Slide Set 3. for ENCM 339 Fall Steve Norman, PhD, PEng. Electrical & Computer Engineering Schulich School of Engineering University of Calgary

Slide Set 3 for ENCM 339 Fall 2016 Steve Norman, PhD, PEng Electrical & Computer Engineering Schulich School of Engineering University of Calgary September 2016

ENCM 339 Fall 2016 Slide Set 3 slide 2/46 Contents More about pointers as function parameters Arrays in C Brief notes about the Standard C Library Character strings in C The strcpy function and related C concepts Function parameters declared to be arrays are really pointers! Buffer overflows

ENCM 339 Fall 2016 Slide Set 3 slide 3/46 Outline of Slide Set 3 More about pointers as function parameters Arrays in C Brief notes about the Standard C Library Character strings in C The strcpy function and related C concepts Function parameters declared to be arrays are really pointers! Buffer overflows

ENCM 339 Fall 2016 Slide Set 3 slide 4/46 Comment style for tutorial and lecture slides (This is repeated from a tutorial slide.) int foo(int a) { int b; b = a * 2; } // point one return b + 3; int foo(int a) { int b; b = a * 2; // (1) return b + 3; } // (1) marks the moment in time just after the assignment to b has finished and just before the return statement starts.

ENCM 339 Fall 2016 Slide Set 3 slide 5/46 More about pointers as function parameters The code on the next slide is a program from Slide Set 2, presented so that we can briefly review it. Let s make some brief notes about how the program works.

#include <stdio.h> void foot_and_inch(int inch_only, int *feet, int *extra_inch); int main(void) { int total_in = 75, ft, in; foot_and_inch(total_in, &ft, &in); printf("%d inches is equal to %d feet, %d inches.\n", total_in, ft, in); return 0; } void foot_and_inch(int inch_only, int *feet, int *extra_inch) { // (1) *feet = inch_only / 12; *extra_inch = inch_only % 12; // (2) }

ENCM 339 Fall 2016 Slide Set 3 slide 7/46 A common mistake with pointers Let s replace the definition of main with this defective code: int main(void) { int total_in = 75; int *ft; int *in; foot_and_inch(total_in, ft, in); printf("%d inches is equal to %d feet, %d inches.\n", total_in, *ft, *in); return 0; } Why is the code defective? What will happen if we try to compile and run the modified program?

ENCM 339 Fall 2016 Slide Set 3 slide 8/46 A quick remark about the scanf function When scanf was introduced in a lecture, I told you that you had to put &, the address-of operator, in front of the names of the variables that are to receive input. At that time, I couldn t give a very precise reason for doing so. But now you know about addresses and pointer expressions. Suppose k is a variable of type int. Why is it that the following code can t possibly work? scanf("%d", k); And what is so important about & in the following code? scanf("%d", &k);

ENCM 339 Fall 2016 Slide Set 3 slide 9/46 Outline of Slide Set 3 More about pointers as function parameters Arrays in C Brief notes about the Standard C Library Character strings in C The strcpy function and related C concepts Function parameters declared to be arrays are really pointers! Buffer overflows

ENCM 339 Fall 2016 Slide Set 3 slide 10/46 Arrays in C In many programming languages, an array is a collection of data objects called elements, such that all the elements have the same type; an individual element within an array is selected using an integer expression called an index. In C, arrays are very closely connected to pointers. That s not true in most other programming languages!

ENCM 339 Fall 2016 Slide Set 3 slide 11/46 Syntax for declaring an array variable in C For an array element type such as int, double, or char, here is how to declare a C array variable: type identifier [ integer expression ] ; The integer expression specifies the number of elements in the array. In earlier versions of C, it had to be a constant, but as of the 1999 C standard, it can involve variables and function parameters. In examples in ENCM 339 lectures, the number of elements will be a simple constant.

ENCM 339 Fall 2016 Slide Set 3 slide 12/46 An example array variable This declares x to be an array of 5 ints: int x[5]; Let s make a sketch of x, and make some remarks. (Among the remarks: Indexing starts at zero.)

