e9wKguZRWyowjWrWbpYLsvNWEVNIaPyVv9TCXq9mwT2wpq6EgWR81g09z5nZSNlGGdrZI8Cy2wDSO-oB1__5DuUdkS5qqcXt7RCAbRm8_gTn_Hahf9FsveYStM1u4xxEYXpt2HMRJwYm/s1600/screenshot.7.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqAetcxgiEKiEA3uaO7oLVHKeqZODpSpeON1X9QrAgo0WlVIMPgqPAu80d6ydo9ay4UTDQnAnUAulzSYchl_bxK6eRIL6-im70E_bzJ_tu2d8eRZdSPbYAs4pdE8Bqzc9ie5AaYWWz2RMg/s1600/screenshot.6.jpg)
- To understand what has happened inside the app, it is very convenient to examine the log generated by the command logcat.
- We see a fatal signal (SIGSEGV = segmentation fault, or segmentation violation), because the operating system considers the memory address 0x31313131 protected (0x31 is the ASCII code for the character "1"):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimbVeiQHlwslbhRVYm2tPl-I3a-liPyVyoCW4LJZG2K09pLknEQYHDy4edye4Qq3WorO-DQ8lr1ZoofNYU7QtUUvvekD1fHYJHrHaK4lHOwRhIhTnU3pYdnKsH9Z6ic_pMk3vke-XsNogM/s1600/screenshot.8.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI9wGNqzBE-PaU8u6tPeseODxbUqaw_JmW_tPl1ec26zfrOQ0LZke3D9Y1cNsBe0zj1q1zZMammQNaoRKf3s6Oewxki-NOiR-JsHUPKGRKzXqD7b2CnsK-Vfv2oTfsWgMQ0WGtvxFg-Nqq/s1600/screenshot.10.jpg)
- Looking up into the Java source code of the challenge, InputValidation3Activity.java:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXxdIiXZIdv9fZRZjdL9oFC-acbzgVViNgADYFd9jRb0G8aWCFofXO87tHaZSbBrYB0Y7jnD91ZfKY8pbVn0QQiiahdAld7CnkfQ6eaGcwvHw09cFnonsylHER96ANKmwGb0F6umyYuMIa/s1600/screenshot.16.jpg)
- The application is using JNI (Java Native Interface), which suggests that the method DivaJni is related to a program written in another language:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdbRW7zZPB-qdibqIbSoi9HLNX4yszjea3ZEQjJ4x-5vsLfsfVLLNhbB4iLGU8IU85am8e7qyqAQojNen9yq01eF6jdglIV-G-WrLyRBcVhq8PaPm2fQFO2HeJxOptzBZdtZTxRLWPcluo/s1600/screenshot.18.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0H8nT2UWLLqdZvYMhjJyBYzLaa2SopT-gOCH7pRyNfEfUXv_qg4ROT7CReD220ycTjAFzG4r8DjU7gWZ6NMt9gP1G3cBaPkmxoXO2TuI9IFgSE6IWLtOr16dIdAnmsCWOL_Vn8lyRWNOh/s1600/screenshot.17.jpg)
- Going to the source code of the application, there is a program divajni.c written in the C language:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDLueOiXNlh_k7pBEnQulyE32HpomiNU4oaZfG6R6V-E1lSGVPXvoj8eI8S8THTtoZULEGsbZ0x6WvPNBkVQt-PrQMF3wGpTsU_xFK64I2o-RL3dgUQuKXtxEyuAC9UiBOChqbO-YaNJcc/s1600/screenshot.11.jpg)
- Opening divajni.c, there is a constant (#define CODESIZEMAX 20) defining a maximum value of 20, later used as the size of the string buffer code:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGWgRpGVvT7aTtZ4q0VHDSfNLUQw2q5XrJpfCuaetY0ti5gbSwfGNMJNDjtfdNJ_GDU6RQnrU6DBZC4_M_8LinJzVIADpLe_5zPmQPCC7Ddxewx6auuOdKeHqmtl0PF_xq_Z75-c-FLobq/s1600/screenshot.15.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM-unD2u2qpBGP4HFb1u19gPxAsJL8RUhhc_9jlRQIL_xUVOaGv6H_FQzjgzzoV1VNgesk9NGeDM3u4tT0xE80zPhknwM-AxM9wU6mkUMj5dCmhrL2TPH_aNzZb2F56R5GXO6r4FYn2s6n/s400/screenshot.14.jpg)
- Also, the function strcpy copies the string entered by the user into the variable code:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuSKbICYEUzHognoXS8izndGeHhnF5hv_tiGxBjSohojgIGXCcgZNeeKIceqztYxyTZFZIEUCGsjwvieMM3SbYermP4HT2Km1IR4YYoHwqb8tlnMrferDwFLLn7wKoSdt3_loQMNMj972a/s1600/screenshot.13.jpg)
- The problem is that the function strcpy does not check whether the destination buffer is large enough to hold the source string: it keeps copying until it reaches the NUL terminator of the source.
- A consequence of this bad usage of strcpy is memory corruption, i.e. a buffer overflow, and eventually the crash of the application: the 30 "1"s do not fit in the 20-byte buffer, the excess bytes overwrite adjacent stack memory, and the 0x31313131 address seen in logcat is exactly four of those bytes.
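The pattern described above, as an added example that is not the DIVA project's own divajni.c: a fixed CODESIZEMAX buffer filled by strcpy, with a bounds-checked replacement beside it. The JNI wrapper, the secret code value and the strcmp comparison are assumptions; only the constant, the strcpy call and the buffer size come from the walkthrough.

```c
#include <stdio.h>
#include <string.h>

#define CODESIZEMAX 20

/* Assumption: the native code compares the input against a secret. */
#define SECRET_CODE "placeholder-secret"

/* Constructed input matching the walkthrough: 30 "1"s (0x31 bytes). */
const char *THIRTY_ONES = "111111111111111111111111111111";

/* Vulnerable pattern as described on the page: strcpy never looks at
 * sizeof(code), so a 30-character input writes 11 bytes past the array
 * into adjacent stack memory. Kept for comparison only; never called. */
int check_code_unsafe(const char *input)
{
    char code[CODESIZEMAX];
    strcpy(code, input);                      /* no length check */
    return strcmp(code, SECRET_CODE) == 0;
}

/* Hardened form: reject anything that would not fit together with its
 * terminating NUL before touching the destination buffer.
 * Returns 1 on match, 0 on "Access denied", -1 when the input is rejected. */
int check_code_safe(const char *input)
{
    char code[CODESIZEMAX];
    size_t len = strlen(input);
    if (len >= sizeof code)                   /* len + 1 > CODESIZEMAX */
        return -1;
    memcpy(code, input, len + 1);             /* bounded copy, NUL included */
    return strcmp(code, SECRET_CODE) == 0;
}

/* Does an input of n characters (plus NUL) fit in the code buffer? */
int fits_in_code(size_t n)
{
    return n + 1 <= CODESIZEMAX;
}

int main(void)
{
    printf("1111           -> %d\n", check_code_safe("1111"));       /* 0 */
    printf("30 x '1'       -> %d\n", check_code_safe(THIRTY_ONES));  /* -1 */
    printf("19 chars fit?  -> %d\n", fits_in_code(19));              /* 1 */
    printf("20 chars fit?  -> %d\n", fits_in_code(20));              /* 0 */
    return 0;
}
```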