Preventing buffer overflow in C/C++

Many times I have problems with Buffer Overflow.

int y[10][10][10];

... ...

y[0][15][3] = 8;

How can I prevent this problem? Is there any good tool that can help me?

Neil's answer is better in the general case, but if you have a reason for using plain old arrays, you can use functions to get and set the values and also check that you're within the array bounds:

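#include <assert.h>

#define MAX_INDEX 10
/* ASSERT is not a standard macro; map it onto assert() from <assert.h>. */
#define ASSERT(cond) assert(cond)

int y[MAX_INDEX][MAX_INDEX][MAX_INDEX];

/* Read y[a][b][c] after checking every index against its bound. */
int get_y(int a, int b, int c)
{
    ASSERT(a >= 0 && a < MAX_INDEX);
    ASSERT(b >= 0 && b < MAX_INDEX);
    ASSERT(c >= 0 && c < MAX_INDEX);
    return y[a][b][c];
}

/* Write y[a][b][c] after checking every index against its bound. */
void set_y(int a, int b, int c, int value)
{
    ASSERT(a >= 0 && a < MAX_INDEX);
    ASSERT(b >= 0 && b < MAX_INDEX);
    ASSERT(c >= 0 && c < MAX_INDEX);
    y[a][b][c] = value;
}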

...all wrapped up in a class, ideally.

Don't use raw C-style arrays. Instead, use C++ container classes such as std::vector, which have the ability to check for invalid accesses and raise exceptions when they occur.

Also, what you are describing is not really a buffer overflow.

In addition to the other comments, you might also have a look at the suggestions in this thread, which deals with static code analysis tools:

C/C++ Free alternative to Lint?

Solution at the code level

In C++, one solution is to never use arrays, but C++ containers instead. Vectors, for example, have out-of-bounds detection if you use at instead of [] for indexing.

In C, you should always design your functions so that you pass both the pointers and the dimension(s) of your arrays; there is no way around it.

Solution at the tool level

A great tool for checking out-of-bounds access is valgrind. It works by running your binary unaltered, and can give the precise line where errors occur if you compile with debug information. Valgrind works on many Unix systems, including Mac OS X.

Note that valgrind cannot always detect those bad accesses (in your example, assuming it was a real out of bounds access, it would have gone unnoticed by valgrind because the variable is on the stack, not on the heap).
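Added example, not code from any poster in this thread: the "pass the pointer together with its dimensions" advice for C, applied to the question's 10x10x10 array and its indices [0][15][3]. The names grid3, grid3_offset, grid3_set, grid3_get and storage are hypothetical; the block also computes where the unchecked row-major arithmetic would land for those indices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define DIM 10

/* A 3-D view over a flat buffer: the pointer always travels with its dimensions. */
struct grid3 { int *data; size_t d0, d1, d2; };

static int storage[DIM * DIM * DIM];   /* same size as the question's int y[10][10][10] */
static struct grid3 y = { storage, DIM, DIM, DIM };

/* Row-major offset that unchecked [a][b][c] arithmetic works out to. */
size_t grid3_offset(const struct grid3 *g, size_t a, size_t b, size_t c)
{
    return (a * g->d1 + b) * g->d2 + c;
}

/* Checked store: each index is validated against its own dimension. */
bool grid3_set(struct grid3 *g, size_t a, size_t b, size_t c, int value)
{
    if (a >= g->d0 || b >= g->d1 || c >= g->d2)
        return false;
    g->data[grid3_offset(g, a, b, c)] = value;
    return true;
}

/* Checked load: returns false and leaves *out untouched on a bad index. */
bool grid3_get(const struct grid3 *g, size_t a, size_t b, size_t c, int *out)
{
    if (a >= g->d0 || b >= g->d1 || c >= g->d2)
        return false;
    *out = g->data[grid3_offset(g, a, b, c)];
    return true;
}

int main(void)
{
    /* The question's indices: offset 153 lies inside the 1000-int block,
       in the slot that belongs to [1][5][3]. */
    printf("flat offset of [0][15][3]: %zu of %d\n",
           grid3_offset(&y, 0, 15, 3), DIM * DIM * DIM);
    printf("checked store accepted: %d\n", grid3_set(&y, 0, 15, 3, 8));
    return 0;
}
```

Because the indices are size_t, a negative int passed by a caller converts to a very large value and is rejected by the same comparison.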

I've found an interesting piece of software for buffer overflow. You can download it for free from www.bugfighter-soft.com

It says that it can discover buffer overflow and that it is independent from compiler and platform.

I tried it with Visual C++ Express 2008 and it worked well. I could discover buffer overflow in a multidimensional array such as int y[10][10][10];

Do you think it is cross platform?

Do you know something more about it?

Using sprintf in TRACE MACROS is the biggest sin.