ENCM 339 Fall 2016 Slide Set 3 slide 13/46 When programming in C, don t try to use Processing syntax! This is how to create an array of 5 int elements in Processing: int[ ] a = new int[5]; That won t work at all in C! (However, we ll see later in the course that syntax such as new int[5] does have a meaning in C++.)

ENCM 339 Fall 2016 Slide Set 3 slide 14/46 Index range checking Consider this Processing code fragment: int[ ] a = new int[5]; int i; // Valid indexes are 0, 1, 2, 3, 4, but not 5. for (i = 0; i <= 5; i++) a[i] = 10 * (i + 1); An attempt to run the code will result in program termination with this error message: ArrayIndexOutOfBoundsException: 5 Let s make some notes about what happens before the error occurs, and about what causes the error.

ENCM 339 Fall 2016 Slide Set 3 slide 15/46 What happens with a C array? int a[5]; int i; // Valid indexes are 0, 1, 2, 3, 4, but not 5. for (i = 0; i <= 5; i++) a[i] = 10 * (i + 1); Let s make some notes about what might happen here. The fact that things might work even though they shouldn t work is not a good thing about C!

ENCM 339 Fall 2016 Slide Set 3 slide 16/46 C arrays and C++ vectors C programmers use array types where most current C++ programmers would use vector types. C++ vector types are generally safer than C array types, but do not exist in plain C. Here are some weaknesses of C array types relative to C++ vector types: Once a C array has been created, it cannot be resized there is no way to grow or shrink an array. With C arrays, it is usually impossible to ask for index range checking. We ll learn about C++ vectors later in ENCM 339.

ENCM 339 Fall 2016 Slide Set 3 slide 17/46 Outline of Slide Set 3 More about pointers as function parameters Arrays in C Brief notes about the Standard C Library Character strings in C The strcpy function and related C concepts Function parameters declared to be arrays are really pointers! Buffer overflows

ENCM 339 Fall 2016 Slide Set 3 slide 18/46 Brief notes about the Standard C Library In programming, a library is a collection of functions and types that is installed as part of a programming system. Programmers can use these function and types without having to define them. Some of the functions in the Processing core library are ellipse and line, used to draw things, and print and println, used to write text to the Processing Console. The Standard C Library is the set of library functions, types, and related facilities that is available on every standard-compliant implementation of C. Most C implementations also offer lots of other library features beyond what is mandated by C standards.

ENCM 339 Fall 2016 Slide Set 3 slide 19/46 Standard C Library Header Files Library facilities can be roughly split into categories associated with library header files files that contain lists of function prototypes, type declarations, and other related information. Header files are sometimes just called headers. Chapters 16 and 17 of C in a Nutshell (second edition), our course C textbook, list all the Standard C Library headers and summarize their contents. The next few slides say a few things about some of the most-often-used library headers.

ENCM 339 Fall 2016 Slide Set 3 slide 20/46 <stdio.h> std is short for standard, and io is short for input/output. printf and scanf are just two of the many input/output functions associated with <stdio.h>. Later in the course, we ll learn about types and functions that can be used to do input and output with files, instead of with a terminal window.

ENCM 339 Fall 2016 Slide Set 3 slide 21/46 <stdlib.h> std is short for standard, and lib is short for library. The name is confusing. <stdlib.h> provides information only about part of the Standard C Library, not the whole Standard C Library. Some of the many associated functions are exit, for forcing program termination; malloc and free, for managing dynamically allocated memory, as we ll see later in the course.

ENCM 339 Fall 2016 Slide Set 3 slide 22/46 <math.h> Here are a few of the many math functions... sqrt sin cos asin acos log log10 Each of the above has one parameter, of type double, and a return type of double. sqrt is short for square root. All functions related to trigonometry assume that angles are given in radians. This function is used to find the best approximation to x raised to the power y... double pow(double x, double y); For example, what would the value of pow(0.5, 3.0) be?

ENCM 339 Fall 2016 Slide Set 3 slide 23/46 <string.h> <string.h> are used to manipulate and answer questions about character strings, as we ll soon see.

