Catching weird C pointer arithmetic bugs -


I recently went to a very stealth bug in which I forgot a director for a string (four array) And thus sometimes a byte on the stack is overwritten.

Bad: 

  four ** str; (* Str) = Molk (10); ... str [2] = 'a'; // Overwrites 3 bytes in that location where str is stored

Correct: 

  char ** str; (* Str) = Molk (10); ... (* str) [2] = 'A'; The GCC did not give any warning, and this error would arise as a very serious and real exploitation, because this value is sometimes a value holding buffer size. I only caught this bug because I got good fortune and it causes a failure.  
     
  •  
     Depend on destiny and / or never use it for C, which uses defensive coding techniques and tricks you use to catch horny insects. ?   
  •  
     I'm thinking about going to Valgrind, did anyone use it? I suspect that this bug will not be caught. Anyone know?   
  •  
     Is there pointer detection or tools to capture arithmetic bugs? Is this also possible?    
     UPDATE  
     Here is the requested example code, it does not make any warnings.  
      # include & lt; Stdlib.h & gt; Zero test (unsigned char ** byte) {(bytere) = (unsigned char *) molk (5); Bytere [4] = 0x0; } Int main (zero) {unsigned char * str; Test (& str); Return 0; }  
     
     There is no error due to the compilation: 
     
      GCC-Wall testBug.c -o testBug  
     
     The reason for running is Seg fault: 
     
      ./ testBug partition fault  
     
     This is using GCC I version: 
     < Pre>  Use of GCC-V is built in the eyeglasses: i486-linux-gnu is configured with: ../src/configure -v --with-pkgversion = 'Ubuntu 4.4.1-4ubuntu9' - -with-bugurl = file: /// USR / share / doctor / gcc-4.4 / readme.bugs-cable-languages ​​= c, c ++, foreign, obese C, OBJ-C ++ - prefix = / usr - sign-sharing-compatible-multiprofessional - enable-linker-build-id - with-system-zlib --libexecdir = / usr / lib - without-included-gatetext - enabled threads = posix --with-gxx- include- dir = / usr / include / c ++ / 4.4 - program-suffix = -4.4 - enabled-NLS -enabled-clocel = gnu -enable- Libstdcxx-debug --enable-objc-gc --enable-targets = all --disable-werror -with-arch-32 = i486 --with-tune = generic --enable-checking = release --build = i486- Linux-gnu --host = i486-linux-gnu --target = i486-linux-gnu thread model: posix gcc version 4.4.1 (Ubuntu 4.4.1-4ubuntu9)  "post-text" itemprop = " Text "> 
     My best interests Shatmk indicator strategy: Avoid use indirection on more than one level. It is okay to fix this to assign a memory to point-to-pointers. But then using the memory assigned as an array is asking trouble, which you got. I would like to do something like this:  
      char ** outStr; * OutStr = malloc (10); Char * str = * outStr; Str [2] = 10;  
     
     Okay, in fact this is only a removable-qualified strategy that is with defensive value. Indicators are quite easy to understand for a long time that there is no sign of more than one level at any one time, and when you understand it well, code is easy to work on.

Comments

Post a Comment

Popular posts from this blog

sql - dynamically varied number of conditions in the 'where' statement using LINQ -

I am using my first project LINQ (in mvc), so maybe there's something very simple that I remember. However, a day of searching and experimenting does not work, so it works. I am trying to write a LINQ query (Linux to SQL) in which in many cases where the statement is different from an OR or an AND. We do not know how many conditions are going in the query till runtime. This search is for filter control, where the user can choose multiple criteria for filtering. Select from table where table.col = 1 or table.col = 2 or table.col = 7 .... 'Other number of conditions Before I just create the SQL query as a string, while looping over all the situations. However, it seems that there should be a good way to do this in LINQ. I tried to use Expression trees, but they had a second thought for this moment on my head, where the lambda function was to be executed inside the statement such as: values ​​for matchingRows = matchingRows for each value Where (function (row) row.c...
Read more

asp.net mvc - Dynamically Generated Ajax.BeginForm -

I have a problem with ASP.NET MVC Ajax forms. I generate many Ajax form in a table such as: & Lt; Input type = "submit" name = "activity" value = "add activity" / & gt; & Lt;%}% & gt; & Lt; / TD & gt; & Lt; / TR & gt; & Lt;%}% & gt; So far so good. When I post one of those forms, it gives a partial view in a div, and in this new partial view a new Ajax Beginnform (which is not in Genesis form) This second Ajax Beginnorf is exactly like the ones I got on the table, but when I post it, I do not get the "Ajax Post", but a normal post that sends me to a new page, I do not know whether the two Ajax forms What is the reason for the difference between, why is it the "dynamically generated" Ajax form behaves like a normal HTML form? By the way, I know that I can do it in different ways using javascript, but I would like to understand whether it can only be done using MVC helplars and Ajax lib...
Read more

Debug on symbian -

I am using trk for phone debug This works well for the Holorld project But when I start the project in phone debug mode 1) the load failed 2) TrkProtocolPlugin: to target the specified file Failure (please verify If any body understands what problem I am experiencing, then this problem helps me Pre-release If the application has the privileges assigned (with the appropriate certificate) itemprop = "text" > In your case, I will check: / li> If there is no conflict of application ID with any other application of device If there are problematic commands in the installation package (for example copy copy for non-accessible directories)
Read more