United States Naval Academy
Electrical and Computer Engineering Department
EC310-6 Week Midterm
Spring AY2017

1. Do a page check: you should have 8 pages including this cover sheet.
2. You have 50 minutes to complete this exam.
3. A calculator may be used for this exam.
4. This is a closed book and closed notes exam. You may use one single-sided page of notes hand-written by you.
5. Turn in your single-sided hand-written page of notes with your exam.
6. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is permitted concerning this exam with anyone who has not yet taken the exam.

Name:
Instructor:

Problem   Topic                                     Possible Points
1         Numbers, Memory and Arrays                25
2         C programs and Assembly Language          25
3         Pointers, The Heap and Buffer Overflow    22
4         Functions and the Stack                   28
TOTAL                                               100

Question 1. (25 pts) Consider part of a C program named grade_calculator.c shown below:

     1  #include<stdio.h>
     2  #include<string.h>
     3  #include<stdlib.h>
     4  int main( )
     5  {
     6      char letter_grades[6] = "ABCDF" ;
     7      int ave ;
     8      printf( "Enter your average: ") ;
     9      scanf( "%d", &ave ) ;
    10      printf( "\nyour final grade is " ) ;
    11      if ( ave >= 90 )
    12          printf( "%c.\n", letter_grades[0] ) ;
    13      else
    14          if ( ave >= 80 )
    15              printf( "%c.\n", letter_grades[1] ) ;
    16      <more code>

The user enters 90 when prompted. The stack for this program is shown below, assuming there is no padding (additional bytes in between). The addresses are shown on the left, and labels for the data on the right. Note where the register ebp points to.

[Stack diagram. Addresses shown: bffff796, bffff797, bffff798. Labels shown: ave, letter_grades, ebp.]

(a) (4 pts) Fill in the hexadecimal digits for each of the last eight addresses on the diagram above.

(b) (4 pts) Fill in the hexadecimal values for letter_grades on the diagram above.

(c) (2 pts) Convert the value of ave to hexadecimal. Show work below.

(d) (3 pts) Fill in the hexadecimal values for ave on the diagram above. If your diagram above still has blank locations, write in "gar" to indicate garbage values.

(e) (2 pts) Consider line 6 in the code above. Will this line of code result in a buffer overflow? Explain.

(f) (2 pts) Assume the program is executed up to line 16. What is the exact output of the program after the user enters 90 when prompted?

(g) (2 pts) Note that variable ave was declared to be an integer. Suppose the user had entered 89.5 when prompted instead. How does the computer handle the variable type mismatch? (Select one answer).
    (i)   The syntax error prevents the compiling of the program.
    (ii)  A run-time error occurs and the computer will crash.
    (iii) The computer truncates and stores the value 89 in hexadecimal in ave.
    (iv)  The computer rounds up and stores the value 90 in hexadecimal in ave.

(h) (2 pts) What hardware component processes the data and instructions of the program? (circle one)
    CPU    Main Memory    Secondary Memory    Operating System

(i) (2 pts) What type of device is the monitor where the printed statement above shows on the screen?
    Input Device    Output Device    Processing Device    Storage Device

(j) (2 pts) Convert the hexadecimal value 0xb7 to binary.

Question 2. (25 pts) Consider the C program shown below. An empty diagram for each string is shown on the right for your convenience.

     1  #include<stdio.h>
     2  #include<string.h>
     3  int main( )
     4  {
     5      char string1[ ] = "II REBYC 013CE" ;
     6      char string2[15];
     7      int start = 1, finish = 15 ;
     8      int i;
     9
    10      for( i = start; i < finish; i = i + 1)
    11      {
    12          string2[i-1] = string1[14-i];
    13      }
    14      string2[14] = 0;
    15
    16      printf( "%s\n", string2);
    17  }

[Empty diagrams labelled string1 and string2.]

(a) (4 pts) How many total bytes are allocated for all of the variables used by this program? Show work.

(b) (2 pts) If the program is executed but stopped at line 9, what would be the value of the variable i? (Circle one choice)
    0    1    15    same as start    garbage value

(c) (2 pts) How many times will the for loop (lines 11-13) iterate?

(d) (2 pts) If the program is executed but stopped at line 14, what would be the value of the variable i? (Circle one choice)
    0    1    15    same as finish    garbage value

(e) (4 pts) What is the exact output of this program?

You compile and run the program from the start with gdb, pause at a given line (by setting a breakpoint), and examine the debugger's partial output shown below.

(f) (2 pts) Where in main memory are the instructions to the program stored? (Circle one choice)
    Text Segment    Heap    Stack    Registers

(g) (2 pts) What is the assembly language of the next instruction to be executed?