ENCM 339 Fall 2016 Slide Set 3 slide 24/46 Outline of Slide Set 3 More about pointers as function parameters Arrays in C Brief notes about the Standard C Library Character strings in C The strcpy function and related C concepts Function parameters declared to be arrays are really pointers! Buffer overflows

ENCM 339 Fall 2016 Slide Set 3 slide 25/46 Character strings in C A string is a sequence of character codes stored in an array of char elements; the sequence is terminated by a null character. Let s demonstrate this, using a somewhat awkward way to set up a string. Important: The character constant for the null character is \0, and the value of the null character in ASCII is zero. Let s describe the algorithm used by printf when it prints a string in a response to a %s specification. Let s make diagrams for points (1) and (2) in our example program, assuming that the character set in use is ASCII.

ENCM 339 Fall 2016 Slide Set 3 slide 26/46 Notes on null termination 1. \0 is backslash zero, not backslash oh. 2. Terminating a string with \0 is mandatory. printf and most other string-handling functions have no other way of knowing where a string ends. 3. A string N characters in length needs at least N + 1 array elements of type char for storage. It s okay for arrays of char containing strings to be larger than necessary. 4. Null termination is used only with character strings, not with arrays that have elements of type int, double, etc.

ENCM 339 Fall 2016 Slide Set 3 slide 27/46 Outline of Slide Set 3 More about pointers as function parameters Arrays in C Brief notes about the Standard C Library Character strings in C The strcpy function and related C concepts Function parameters declared to be arrays are really pointers! Buffer overflows

ENCM 339 Fall 2016 Slide Set 3 slide 28/46 The strcpy function and related C concepts Usually programmers don t set up C strings by assigning one char at a time. A more common method is use of the strcpy ( string copy ) function in the standard library. Let s look at the example on the next slide.

ENCM 339 Fall 2016 Slide Set 3 slide 29/46 #include <stdio.h> #include <string.h> // library header file // for string functions int main(void) { char s[6]; strcpy(s, "foo"); // (1) printf("begin%send\n", s); return 0; } What will be in the array s at point (1)? What will be the output of the program?

ENCM 339 Fall 2016 Slide Set 3 slide 30/46 The function prototype for strcpy char * strcpy(char *dest, const char *src); dest has type pointer-to-char. src has type pointer-to-const-char. In the call to strcpy in main on the previous slide, the argument types match the types in the function prototype. For C beginners, these type matches are not at all obvious. Let s make a short list of things that need to be explained.

ENCM 339 Fall 2016 Slide Set 3 slide 31/46 An array name often generates a pointer In C and C++, in most expressions, the name of an array gets treated as the address of element 0 of the array. For example, strcpy(s, "foo"); really means strcpy(&s[0], "foo"); That is not obvious. If you are new to C, you can t know that by reading the code you need to have it explained to you! That s really means &s[0] in this context reflects an important design decision made when C was first created.

ENCM 339 Fall 2016 Slide Set 3 slide 32/46 String constants usually generate pointers This was another important C language design decision. A string constant occupies an array of chars located in a region of program memory we will call static storage. In this example... strcpy(s, "foo");... the second argument is actually the address of the f character at the beginning of an array in static storage. (There s an exception to this rule: String constants used as initializers for arrays of chars do not generate addresses. We ll worry about that later.)

ENCM 339 Fall 2016 Slide Set 3 slide 33/46 A definition for strcpy To illustrate concepts introduced the last several slides, let s pretend that strcpy is not provided in the C library, and that we have to supply our own definition. To understand where the arrays are and which addresses go into the parameters of strcpy, let s make a diagram for point (1) on the next slide. Then let s complete the definition of strcpy, and make some notes about how it will work.

ENCM 339 Fall 2016 Slide Set 3 slide 34/46 char *strcpy(char *dest, const char *src) { int i; // (1) } // Need some code here! int main(void) { char s[6]; strcpy(s, "hello"); return 0; }

ENCM 339 Fall 2016 Slide Set 3 slide 35/46 Use of square brackets and indexes with pointers The definition of strcpy involved expressions such as src[i] and dest[i]. Why do these expressions make sense? What do they really mean? Let s make some notes.

