我无法理解 buf1、pass 和 main() 之间发生了什么。我知道在 gets(buf1)
:
main()
main()
的返回地址。但为什么在 gets(buf1) 中输入 16 个字符(123456789012345**6**)之后,我们得到的 pass 等于 54(这是字符 6 的 ASCII 码)?我们并没有溢出 pass 变量,为什么会得到 pass = 54?
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stdlib.h>
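/**
 * Build the shell command "cat <varCommand>" and run it through system().
 *
 * SECURITY (intentionally left in place, this is the weakness the sample
 * demonstrates): varCommand is appended verbatim and the result is handed to
 * the command interpreter, so any shell syntax in the input is interpreted
 * rather than treated as a file name. Production code should not route
 * user-supplied text through system(): read the file directly (fopen/fread),
 * or launch the program with an explicit argument vector, and validate the
 * name against an allow-list first.
 *
 * @param varCommand NUL-terminated text appended after "cat "; may be NULL.
 * @return 0 after the command was handed to system(); -1 if varCommand is
 *         NULL, the buffer could not be allocated or formatted, or system()
 *         itself returned -1.
 */
int CommandInjection(char *varCommand)
{
    static const char prefix[] = "cat ";
    char *command;
    size_t commandLength;
    int written;
    int status;

    /* strlen(NULL) is undefined behaviour; reject it up front. */
    if (varCommand == NULL) {
        return -1;
    }

    /* prefix without its terminator + argument + one terminator. */
    commandLength = (sizeof prefix - 1) + strlen(varCommand) + 1;

    command = malloc(commandLength);
    if (command == NULL) {
        return -1;
    }

    /* snprintf always terminates and reports truncation, unlike the
     * strncpy/strncat pair it replaces. */
    written = snprintf(command, commandLength, "%s%s", prefix, varCommand);
    if (written < 0 || (size_t)written >= commandLength) {
        free(command);
        return -1;
    }

    /* FLAGGED: untrusted input reaches the shell here (see header comment). */
    status = system(command);

    /* The buffer was previously leaked on every call. */
    free(command);

    return (status == -1) ? -1 : 0;
}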
/*
 * Deliberately vulnerable demo: asks for a password, then (when `pass` is
 * set) asks for a file name and forwards it to CommandInjection().
 *
 * Two weaknesses are on display:
 *  1. Both reads use gets(), which has no way to know the destination size.
 *     Any write past the end of buf1 or varCommand is undefined behaviour.
 *     gets() was removed from the language in C11; a bounded read such as
 *     fgets(buf1, sizeof buf1, stdin) is the usual replacement.
 *  2. The second input is passed unvalidated to CommandInjection(), which
 *     runs it through system().
 *
 * NOTE(review): the password is compared against a literal embedded in the
 * source, so it is readable by anyone with the binary.
 */
int main(void)
{
/* 15 bytes: room for at most 14 characters plus the terminating NUL. */
char buf1[15];
char varCommand[30];
/* Only the "Correct Password" branch assigns true to this flag. */
bool pass = 0;
printf("\nEnter the password: \n(If you enter more than 15 characters you can break the security)\n");
/*
 * Unbounded read into a 15-byte array. With 16 input characters the 16th
 * is stored at buf1[15], one byte past the array. The page reports that
 * pass then prints as 54 (ASCII '6'), which is consistent with pass
 * occupying the byte directly after buf1 in that build. Stack layout is
 * chosen by the compiler, so confirm on the build in question.
 */
gets(buf1); // no bounds checking: input longer than 14 characters overruns buf1
/* strcmp() returns non-zero when the strings differ, so this is the wrong-password branch. */
if(strcmp(buf1, "thepassword"))
{
printf ("\nWrong Password\n PASS=%d", pass);
/*
 * pass was never assigned on this path, so a non-zero value here can only
 * come from the overrun above.
 * NOTE(review): a bool holding a value other than 0 or 1 is outside what
 * the language defines; how `== true` evaluates then is compiler-dependent.
 */
if(pass==true)
printf ("\nHowever, there was memory corruption and you can enter to other part of the program\n pass=%d", pass);
}
else
{
printf ("\nCorrect Password\n");
pass = true;
}
/* Authorization decision rests solely on a stack variable that sits next to an overflowable buffer. */
if(pass == true)
{
// Must not be reached when the password is wrong
printf ("\nEnter the file name (for example: text.txt; ls -l)\n");
/* Second unbounded read (30-byte array); the text is then used as part of a shell command. */
gets(varCommand); // no length limit and no validation of the content
CommandInjection(varCommand);
}
return 0;
}