A couple of remarks
- your program only uses stack local variables and constants. No heap.
- Stephens example does shwo the problem with 'silent' corruption, but indeed does not show why a segmenation fault does nto happen there and then on the copy.
- I suspect that those DOS, Solaris and other examples would also not fault... if you allocate a little more local variables, making it 'your space' to overwrite. They woudl then also silent fail.
- computer / software vendors only document correct behaviour. Random erroroneous program errors can cause random subsequent effect which may or might not include segmentation faults.
- segmentation faults are triggered by hardware, based on protecting entire pages. Is that what you mean by "2^n" ? If not, what did you mean by that 2^n?
- your 'buf' starts somewhere on a page. if it is allocated toward the end of a mamroy chunk, a hardware error will occur. If the page next to it happens to be writeable (more stack), it will happily overwrite that, and a further error may mor might not happen depnding on what is overwritten.
- Admittedly I do not actually know how strcpy is implemented on hpux but I hope it does NOT check. If it did, it would be wasting cpu time all the time (IMHO).
Man strcpy explains: "strcpy() Copies string s2 to s1, stopping after the null byte has been copied." Nowhere does it say it will stop when the target space is too small or some such. How could it know in a language like C?
- whether it faults or not depends the exact memory layout the system chooses for you. You can get some insight in that from several web pages. I found some with google for "+"memory layout" +hpux +site:hp.com"
For example:
http://h21007.www2.hp.com/dspp/files/unprotected/Itanium/aas_white_paper.pdfOther interesting search terms are "local variables" and grow and stack.
- A 'fun' document about overwriting stacks:
www.comms.scitech.susx.ac.uk/fft/security/ Stack_Smashing_Vulnerabilities_in_the_UNIX_Operating_System.pdf
Hope this helps some!
Regards,
Hein.
