.Open CSci202 Laboratory 03 Pointers and Information Security
(previous): Diagrams
.See http://www/dick/cs202/lab02.html

.Open Goals
To have experimented with dangerous misuses of arrays.

To know what a buffer overrun attack is.

To know how to write C++ code that is not exposed to buffer overrun attacks.
.Close

.Open Ideal Procedure
Download (shift&click) the following awful example.
.See http://www.csci.csusb.edu/dick/cs202/lab02bad.cpp
.Box
It is designed as an example of a bad log-in program. It uses char* arrays to hold character strings and the old "str*" library to manipulate them. Each string has an extra '\0' char at the end.
.Net
#include <cstring> // defines the "str*" functions.
authenticated= ! strncmp(pwd,passwd,7); // CoMPares up to 7 characters of `pwd` and `passwd` and sets `authenticated` to true if they are equal.
if(!strcmp(name,"botting")) // compares the characters in `name` with those in "botting" and does not keep count. It tries pairs of characters until one is different or '\0'. The condition succeeds if the strings are equal.
strcpy(pwd, "123456"); // Copies "123456" into `pwd` -- this copies 6 characters and a null '\0' even if `pwd` has room for 2 characters :-(
.Close.Net
It has many faults and we will remove some of these in our laboratories. This is how it works when compiled and run:
.List
First it outputs the addresses of the three character arrays used in the program: "name", "pwd", and "passwd".

Then it enters a loop until a log-in is authenticated:
.List
It asks for a name ("botting" for example) using a function "get".

It looks up the password for the name ("botting" has "123456") using function get_password.

It asks for a password.

It tests to see if the two passwords match.

If they don't match it outputs a message and repeats from step 1 above.
.Close.List
If the two passwords match it "Welcomes" the user.
.Close.List
.Close.Box
Compile it into "lab02bad" and test it. It should work as described.

Unfortunately it falls to a simple buffer overrun attack. Run it with name 'botting' and try passwords 'x', 'xx', 'xxxx', 'xxxxxx', and so on. What happens with each? Any unexpected logins?

When you can explain to me what is going on (hint: draw a picture!) you've earned a 'D' for the lab.

Please preserve a copy of the compiled code "lab02bad" ready for
.See http://www/dick/cs202/lab06.html
a future lab.

Your task is to fix the buffer overrun. Where is the problem?
.As_is cin>>input;
in function
.As_is void get(char * askfor, int numchars, char * input)

Here are two ways to attempt to fix the problem that are fairly easy and one that is challenging (I've tried all three).
.List
The quick fix: input the user data into a 'string' variable. Then use the 'string' functions to extract a substring that fits in the given 7 character buffer. This relies on the C++ Standard Library
.See ./string.html
not having a buffer overrun in its place. So, I'll offer a max of a B in the lab for this solution.

Use a character by character low level hack: Have a single
.As_is char c;
and put the user data into it one character at a time using
.As_is cin.get(c);
until the buffer (input) is full or the user taps enter ('\n'). Then add the terminating ('\0') and discard the rest of the data by using cin.get(c) and not doing anything with c! Get this working and you've got an A.

The challenge of getline: Here you use
.As_is cin.getline(input, numchars+1, '\n');
to fill the buffer. You then need to use
.As_is cin.fail()
to see if there are any characters to discard and
.As_is cin.clear()
to clear the `fail` flag. After clearing the fail flag you can use `cin.get(...)` to discard the rest of the line. Get this working and you've got an A.
.Close.List
Pick the strategy closest to your taste, and `may the source be with you`, as you patch the code.

Show me when you are happy that it fights off the attackers, or when we are out of time.
.Close

. Deliverables
Show me an example of a buffer overrun resisted.

. Deadline
Before the end of the laboratory period.

.Open If you have time to spare
Study this web page
.See ./pointers.html
(and look for the stories and jokes).

Work on your next project.
.Close

. Hints
Do not fix the many other faults with this code. We will get to them later.

I will publish my solutions in the next lab.

.Close CSci202 Laboratory 03 Pointers and Information Security
i. Making this class safer:
.See http://www/dick/cs202/lab06.html
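
The getline strategy from the list of fixes above, sketched as an added example (it is not the instructor's published solution and not code from lab02bad.cpp). The names `get_bounded`, `Login` and `guard_survives` are hypothetical, the function reads from any `std::istream` so it can be exercised without a keyboard, and `input` is assumed to have room for numchars characters plus the '\0'.

```cpp
#include <cstring>
#include <iostream>
#include <sstream>
#include <string>

// Added example: a bounded replacement for the `cin>>input;` line in get().
// Assumption: `input` has room for numchars characters plus the final '\0'.
// Returns true when the typed line was too long and the excess was discarded.
bool get_bounded(std::istream& in, int numchars, char* input) {
    input[0] = '\0';
    // getline stores at most numchars characters and always adds the '\0'.
    in.getline(input, numchars + 1, '\n');
    if (in.eof() || !in.fail())
        return false;            // whole line fitted, or there was no more input
    // failbit without eof: the buffer filled before '\n' was reached.
    in.clear();                  // reset the fail flag so reads work again
    char c;
    while (in.get(c) && c != '\n') {
        // discard the rest of the over-long line
    }
    return true;
}

// Constructed test layout: a 6-character buffer followed by a neighbour,
// so an overrun of `pwd` would show up as damage to `guard`.
struct Login {
    char pwd[7];
    char guard[7];
};

// Feeds one constructed input line (plus a following line) through
// get_bounded and reports whether the neighbouring buffer survived.
bool guard_survives(const char* typed) {
    Login l;
    std::strcpy(l.guard, "123456");
    std::istringstream in(std::string(typed) + "\nnext\n");
    get_bounded(in, 6, l.pwd);
    return std::strcmp(l.guard, "123456") == 0 && std::strlen(l.pwd) <= 6;
}

int main() {
    std::cout << guard_survives("x") << guard_survives("xxxxxxxxxxxxxxxx") << '\n';
}
```

Calling `get_bounded(cin, numchars, input)` inside `get` keeps the rest of the program unchanged; the leftover characters of an over-long line are thrown away instead of spilling into the next prompt.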