Memory
gdb session: x/10gx $rsp

Stack frame · gets() writes left → right · high addresses on the right

$rsp = 0x7fffffffdc30

| Region | Size | Role |
|---|---|---|
| buffer[64] | 64 B | gets() target |
| saved RBP | 8 B | |
| saved return | 8 B | popped by ret |

The vulnerable source
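stack-four.c

```c
#include <stdio.h>
#include <stdlib.h>

/* Never called by main(); reachable only if control flow is redirected. */
void complete_level(void) {
    printf("Congratulations, you've finished!\n");
    exit(0);
}

void start_level(void) {
    char buffer[64];
    /* Deliberately vulnerable: gets() has no length argument, so input longer
     * than 64 bytes runs on into saved RBP and the saved return address.
     * gets() was removed from the C standard in C11. */
    gets(buffer); /* no bounds check */
}

int main(int argc, char **argv) {
    start_level();
    return 0;
}
```
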
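A bounded replacement for the gets(buffer) call in start_level(), as an added example that is not part of the original page. The names read_line_bounded, frame_model and bounded_read_status are hypothetical, and the struct is a constructed stand-in for the 64 + 8 + 8 byte frame shown above.

```c
#include <stdio.h>
#include <string.h>
#define BUF_LEN 64  /* same size as buffer[64] in start_level() */

/* Hypothetical helper. Reads one line, writing at most cap bytes (NUL included).
 * Returns 0 if the line fit, 1 if it was truncated, -1 on EOF or error. */
int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';               /* whole line fit: strip newline */
        return 0;
    }
    int c, truncated = 0;                /* no newline seen: drain the rest */
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;                   /* excess bytes are discarded, not stored */
    return truncated;
}

/* Constructed stand-in for the frame: buffer, then saved RBP + saved return. */
struct frame_model {
    char buffer[BUF_LEN];
    unsigned char saved[16];
};

/* Feeds len 'A' bytes plus newline; returns read status, -2 if saved[] changed. */
int bounded_read_status(size_t len)
{
    struct frame_model f;
    memset(&f, 0, sizeof f);
    memset(f.saved, 0x5A, sizeof f.saved);   /* sentinel pattern */
    FILE *in = tmpfile();
    if (in == NULL) return -3;               /* no temporary file available */
    for (size_t i = 0; i < len; i++) fputc('A', in);
    fputc('\n', in);
    rewind(in);
    int rc = read_line_bounded(in, f.buffer, sizeof f.buffer);
    fclose(in);
    for (size_t i = 0; i < sizeof f.saved; i++)
        if (f.saved[i] != 0x5A) return -2;   /* write went past buffer */
    return rc;
}

int main(void)
{
    printf("63: %d, 100: %d\n", bounded_read_status(63), bounded_read_status(100));
    return 0;
}
```

A 63-byte line is the longest that fits alongside the terminating NUL; anything longer is reported as truncated so the caller can reject it instead of silently accepting a partial line.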
Stack vs. heap overflow
| | Stack | Heap |
|---|---|---|
| Buffer lives on | The call stack | The glibc heap |
| Adjacent targets | Saved RBP, saved return | Next chunk's metadata + payload |
| Control-flow hijack | Return address on ret | Function pointer / vtable |
| Modern mitigation | Stack canary | Heap cookies, PAC |
| Class | Linear OOB write (CWE-787) | Linear OOB write (CWE-787) |