-2

In my project one of the command-line arguments is loaded into a C99 VLA (variable-length array) as shown in the example code below.

My question is: can this be exploited? If yes, I'd like to be shown how and also how to patch it.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    if (argc != 2)
        return EXIT_FAILURE;

    char msg[strlen(argv[1]) + 1];

    strcpy(msg, argv[1]);
    printf("%s\n", msg);
    return EXIT_SUCCESS;
}
Anders
  • 2
    As the question is currently you just dump some code here and ask for exploiting and fixing which makes it off-topic. It might be better received if you show more of your efforts, i.e. explain why you think it can or cannot be exploited and thus mainly ask if you understood the underlying concepts correctly. – Steffen Ullrich Apr 17 '16 at 08:59
  • @SteffenUllrich But if I already knew, then I wouldn't ask. And the question is general (just like the code), so a general answer will help future visitors. – user102756 Apr 17 '16 at 09:11
  • Perhaps http://codereview.stackexchange.com/ is more appropriate? – Neil Smithline Apr 17 '16 at 17:48
  • @NeilSmithline I have already posted there for a code review of the complete program. I came here in the hope that I would get a specific security-related answer to my usage of VLAs, hence the example code.

    I am torn between keeping the current code (which I believe is quite elegant) and using FILENAME_MAX with bounds-checked string functions from C11.

    – user102756 Apr 17 '16 at 19:20

1 Answer

0

I do not see a stack buffer overflow (or any other vulnerability) in the code you have presented.

Neil Smithline
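The FILENAME_MAX bound the asker mentions in the comments, shown as an added example that is not code from the question or the answer: the VLA is kept, but its size is checked against a cap first, so stack usage no longer depends on the argument length. `MSG_MAX`, `bounded_len` and `echo_arg` are names assumed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this example; the asker names FILENAME_MAX as a candidate. */
#define MSG_MAX FILENAME_MAX

/* Length of s if a terminator occurs within cap bytes, otherwise -1.
 * Never reads past s[cap - 1]. */
static long bounded_len(const char *s, size_t cap)
{
    size_t n = 0;

    if (s == NULL)
        return -1;
    while (n < cap && s[n] != '\0')
        n++;
    return n < cap ? (long)n : -1;
}

/* Same behaviour as the question's main(), but the VLA is only created
 * after the length has been checked, so it is at most MSG_MAX bytes. */
static int echo_arg(const char *arg, FILE *out)
{
    long n = bounded_len(arg, MSG_MAX);

    if (n < 0)
        return -1;                      /* too long: reject, no allocation */

    char msg[n + 1];                    /* n + 1 <= MSG_MAX */
    memcpy(msg, arg, (size_t)n + 1);    /* copies the terminator too */
    return fprintf(out, "%s\n", msg) < 0 ? -1 : 0;
}

int main(int argc, char *argv[])
{
    if (argc != 2 || echo_arg(argv[1], stdout) != 0)
        return EXIT_FAILURE;
    return EXIT_SUCCESS;
}
```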