ENCM 339 Fall 2016 Slide Set 3 slide 36/46 The return value of strcpy Understanding how strcpy uses its parameters is really, really important! In contrast, the return value from strcpy is a minor detail. strcpy returns the address of the beginning of the destination array. That allows nested calls, such as in this fragment: char a[5], b[5]; strcpy(b, strcpy(a, "ENCM")); The string constant is copied into the array a, and then the string is copied from array a into array b. In the vast majority of calls to strcpy, the return value is not used.

ENCM 339 Fall 2016 Slide Set 3 slide 37/46 Use of const with pointers Consider this example: void f(const int *p, int n) { code } Here, f is not allowed to change the value of any int it might access through the pointer p. Let s add some detail to this explanation.

ENCM 339 Fall 2016 Slide Set 3 slide 38/46 Outline of Slide Set 3 More about pointers as function parameters Arrays in C Brief notes about the Standard C Library Character strings in C The strcpy function and related C concepts Function parameters declared to be arrays are really pointers! Buffer overflows

ENCM 339 Fall 2016 Slide Set 3 slide 39/46 Function parameters declared to be arrays are really pointers! This is yet another non-obvious aspect of the array/pointer relationship. Let s look at the code on the next slide, and make some diagrams and some remarks.

double average(const double y[ ], int n); int main(void) { double x[ ] = { 1.1, 1.2, 1.6 }, avg; avg = average(x, 3); return 0; } double average(const double y[ ], int n) { double sum = 0.0; int i; for (i = 0; i < n; i++) sum += y[i]; // (1) (After the for loop is done.) } return sum / n;

ENCM 339 Fall 2016 Slide Set 3 slide 41/46 Outline of Slide Set 3 More about pointers as function parameters Arrays in C Brief notes about the Standard C Library Character strings in C The strcpy function and related C concepts Function parameters declared to be arrays are really pointers! Buffer overflows

ENCM 339 Fall 2016 Slide Set 3 slide 42/46 Buffer overflows Here is a definition for strcpy, seen previously... char * strcpy(char *dest, const char *src) { int i; for (i = 0; src[i]!= \0 ; i++) dest[i] = src[i]; dest[i] = \0 ; return dest; } What will happen if the destination array is not big enough to hold the source string?

ENCM 339 Fall 2016 Slide Set 3 slide 43/46 Buffer is an informal term often used to mean array of chars used to hold some program input. The C library function gets ( get string ) which you should NEVER USE is completely defenseless against buffer overflows... #include <stdio.h> int main(void) { char name[8]; printf("hi, what is your name?\n"); gets(name); printf("nice to meet you, %s.\n", name); return 0; } Let s make some notes about what this program might do.

ENCM 339 Fall 2016 Slide Set 3 slide 44/46 How bad are buffer overflows? In a small program that only you and perhaps a few trusted co-workers use... Buffer overflows can cause mysterious program crashes or wrong program output. In a program that lets untrustworthy users provide input, such as software running on a Web server... BUFFER OVERFLOWS CAN BE EXTREMELY BAD. Sometimes an attacker can carefully craft a too-long input string that lets the attacker break in and take over a computer! (How this works is not an ENCM 339 topic, but there are lots of articles about it on the Web.)

ENCM 339 Fall 2016 Slide Set 3 slide 45/46 Avoiding buffer overflows in small C programs Write code that can detect potential buffer overflows before they happen. To do this, you must carefully read documentation of library functions, and carefully think about string-handling functions you write yourself. Example DOs and DON Ts: Don t use strcpy (or the related strcat function) unless you are certain about all of the array sizes and possible string lengths in a program. Do use safer functions for copying strings. Don t use gets to read a line of input text. Do use fgets, which is safer. Do make a plan for what a program should do if an array is too small for an input string shutting down with an error message is often a good choice.

ENCM 339 Fall 2016 Slide Set 3 slide 46/46 Avoiding buffer overflows in production code If software you re developing must defend itself against attackers, your development team needs experts on computer security. That level of expertise is well beyond what can be taught in a course like ENCM 339.