Most common security flaws with C programs

You should read Secure Programming HOWTO. Here's the most common problems with non-suid/sgid programs:

• Buffer overflows
  • String based - eg. usage of strcpy(), strcat(), sprintf().
    • Use strncpy(), strncat(), snprintf(), etc. and verify the sizes. This can get ugly and difficult to verify they're calculated properly.
    • Dynamically allocate memory, either a calculated amount (same problem as above) or use buffers that grow automatically - good idea but make sure it won't allocate all your memory. It's also a bit slower and causes memory fragmentation. I've found that data stack works very well for me.
  • Integer overflows. This is what most of the new exploits seem to be based on nowadays. Problem is that growing a value could actually make it smaller, so in case of malloc(sizeof(struct) * count) if count is very large, it could actually allocate only a few bytes and it'd be easy to exploit after that. These are quite difficult to get right, especially since you can nowadays easily transfer the needed 2-4GB of data over internet to be able to exploit some flaw. 64bit architectures are also becoming more common so it could become possible for a process to use more than 4GB of memory allowing exploiting some bugs.
  • Another overflow problem is the signedness issues, when you store large number to int, it might become negative. See example. Also casting unsigned int to signed int has the same problem.
• Format string vulnerabilities - printf(user_data) etc.

Some examples

Signedness

char *buf;
int i, len;

read(fd, &len, sizeof(len));

/* we forgot to check for < 0 */
if (len > 8000) { error("too large length"); return; }

buf = malloc(len);
read(fd, buf, len); /* len casted to unsigned and overflows */

Integer truncating

For 64bit architectures:

void *mymalloc(unsigned int size) { return malloc(size); }

char *buf;
size_t len;

read(fd, &len, sizeof(len));

/* we forgot to check the maximum length */

/* 64bit size_t gets truncated to 32bit unsigned int */
buf = mymalloc(len);
read(fd, buf, len);

Integer overflow

char *buf;
size_t len;

read(fd, &len, sizeof(len));

/* we forgot to check the maximum length */

buf = malloc(len+1); /* +1 can overflow to malloc(0) */
read(fd, buf, len);
buf[len] = '\0';