Solution

Note

Clicking the button below automatically creates a blood oath with the course. It only works if you actually tried to do the exercise beforehand. Click at your own risk.

Reveal the solution.

Using the debugger you probably noticed that the words array contains the same word multiple times, or complete garbage (depending on where you placed your break point). If you looked even more closely, you may noticed that it contains the same pointer pointing to the same address multiple times.

The root cause is the input function. Let’s see why. Here is a stripped down version of the exercise program, focusing on the problem. Click on the buttons below to simulate this program’s stack line by line.

#include <stdio.h>
#include <stdlib.h>

char* input(void) {
    char word[4] = {0, 0, 0, 0}; // 4 bytes, stack allocated.
    fgets(word, 4, stdin);
    return word; // Return an address to the stack!
}

int main(void) {
    int i = 0; // 4 bytes, stack allocated.
    char* words[2] = {NULL, NULL}; // 8 bytes, stack allocated (assuming 32-bits pointers).
    for (i = 0; i < 2; i++) {
        words[i] = input();
        printf("words[%d] == %s\n", i, words[i]);
    }
    return 0;
}

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 ????????
│ ffffdff4 ????????
│ ffffdff0 ????????
│ ffffdfec ????????
│ ffffdfe8 ????????
│ ffffdfe4 ??
│ ffffdfe3 ??
│ ffffdfe2 ??
│ ffffdfd1 ??

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000000 i
│ ffffdff4 ????????
│ ffffdff0 ????????
│ ffffdfec ????????
│ ffffdfe8 ????????
│ ffffdfe4 ??
│ ffffdfe3 ??
│ ffffdfe2 ??
│ ffffdfd1 ??

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000000 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 00000000 words[0]
│ ffffdfec ????????
│ ffffdfe8 ????????
│ ffffdfe4 ??
│ ffffdfe3 ??
│ ffffdfe2 ??
│ ffffdfd1 ??

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000000 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 00000000 words[0]
│ ffffdfec ????????
│ ffffdfe8 ????????
│ ffffdfe4 ??
│ ffffdfe3 ??
│ ffffdfe2 ??
│ ffffdfd1 ??

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000000 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 00000000 words[0]
│ ffffdfec ???????? <input's return address>
│ ffffdfe8 ???????? <input's stored ebp>
│ ffffdfe4 ??
│ ffffdfe3 ??
│ ffffdfe2 ??
│ ffffdfd1 ??

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000000 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 00000000 words[0]
│ ffffdfec ???????? <input's return address>
│ ffffdfe8 ???????? <input's stored ebp>
│ ffffdfe4 00 '\0'  word[3]
│ ffffdfe3 00 '\0'  word[2]
│ ffffdfe2 00 '\0'  word[1]
│ ffffdfd1 00 '\0'  word[0]

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000000 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 00000000 words[0]
│ ffffdfec ???????? <input's return address>
│ ffffdfe8 ???????? <input's stored ebp>
│ ffffdfe4 00 '\0'  word[3]
│ ffffdfe3 43 'C'   word[2]
│ ffffdfe2 42 'B'   word[1]
│ ffffdfd1 41 'A'   word[0]

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000000 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 00000000 words[0]
│ ffffdfec ???????? <input's return address>
│ ffffdfe8 ???????? <input's stored ebp>
│ ffffdfe4 00 '\0'  word[3]
│ ffffdfe3 43 'C'   word[2]
│ ffffdfe2 42 'B'   word[1]
│ ffffdfd1 41 'A'   word[0]

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000000 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 ffffdfd1 words[0] ────────────────┐
│ ffffdfec ???????? <input's return address> │
│ ffffdfe8 ???????? <input's stored ebp>     │
│ ffffdfe4 00 '\0'  word[3]                  │
│ ffffdfe3 43 'C'   word[2]                  │
│ ffffdfe2 42 'B'   word[1]                  │
│ ffffdfd1 41 'A'   word[0] 🭮────────────────┘

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000000 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 ffffdfd1 words[0] ─────────────────┐
│ ffffdfec ???????? <printf's return address> │
│ ffffdfe8 ???????? <printf's stored ebp>     │
│ ffffdfe4 ??       <printf's variables>      │
│ ffffdfe3 ??       <printf's variables>      │
│ ffffdfe2 ??       <printf's variables>      │
│ ffffdfd1 ??       <printf's variables> 🭮────┘

