If one avoids methods or classes that have constructors that take buffer parameters, will one be avoiding buffer overflow attacks?

  • Question

  • If one avoids methods or classes that have constructors that take buffer parameters, will one be avoiding buffer overflow attacks?

    In Java, I have found a video (linked below) that shows how Oracle Developer Studio highlights these methods and vulnerabilities when you're running your application. Has Microsoft addressed these issues in recent releases, or, once you begin learning a Microsoft technology, should you be prepared to have security nightmares when your application hits the market?

    Initially, I was just looking for a Windows 7 alternative because they said its support will end on Jan 24, 2020. That is where I stumbled upon this information. So, I am not biased, I just want to know.

    https://www.oracle.com/technetwork/server-storage/developerstudio/overview/index.html

    Thursday, November 14, 2019 5:52 PM

All replies

  • Well, since the post is in the C# forum, we can presume that it is talking about managed code. There are no buffer overflows in managed code; it doesn't matter whether any buffers are passed as constructor parameters or not.

    And if we are talking about unmanaged code, then the answer is also no. A buffer overflow could occur in any buffer defined anywhere. It doesn't matter if it is passed as a parameter to a constructor or to any other method. For example, imagine a method that contains a local array of bytes that is used as a buffer. The method reads a file on disk and loads the content into the buffer. If the method makes the mistake of loading the content of the file without checking whether the buffer is large enough to contain it, then you can do a buffer overflow attack by adding content to the file and waiting until the program reads it. That's it: attack done, and the buffer is just a local variable, never passed to any constructor.

    Thursday, November 14, 2019 8:14 PM
    Moderator
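The local-buffer file read described in the reply above, as an added example that is not from the original thread: a bounded loader in C that refuses a file larger than its fixed 64-byte buffer instead of overflowing it, with the unchecked pattern it replaces noted in a comment. File names and sizes are constructed for illustration.

```c
#include <stdio.h>

enum { BUF_SIZE = 64 };   /* size of the fixed local buffer in the scenario */

// Bounded loader: reads at most `cap` bytes of `path` into `buf`, so the
// file's size can never cause a write past the end of the buffer.  Returns
// the byte count when the whole file fit, or -1 if it did not fit or could
// not be read.  The unchecked version the reply warns about would instead do
//   fseek(f, 0, SEEK_END); long size = ftell(f); rewind(f);
//   fread(buf, 1, size, f);      // writes `size` bytes into a BUF_SIZE buffer
// and overflow whenever the file on disk has grown past BUF_SIZE.
long load_bounded(const char *path, unsigned char *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, cap, f);           /* never more than cap bytes */
    int fits = (fgetc(f) == EOF && !ferror(f)); /* another byte => too big  */
    fclose(f);
    return fits ? (long)n : -1;
}

/* The reply's scenario: a function with a local byte array used as a buffer.
 * Returns the bytes loaded, or -1 when the file is rejected as too large. */
long read_config_file(const char *path)
{
    unsigned char local[BUF_SIZE];
    long n = load_bounded(path, local, sizeof local);
    if (n < 0) return -1;
    /* ... local[0..n) is safe to use here ... */
    return n;
}

/* Writes a constructed test file of `n` 'A' bytes; returns 1 on success. */
int write_test_file(const char *path, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL) return 0;
    for (size_t i = 0; i < n; i++) fputc('A', f);
    return fclose(f) == 0;
}

int main(void)
{
    write_test_file("small.bin", 40);     /* fits in the buffer */
    write_test_file("large.bin", 4096);   /* the oversized file */
    printf("small.bin -> %ld\n", read_config_file("small.bin"));  /* 40 */
    printf("large.bin -> %ld\n", read_config_file("large.bin"));  /* -1 */
    return 0;
}
```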
  • Remember that a buffer overflow attack is mostly an issue in user-facing code, like TCP servers and API libraries. It isn't really that hard to write buffer-safe code.

    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Friday, November 15, 2019 1:03 AM