#include <stdio.h>int pos;char c = 0;voidbof(unsigned int i){ fprintf(s

1. #include <stdio.h>
2. int pos;
3. char c = 0;
4.  
5. void
6. bof(unsigned int i)
7. {
8. fprintf(stderr, "BOF %un", i);
9. }
10.  
11. void
12. foo()
13. {
14. unsigned char buf[3];
15. while(c != 'X') {
16. scanf(" %c", &c);
17. buf[pos++] = c;
18. }
19. }
20.  
21. int
22. main() {
23. fprintf(stderr, "%pn", bof);
24. foo();
25. return 0;
26. }
27.  
28. (gdb) b 19
29. Breakpoint 4 at 0x40061b: file main.c, line 19.
30. (gdb) r < file
31. The program being debugged has been started already.
32.  
33. Start it from the beginning? (y or n) y
34. Starting program: /home/badnack/Documents/Code/stuff/bof/bof < file
35. 0x4005a4
36.  
37. Breakpoint 4, foo () at main.c:19
38. 19 }
39. (gdb) l
40. 14 unsigned char buf[3];
41. 15 while(c != 'X') {
42. 16 scanf(" %c", &c);
43. 17 buf[pos++] = c;
44. 18 }
45. 19 }
46. 20
47. 21 int
48. 22 main() {
49. 23 fprintf(stderr, "%pn", bof);
50. (gdb) l
51. 24 foo();
52. 25 return 0;
53. 26 }
54. (gdb) disass
55. Dump of assembler code for function foo:
56. 0x00000000004005d0 <+0>: push %rbp
57. 0x00000000004005d1 <+1>: mov %rsp,%rbp
58. 0x00000000004005d4 <+4>: sub $0x10,%rsp
59. 0x00000000004005d8 <+8>: jmp 0x400610 <foo+64>
60. 0x00000000004005da <+10>: mov $0x400755,%eax
61. 0x00000000004005df <+15>: mov $0x601040,%esi
62. 0x00000000004005e4 <+20>: mov %rax,%rdi
63. 0x00000000004005e7 <+23>: mov $0x0,%eax
64. 0x00000000004005ec <+28>: callq 0x4004b0 <__isoc99_scanf@plt>
65. 0x00000000004005f1 <+33>: mov 0x200a4d(%rip),%eax # 0x601044 <pos>
66. 0x00000000004005f7 <+39>: movzbl 0x200a42(%rip),%edx # 0x601040 <c>
67. 0x00000000004005fe <+46>: mov %edx,%ecx
68. 0x0000000000400600 <+48>: movslq %eax,%rdx
69. 0x0000000000400603 <+51>: mov %cl,-0x10(%rbp,%rdx,1)
70. 0x0000000000400607 <+55>: add $0x1,%eax
71. 0x000000000040060a <+58>: mov %eax,0x200a34(%rip) # 0x601044 <pos>
72. 0x0000000000400610 <+64>: movzbl 0x200a29(%rip),%eax # 0x601040 <c>
73. 0x0000000000400617 <+71>: cmp $0x58,%al
74. 0x0000000000400619 <+73>: jne 0x4005da <foo+10>
75. => 0x000000000040061b <+75>: leaveq
76. 0x000000000040061c <+76>: retq
77. End of assembler dump.
78. (gdb) ni
79. 0x000000000040061c 19 }
80. (gdb) x/10xg $rsp
81. 0x7fffffffe278: 0x00000000004005a4 0x0000000000000000
82. 0x7fffffffe288: 0x00007ffff7a3b758 0x0000000000000000
83. 0x7fffffffe298: 0x00007fffffffe368 0x0000000100000000
84. 0x7fffffffe2a8: 0x000000000040061d 0x0000000000000000
85. 0x7fffffffe2b8: 0xbc2b8a4223791ede 0x00000000004004c0
86. (gdb) n
87. bof (i=0) at main.c:7
88. 7 {
89. (gdb) x/10xg $rsp
90. 0x7fffffffe280: 0x0000000000000000 0x00007ffff7a3b758
91. 0x7fffffffe290: 0x0000000000000000 0x00007fffffffe368
92. 0x7fffffffe2a0: 0x0000000100000000 0x000000000040061d
93. 0x7fffffffe2b0: 0x0000000000000000 0xbc2b8a4223791ede
94. 0x7fffffffe2c0: 0x00000000004004c0 0x00007fffffffe360
95. (gdb) n
96. 8 fprintf(stderr, "BOF %un", i);
97. (gdb) n
98. BOF 4158473024
99. 9 }
100. (gdb) x/10xg $rsp
101. 0x7fffffffe268: 0x0000000000000000 0xf7dd434000000000
102. 0x7fffffffe278: 0x0000000000000000 0x0000000000000000
103. 0x7fffffffe288: 0x00007ffff7a3b758 0x0000000000000000
104. 0x7fffffffe298: 0x00007fffffffe368 0x0000000100000000
105. 0x7fffffffe2a8: 0x000000000040061d 0x0000000000000000
106. (gdb)