Why are variables allocated the same way in both programs?

I have the following code to demonstrate a stack-based buffer overflow.

#include <string.h>   /* strcpy, strcmp */

int check_authentication(char *password) {
  int auth_flag = 0;
  char password_buffer[16];

  strcpy(password_buffer, password);   /* unbounded copy: input longer than the buffer spills into adjacent stack data */
  if(strcmp(password_buffer, "Admin") == 0)
    auth_flag = 1;
  return auth_flag;
}

Here, when the user inputs any string with a length greater than 16, access will be allowed. To show the other case, where auth_flag is not overflowed, I have the following code:

#include <string.h>   /* strcpy, strcmp */

int check_authentication(char *password) {
  char password_buffer[16];
  int auth_flag = 0;

  strcpy(password_buffer, password);   /* same unbounded copy; only the declaration order differs */
  if(strcmp(password_buffer, "Admin") == 0)
    auth_flag = 1;
  return auth_flag;
}

As the stack works as LIFO, auth_flag should have a lower address than password_buffer in the second example. GDB with a breakpoint at strcpy looks as follows:

(gdb) x/16xw password_buffer
0x61fefc:       0x696d6441      0x7659006e      0xc9da078f      0xfffffffe
0x61ff0c:       0x00000001      0x76596cad      0x00401990      0x0061ff38
0x61ff1c:       0x00401497      0x00ae1658      0x00000000      0x0028f000
0x61ff2c:       0x00400080      0x0061ff1c      0x0028f000      0x0061ff94
(gdb) x/x &auth_flag
0x61ff0c:       0x00000001

I expected password_buffer to start at 0x61ff10, right after auth_flag. Where am I wrong?

I am using gcc (gcc version 9.2.0 (MinGW.org GCC Build-20200227-1)) and gdb (GNU gdb (GDB) 7.6.1) on Windows 10, without any modification to SEHOP or ASLR.
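Added example, not code from the question: the program below measures where the compiler actually placed auth_flag relative to password_buffer for both declaration orders (the distance is a compiler decision, so it is printed rather than assumed), and shows a bounded-copy version of the check whose result no longer depends on that layout. The function names are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Signed distance in bytes from password_buffer to auth_flag when the flag is
 * declared first (the question's first listing). The locals are volatile so
 * the optimiser cannot drop them; the value depends on compiler, flags and
 * stack-protector settings, which is exactly the point. */
long layout_distance_flag_first(void) {
  volatile int auth_flag = 0;
  volatile char password_buffer[16];
  password_buffer[0] = (char)auth_flag;
  return (long)((uintptr_t)&auth_flag - (uintptr_t)&password_buffer[0]);
}

/* Same measurement for the second listing (buffer declared first). */
long layout_distance_buffer_first(void) {
  volatile char password_buffer[16];
  volatile int auth_flag = 0;
  password_buffer[0] = (char)auth_flag;
  return (long)((uintptr_t)&auth_flag - (uintptr_t)&password_buffer[0]);
}

/* Hardened check: refuse any input that does not fit, including its
 * terminator, then copy with an explicit bound. No byte is ever written
 * outside password_buffer, so auth_flag cannot be reached regardless of
 * where the compiler put it. */
int check_authentication_safe(const char *password) {
  char password_buffer[16];
  /* find the terminator within the buffer's capacity only */
  const char *end = memchr(password, '\0', sizeof password_buffer);
  if (end == NULL)
    return 0;                     /* too long: no room for the NUL */
  size_t len = (size_t)(end - password);
  memcpy(password_buffer, password, len + 1);
  return strcmp(password_buffer, "Admin") == 0;
}

int main(void) {
  printf("flag declared first  : auth_flag is %ld bytes from buffer\n",
         layout_distance_flag_first());
  printf("buffer declared first: auth_flag is %ld bytes from buffer\n",
         layout_distance_buffer_first());
  printf("safe(\"Admin\")      = %d\n", check_authentication_safe("Admin"));
  printf("safe(20 x 'A')     = %d\n",
         check_authentication_safe("AAAAAAAAAAAAAAAAAAAA"));
  return 0;
}
```

Compile both listings from the question at -O0 and with -fstack-protector to see the distances change; the safe variant returns the same answers under every layout.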
