
Buffer Overflow - Char Array not removed from stack after exiting function

I am trying to concatenate a few strings to a buffer. However, if I call the function repeatedly, the size of my buffer will keep growing.

void print_message(char *str) {
    char message[8196];
    sender *m = senderlist;
    while(m) {
        /* note: stricmp() is a case-insensitive version of strcmp() */
        if(stricmp(m->sender,str)==0) {
            strcat(message,m->sender);
            strcat(message,", ");
        }
        m = m->next;
    }
    printf("strlen: %zu",strlen(message));   /* strlen() returns size_t, so %zu rather than %i */
    printf("Message: %s\n",message);
    return;
}

The size of message will continuously grow until the length will be 3799.

Example:

  • 1st call: strlen = 211
  • 2nd call: strlen = 514
  • 3rd call: strlen = 844
  • ...
  • nth call: strlen = 3799
  • nth +1 call: strlen = 3799
  • nth +2 call: strlen = 3799

My understanding was that statically allocated variables like char[] will automatically be freed upon exiting the function, and I'm not dynamically allocating anything on the heap.

And why will it suddenly stop growing at 3799 bytes? Thanks for any pointers.

Add one more statement after the buffer definition

char message[8196];
message[0] = '\0';

Or initialize the buffer when it is defined

char message[8196] = { '\0' };

or

char message[8196] = "";

that is fully equivalent to the previous initialization.

The problem with your code is that the compiler does not initialize the buffer if you do not specify initialization explicitly. So array message contains some garbage, but function strcat first searches for the terminating zero in the buffer in order to append a new string. So your program has undefined behaviour.

What you are seeing is the growing of the senderlist or likely garbage in message. Fortunately not exceeding 8196. The message array must start with the empty string. At the moment doing a strcat adds to garbage.

char message[8196];
sender *m = senderlist;
int len = 0;
*message = '\0';
while(m) {
    /* note: stricmp() is a case-insensitive version of strcmp() */
    if(stricmp(m->sender,str)==0) {
        int sender_len = strlen(m->sender);
        if (len + sender_len + 2 + 1 < sizeof(message)) {
            strcpy(message + len, m->sender);
            len += sender_len;
            strcpy(message + len, ", ");
            len += 2;
        } else {
            // Maybe appending "..." instead (+ 3 + 1 < ...).
            break;
        }
    }
    m = m->next;
}
printf("strlen: %zu",strlen(message));   /* strlen() returns size_t, so %zu rather than %i */
printf("Message: %s\n",message);
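Pulling the two answers above together (start from the empty string, and bound every append), here is an added, self-contained version that is not code from the original question or answers. It assumes a hypothetical `sender` node type matching the page's senderlist, replaces the non-standard stricmp() with a small portable case-insensitive compare, and builds the message in a caller-supplied buffer so repeated calls return the same length instead of growing:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical node type; assumed to match the page's senderlist. */
typedef struct sender { const char *sender; struct sender *next; } sender;
/* Portable stand-in for the non-standard stricmp() used on the page. */
static int ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Append src to dst (string of length *len in cap bytes). Returns 0 and
 * leaves dst unchanged if src plus its NUL would not fit. */
static int append_bounded(char *dst, size_t cap, size_t *len, const char *src) {
    size_t n = strlen(src);
    if (*len + n + 1 > cap) return 0;
    memcpy(dst + *len, src, n + 1);   /* copies the terminating NUL too */
    *len += n;
    return 1;
}
/* Hardened print_message(): the buffer is emptied on every call, so calls
 * cannot accumulate, and each append is bounds-checked. Returns strlen(out). */
size_t build_message(char *out, size_t cap, const sender *list, const char *str) {
    size_t len = 0;
    out[0] = '\0';                    /* the fix from the answers above */
    for (const sender *m = list; m; m = m->next) {
        if (!ci_equal(m->sender, str)) continue;
        if (!append_bounded(out, cap, &len, m->sender) ||
            !append_bounded(out, cap, &len, ", "))
            break;                    /* out of room: stop, stay terminated */
    }
    return len;
}

/* Constructed sample list: three case variants of "alice" and one non-match. */
static sender s4 = { "bob",   NULL };
static sender s3 = { "Alice", &s4 };
static sender s2 = { "ALICE", &s3 };
static sender s1 = { "alice", &s2 };
const sender *senderlist = &s1;
int main(void) {
    char message[8196];
    for (int i = 0; i < 3; i++) {     /* same length on every call */
        size_t n = build_message(message, sizeof message, senderlist, "alice");
        printf("call %d: strlen = %zu, message = %s\n", i + 1, n, message);
    }
    return 0;
}
```

With a deliberately small buffer the loop stops at the first entry that does not fit and the output stays NUL-terminated, which is the failure mode strcat alone never handles.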

"Deallocation" is not the same as wiping the data; in fact, C generally leaves the data unerased for performance reasons.