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000001 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 ffffdfd1 words[0] ─────────────────┐
│ ffffdfec ???????? <printf's return address> │
│ ffffdfe8 ???????? <printf's stored ebp>     │
│ ffffdfe4 ??       <printf's variables>      │
│ ffffdfe3 ??       <printf's variables>      │
│ ffffdfe2 ??       <printf's variables>      │
│ ffffdfd1 ??       <printf's variables> 🭮────┘

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000001 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 ffffdfd1 words[0] ────────────────┐
│ ffffdfec ???????? <input's return address> │
│ ffffdfe8 ???????? <input's stored ebp>     │
│ ffffdfe4 ??       <printf's variables>     │
│ ffffdfe3 ??       <printf's variables>     │
│ ffffdfe2 ??       <printf's variables>     │
│ ffffdfd1 ??       <printf's variables> 🭮───┘

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000001 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 ffffdfd1 words[0] ────────────────┐
│ ffffdfec ???????? <input's return address> │
│ ffffdfe8 ???????? <input's stored ebp>     │
│ ffffdfe4 00 '\0'  word[3]                  │
│ ffffdfe3 00 '\0'  word[2]                  │
│ ffffdfe2 00 '\0'  word[1]                  │
│ ffffdfd1 00 '\0'  word[0] 🭮────────────────┘

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000001 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 ffffdfd1 words[0] ────────────────┐
│ ffffdfec ???????? <input's return address> │
│ ffffdfe8 ???????? <input's stored ebp>     │
│ ffffdfe4 00 '\0'  word[3]                  │
│ ffffdfe3 46 'F'   word[2]                  │
│ ffffdfe2 45 'E'   word[1]                  │
│ ffffdfd1 44 'D'   word[0] 🭮────────────────┘

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000001 i
│ ffffdff4 00000000 words[1]
│ ffffdff0 ffffdfd1 words[0] ────────────────┐
│ ffffdfec ???????? <input's return address> │
│ ffffdfe8 ???????? <input's stored ebp>     │
│ ffffdfe4 00 '\0'  word[3]                  │
│ ffffdfe3 46 'F'   word[2]                  │
│ ffffdfe2 45 'E'   word[1]                  │
│ ffffdfd1 44 'D'   word[0] 🭮────────────────┘

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000001 i
│ ffffdff4 ffffdfd1 words[1] ────────────────┐
│ ffffdff0 ffffdfd1 words[0] ────────────────┤
│ ffffdfec ???????? <input's return address> │
│ ffffdfe8 ???????? <input's stored ebp>     │
│ ffffdfe4 00 '\0'  word[3]                  │
│ ffffdfe3 46 'F'   word[2]                  │
│ ffffdfe2 45 'E'   word[1]                  │
│ ffffdfd1 44 'D'   word[0] 🭮────────────────┘

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000001 i
│ ffffdff4 ffffdfd1 words[1] ─────────────────┐
│ ffffdff0 ffffdfd1 words[0] ─────────────────┤
│ ffffdfec ???????? <printf's return address> │
│ ffffdfe8 ???????? <printf's stored ebp>     │
│ ffffdfe4 ??       <printf's variables>      │
│ ffffdfe3 ??       <printf's variables>      │
│ ffffdfe2 ??       <printf's variables>      │
│ ffffdfd1 ??       <printf's variables> 🭮────┘

🭯 Address  Data
│ ffffe000 ???????? <main's return address>
│ ffffdffc ???????? <main's stored ebp>
│ ffffdff8 00000002 i
│ ffffdff4 ffffdfd1 words[1] ─────────────────┐
│ ffffdff0 ffffdfd1 words[0] ─────────────────┤
│ ffffdfec ???????? <printf's return address> │
│ ffffdfe8 ???????? <printf's stored ebp>     │
│ ffffdfe4 ??       <printf's variables>      │
│ ffffdfe3 ??       <printf's variables>      │
│ ffffdfe2 ??       <printf's variables>      │
│ ffffdfd1 ??       <printf's variables> 🭮────┘

As we can see above, input’s issue is that it returns data from its stack, data which gets overwritten right away when another function is called. So, what do you think the fix would be?

Tip

Click here to get a first hint.

Don’t use the stack, use the heap. How would you allocate memory on the heap?

Click here to get a second hint.

malloc. malloc is the solution. Don’t forget its friend, free.

Keyboard shortcuts

INFOB301: Computer Security

Solution