缓冲区溢出时程序没有崩溃
[英]Program didn't crash when buffer overflow
问题描述
I want to read a string from keyboard and store in buf . 
我想从键盘上读取一个字符串并存储在buf 。 I set a char buf[6] array , this array at most can store 5 characters and \\0 . 我设置了一个char buf[6]数组,该数组最多可以存储5个字符和\\0 。
Then I type 123 456 789 it contain 11 characters and a \\0 , the program still can run , but if I type a longer string 123 456 789 123 456 789 it will crash at run time . 然后,我键入123 456 789它包含11个字符和一个\\0 ,该程序仍然可以运行,但是如果我键入更长的字符串123 456 789 123 456 789 ,它将在运行时崩溃。 these two inputs also out of the range of buf , but one can run , the other crash? 这两个输入也超出了buf的范围,但是一个可以运行,另一个崩溃?
Here is my code: 这是我的代码:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void read_str();
int main(){
read_str();
system("pause");
return 0;
}
void read_str(){
char buf[6] = {};
scanf("%[^\n]",buf);
printf("%d\n",strlen(buf));
printf("%s\n",buf);
}
2 个解决方案
解决方案1
3 已采纳 2013-09-28 02:40:55
This is just undefined behavior to write outside the bounds of allocated memory. 这只是在分配的内存范围之外写入的未定义行为 。 It may work now but it can not be relied on to work. 它可能现在可以工作,但不能依靠它来工作。 The C99 draft standard in Annex J.2 Undefined behavior says: 附件J.2 未定义行为中的C99标准草案说:
An array subscript is out of range, even if an object is apparently accessible with the given subscript (as in the lvalue expression a[1][7] given the declaration int a[4][5]) (6.5.6).
Note that section 3.4.3 undefined behavior which defines the term in paragraph 2 says( emphasis mine ): 请注意,第3.4.3节未定义行为定义了第2段中的术语( 强调我的 ):
Possible undefined behavior ranges from ignoring the situation completely with unpredictable results , to behaving during translation or program execution in a documented manner characteristic of the environment (with or without the issuance of a diagnostic message), to terminating a translation or execution (with the issuance of a diagnostic message).
解决方案2
3 2013-09-28 02:42:17
The real reason is most likely that you're just overwriting the contents of your stack since you're in a function call, and you don't actually get to memory you don't own until you to try to write characters past the bottom of it. 真正的原因很可能是因为您正在进行函数调用而只是覆盖了堆栈的内容,并且实际上直到尝试编写超出底部的字符后,您才真正拥有了不属于您的内存它的。 Even though it doesn't crash, this is almost always bad because you're overwriting values that your program put there for a reason. 即使它不会崩溃,但这几乎总是很糟糕,因为您会覆盖程序出于某种原因放置在其中的值。 After all, if you always crashed every time you overwrote a buffer, then buffer overflow bugs could never occur, and we know they do. 毕竟,如果每次改写缓冲区时总是崩溃,那么缓冲区溢出错误就永远不会发生,我们知道它们确实会发生。
For instance, your stack is likely growing downwards. 例如,您的堆栈可能会向下增长。 When you make a function call, you might get register values, a return address, argument values, and other things placed onto the stack. 进行函数调用时,您可能会获得寄存器值,返回地址,参数值以及其他放置在堆栈中的内容。 Then, and only then, will your 6 bytes for buf be allocated. 然后,直到那时,才会分配您用于buf的6个字节。 If all that other stuff took up, say, 12 bytes, then you could write 18 characters to buf and still be only touching memory that you shouldn't be changing, but that your process owns. 如果所有其他的东西占去了,说,12个字节,那么你就可以写18个字符buf ,仍然是你不应该只改变触摸存储器,但是你的程序拥有。 Since your process owns it, you won't get an illegal memory access, and you won't crash. 由于您的进程拥有它,因此您不会获得非法的内存访问,也不会崩溃。 Once you go past the 18 bytes, then you may very well get into memory that your process doesn't own, and you'll get a segfault and the game will be up. 超过18个字节后,您很可能进入进程不拥有的内存,并且遇到段错误,游戏将启动。
The C reason is that you just have undefined behavior and weird stuff happens that you shouldn't even try to understand. C的原因是您只是行为未定义,甚至发生了奇怪的事情,甚至您都不应该去理解。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.