IB Chapter 4/System Briefing
address than the buffer so that it will be overwritten in the event of an overflow. Hence, the final stack frame looks something like that in Figure 4.12.
[Figure 4.12: stack frame with the security cookie in place. From high memory to low memory: function arguments (at +12 and +8), saved EIP, saved EBP (set to ESP), __$ArrayPad$ (cookie), localBuffer, localValue, tempVariable (tv); frame offsets run from +12 down to -20.]
Once the routine has done what it needs to do, it places its return value into EAX, retrieves the security cookie stored in __$ArrayPad$ off the stack, and then calls a routine named __security_check_cookie to confirm that the cookie value hasn't been altered by an overflow. If the security check routine discovers that the cookie has been changed, it invokes the report_failure() function, which in turn calls __security_error_handler().
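The epilogue check described above, modelled in portable C as an added example (not code from the book or from the Microsoft runtime). The frame layout of Figure 4.12 is reproduced as a struct, the cookie value is a constructed constant, and `security_check_cookie`/`report_failure` are simplified stand-ins for the real `__security_check_cookie` and `report_failure()` routines:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame, low memory first, as in Figure 4.12:
   localBuffer sits below __$ArrayPad$ (the cookie), which sits below the
   saved EBP and saved EIP. Any write that runs off the end of localBuffer
   hits the cookie before it can reach the saved return address. */
typedef struct {
    char     localBuffer[16];
    uint32_t arrayPad;   /* the security cookie copied in by the prologue */
    uint32_t savedEbp;
    uint32_t savedEip;
} sim_frame;

/* Constructed process-wide cookie; the real one is chosen at process start. */
static const uint32_t security_cookie = 0xBB40E64Eu;

/* Stand-in for __security_check_cookie: 1 if the stored copy is intact. */
int security_check_cookie(uint32_t stored) {
    return stored == security_cookie;
}

/* Stand-in for report_failure(): the real one hands off to
   __security_error_handler() and terminates; here we only log. */
static void report_failure(void) {
    fputs("stack cookie mismatch: buffer overrun detected\n", stderr);
}

/* Prologue stores the cookie, body copies `len` bytes into localBuffer
   without a bounds check (the modelled bug), epilogue verifies the cookie.
   Returns 1 if the cookie survived, 0 if the overrun was detected. */
int run_routine(const char *input, size_t len) {
    sim_frame f;
    f.arrayPad = security_cookie;          /* prologue: mov [ebp-4], cookie */
    f.savedEbp = 0xDEADBEEFu;
    f.savedEip = 0x08041234u;

    if (len > sizeof(f)) len = sizeof(f);  /* stay inside the simulated frame */
    memcpy((char *)&f + offsetof(sim_frame, localBuffer), input, len);

    if (!security_check_cookie(f.arrayPad)) { /* epilogue check */
        report_failure();
        return 0;
    }
    return 1;
}
```

A 20-byte input overwrites the four cookie bytes, so the epilogue check fails even though the saved EIP is untouched.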
Part I