Topic: C++ Char Code[4]; Buffer Overflow Problem

DaveLembke

C++ Char Code[4]; Buffer Overflow Problem
« on: August 18, 2010, 12:01:32 PM »
Ran into a problem with writing a C++ program where if you enter more than 4 characters for Char Code[4]; it crashes with a Report this Error to Microsoft type error message if 5 or more characters are entered. The sloppy fix I have, which really doesn't fix this buffer overflow problem, is to make the Char Code[100]; so that it can take up to 100 characters before overflowing and crashing. Then before the data is used I perform a string length check on the data input to make sure it is 4 characters in length, else return back to input to Char Code[100]; This doesn't fix if someone entered 101 characters or more, in which case it would crash again, so this is a sloppy fix that I don't like, and so I am asking about code suggestions to harden the code to avoid this overflow problem with the Char Code[100]; variable.

BC_Programmer


Re: C++ Char Code[4]; Buffer Overflow Problem
« Reply #1 on: August 18, 2010, 06:46:03 PM »
Basically, the solution would be to not get input directly into a char string, but rather handle it through a C++ string, and then you can test to make sure the char array is long enough to hold it:



Code:
#include <cstring>
#include <iostream>
#include <string>
using namespace std;

int main()
{
    const size_t maxlength = 15;
    string str;

    // read the whole line into a std::string, which grows as needed
    getline(cin, str);
    if (str.length() > maxlength)
    {
        cout << "error, input string exceeds specified maximum of " << maxlength << ". length is " << str.length() << endl;
    }
    else
    {
        // one extra byte for the terminating '\0' that strcpy writes
        char *cstr = new char[maxlength + 1];
        memset(cstr, 0, maxlength + 1);
        strcpy(cstr, str.c_str());

        cout << "successful:" << cstr << endl;
        delete[] cstr;
    }
    // wait for input so the console window stays open
    int pausevalue;
    cin >> pausevalue;
    return 0;
}


Here we simply read a line from cin into a string. Then, if that string is shorter than the given maxlength constant, we reject it and give an error message; otherwise, we use strcpy to copy from the char array that c_str() returns and copy it to the target char array.
I was trying to dereference Null Pointers before it was cool.
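
An alternative to the std::string approach in the reply above, added here as an example and not part of the original thread: reading straight into the fixed array with a bounded `getline`, rejecting overlong or short lines, and re-prompting as the question describes. The names `read_fixed`, `prompt_code` and `ReadResult` are hypothetical, and the sample input is constructed.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <limits>
#include <sstream>

enum class ReadResult { Ok, WrongLength, Eof };

// Read one line into a fixed array of N bytes (N-1 characters plus '\0').
// Never writes past buf, whatever the length of the input line.
template <std::size_t N>
ReadResult read_fixed(std::istream& in, char (&buf)[N]) {
    in.getline(buf, N);                        // stores at most N-1 chars, then '\0'
    const bool at_eof = in.eof() && in.gcount() == 0;
    const bool too_long = !at_eof && in.fail(); // line did not fit in N-1 chars
    if (too_long) {
        in.clear();                            // make the stream usable again
        in.ignore(std::numeric_limits<std::streamsize>::max(), '\n'); // drop the tail
    }
    if (at_eof || too_long || std::strlen(buf) != N - 1) {
        buf[0] = '\0';                         // never hand back partial input
        return at_eof ? ReadResult::Eof : ReadResult::WrongLength;
    }
    return ReadResult::Ok;
}

// Keep asking until a line of exactly N-1 characters arrives or input ends.
template <std::size_t N>
bool prompt_code(std::istream& in, std::ostream& out, char (&buf)[N]) {
    for (;;) {
        out << "Enter " << (N - 1) << "-character code: ";
        switch (read_fixed(in, buf)) {
            case ReadResult::Ok:  return true;
            case ReadResult::Eof: return false;
            case ReadResult::WrongLength:
                out << "Code must be exactly " << (N - 1) << " characters.\n";
        }
    }
}

int main() {
    // Constructed sample input: an overlong line, a short line, then a valid code.
    std::istringstream in("toolongvalue\nab\nA1B2\n");
    char Code[5];                              // 4 characters + terminator
    if (prompt_code(in, std::cout, Code))
        std::cout << "accepted: " << Code << '\n';
}
```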

ghostdog74



Re: C++ Char Code[4]; Buffer Overflow Problem
« Reply #2 on: August 18, 2010, 08:19:56 PM »
@Dave,

Just curious, are you doing a project/homework/for leisure or is it for work?

DaveLembke

Re: C++ Char Code[4]; Buffer Overflow Problem
« Reply #3 on: August 20, 2010, 12:05:25 PM »
Thanks for the fix to that. I have 5 books on C++ and none of them show you the proper method to avoid overflows. You would think they would have content on how to avoid overflows etc. and hardening of code, but none of these books have it.

And to answer ghost's question, this project is for myself actually. I took Intro to C++, Intermediate C++, and Advanced C++ at a community college and finished like 7 years ago. I am brushing up on my C++ skills by writing small programs to do different things, and I realized that I never solved the overflow issue and the instructor never gave me pointers on how to avoid it. Doing a Google search I didn't find any examples other than to avoid a get() command, which I found at an IBM website.

Not to be secretive about the project, it's just a program that pretty much compiles a batch program based on Q/A from user input, then uses a system(batch1.bat); command to execute the batch program that was created. Controlling the information written to the batch1.bat file is essential to proper batch execution, and by avoiding the overflow the proper way is proper programming.

I have been interested in interaction between C++ and the system, and have been using the system(); command for many programs that are NON Malicious, but create perl, batch etc. on the fly, and it's neat to have different programs in different languages be able to communicate through data files etc. that they both can read and write to. If there are any good books out there on system controls from C++ and cross language communications please list them and I'll check them out.

And the last reason for this is to strengthen my skills in case I need to leave my job as an electronics tech and go back to IT, in which programming is important as well as being able to make programs be able to communicate together to share data.

Thanks

ghostdog74

Re: C++ Char Code[4]; Buffer Overflow Problem
« Reply #4 on: August 20, 2010, 06:55:13 PM »
My personal opinion. I am not saying C++ has no "uses" in this age, since they are still relevant if you want to program games that take advantage of speed/graphics (low level) or writing some kind of drivers to interface with systems etc. But in this information age where internet is dominant, languages like Perl/Python/Ruby/etc or PHP are the languages to learn and get familiar with if you want to strengthen your skills. Yes, these are interpreted languages but they can be quite as fast in execution. Also, if you really want fast, you can extend using C, which you are familiar with. You can increase your productivity through faster code development time, since you don't have to compile your program like C/C++ does and you don't have to meddle with pointers. If you search the web, there are many articles talking about why C++ (and C) should be avoided as well. Anyway, just my thoughts.

BC_Programmer

Re: C++ Char Code[4]; Buffer Overflow Problem
« Reply #5 on: August 20, 2010, 07:38:05 PM »
Quote from ghostdog74: "If you search the web, there are many articles talking about why C++ (and C) should be avoided as well. Anyway, just my thoughts."

I don't doubt there are an equal number of articles with the opposite opinion.