(h) (4 pts) How many bytes above ebp is the variable finish stored on the stack? Briefly explain.
    ebp- ______

(i) (3 pts) Consider the assembly instructions at addresses 080483c8, 080483cb, and 080483cd. To what portion of the for loop do they most closely correspond? (Select one answer).
    (i)   This is where the loop control variable is initialized. This initialization occurs only once.
    (ii)  This is the boolean expression of the loop used to determine if the loop should execute.
    (iii) This is the body of the loop where the task is executed.
    (iv)  This is where the loop control variable is updated.

Question 3. (22 pts) Consider the program below, where two users are expected to enter their favorite color as command line arguments as follows: ./a.out green blue <enter>. A diagram is shown to the right depicting the stack, and it assumes there is no padding (extra bytes in between). Addresses are on the left and labels for the data on the right.

     1  #include <stdio.h>
     2  #include <stdlib.h>
     3  #include <string.h>
     4  int main (int argc, char *argv[ ] )
     5  {
     6      char buffer[12];
     7      char *pt1;
     8      pt1 = buffer+6;
     9
    10      if(argc < 3)
    11          exit(0);
    12
    13      strcpy (pt1, argv[1]);
    14      strcpy (buffer, argv[2]);
    15
    16      printf("\n The best color is %s \n", pt1);
    17  }

Stack diagram:
    bffff7fc    pt1
    bffff800    buffer

(a) (2 pts) What is the value of pt1 in hexadecimal?

(b) (2 pts) What is the value of argv[0]?

(c) (2 pts) What is the value of argc?

(d) (6 pts) For the code above, you will compete with another user who will always go first in entering his favorite color (green). You will always go second. Design a buffer overflow to make the code display the output "The best color is blue". Enter the precise characters you would type before pressing <enter> to accomplish the buffer overflow. You may leave any unused spaces to the right empty (the numbers below indicate the character position). You may also use the stack diagram above to work out the problem.

    ./a.out green  _  _  _  _  _  _  _  _  _  _  _  _  _  <enter>
                   1  2  3  4  5  6  7  8  9 10 11 12 13

(e) (5 pts) Which of the following statements is/are true of the command line arguments in general? (circle all that apply)
    (i)   argc is of type float
    (ii)  depending on the user entry, argv can be of type string, float or integer
    (iii) each of the arguments passed to main is stored in one of the argv locations
    (iv)  argc holds the total number of command line arguments available to the program
    (v)   argv is an array

(f) (5 pts) Which of the following statements is/are true of the heap in general? (circle all that apply)
    (i)   the heap is located below (higher address) the stack
    (ii)  the heap, like the stack, grows from the bottom up (from higher address to lower address)
    (iii) the programmer is responsible for managing the heap
    (iv)  the free statement is used to make previously allocated memory on the heap available for reuse
    (v)   the heap is located below the text segment

Question 4. (28 pts) Consider the program shown below:

     1  #include<stdio.h>
     2  void calc_display(int x, int y )
     3  {
     4      char school[ 10 ];
     5      int sum = x + y;
     6
     7      printf("\nenter your school: ");
     8      scanf("%s", school );
     9      printf("\nthe sum is %d.\n Go %s!\n", sum, school );
    10  }
    11
    12  int main( )
    13  {
    14      int number1, number2;
    15      printf("\nenter two integers and I will tell you their sum: " );
    16      scanf("%d %d", &number1, &number2 );
    17      calc_display( number1, number2 );
    18  }

(a) (4 pts) List by name all the user-defined functions used in this program.

When executing the calc_display function, the stack would be arranged similarly to the diagram below, assuming there is no padding (extra bytes in between). Addresses are indicated to the left. (Note: the diagram is not to scale; spaces may hold multiple bytes.)

[Stack diagram with two regions labelled "stack frame for calc_display" and "stack frame for main". Addresses shown: bffff7f2, bffff7f6, bffff800, bffff804, bffff808, bffff80c, bffff810, bffff814, bffff818. Entries shown: school, 0x08048446, copy of number1, copy of number2, number2, number1.]

(b) (4 pts) To the right of the diagram, fill in the names for the two addresses saved on the stack prior to jumping to the calc_display function, in the correct order in which they are stored.

(c) (2 pts) Fill in the value stored at address bffff800 on the diagram above.

(d) (5 pts) When prompted to enter the school name, what is the minimum number of characters to enter in order to overwrite the entire stack including all bytes of variable number1 declared on line 14 in main? Show work.

(e) (2 pts) Annotate on the diagram above where the variable sum would be stored on the stack.

(f) (3 pts) Could variable sum also be overwritten by the buffer overflow on string school? Explain.

(g) (5 pts) Which of the following statements is/are true of functions in general? (circle all that apply)
    (i)   functions are subprograms used to break up large complex programs into smaller ones
    (ii)  all functions must have a return value
    (iii) to use a function we must invoke it with a return value
    (iv)  functions can be declared after (below) the main function
    (v)   the function parameters are placeholders for the argument inputs to the function

(h) (3 pts) Explain the fundamental issue with C that makes a buffer overflow exploit possible.

Turn in your equation sheet with your exam!