如何防止 asprintf 覆盖堆上的变量?

How do I prevent asprintf writing over variables on heap?

我正在使用 asprintf 动态分配内存并加载字符串以存储有关工作目录中文件的信息。

在函数 parse_entry 的第 273 次(完全一致的)调用中,执行了这一行:file->filename_len = asprintf(&file->filename, "%s", entry->d_name); 并覆盖了 files[0] 指向的结构。

这是 gdb 的输出,因为我 运行 逐行进行第 273 次迭代:

在执行上述行之前:

p *files[0]
{filename = 0x60b8f0 ".", filename_len = 1, user = 0x60b8b0 "root", user_len = 4}

执行后:

p *files[0]
{filename = 0x746e6175716d7070 <Address 0x746e6175716d7070 out of bounds>, 
filename_len = 6340608, user = 0x60c080 "00`", user_len = 70433}

代码附在下面。请注意,这是演示我遇到的问题的最小示例。

如何防止这种情况发生?

#define _GNU_SOURCE
#include <dirent.h>
#include <pwd.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#define SIZE 255

typedef struct {
    char *filename;
    int filename_len;
    char *user;
    int user_len;
} file_t;

void free_file(file_t *f)
{
    if (!f) {
        return;
    }
    if (f->filename) {
        free(f->filename);
    }
    if (f->filename) {
        free(f->user);
    }
    free(f);
}

void free_files(file_t **files, size_t count)
{
    if (!files) {
        return;
    }
    for (size_t i = 0; i < count; i++) {
        free_file(files[i]);
    }
    free(files);
}

file_t *parse_entry(struct dirent *entry)
{
    file_t *file = malloc(sizeof(file_t));

    file->filename_len = asprintf(&file->filename, "%s", entry->d_name);
    if (file->filename_len == -1) {
        perror("While allocating memory for filename: ");
        file->filename = NULL;
        goto fail;
    }

    struct stat info;
    if (stat(file->filename, &info)) {
        perror("Can't stat file: ");
        goto fail;
    }

    struct passwd *passwd = getpwuid(info.st_uid);
    if (passwd) {
        file->user_len = asprintf(&file->user, "%s", passwd->pw_name);
    } else {
        perror("While getting username. Using uid instead.");
        file->user_len =
            asprintf(&file->user, "%ju", (intmax_t) info.st_uid);
    }
    if (file->user_len == -1) {
        perror("While allocating memory for username: ");
        file->user = NULL;
        goto fail;
    }

    return file;

fail:
    free(file);
    return NULL;
}

file_t **load_files(size_t *count)
{
    *count = 0;
    size_t size = SIZE;
    file_t **files = malloc(SIZE * sizeof(file_t *));
    DIR *dir = NULL;
    if ((dir = opendir("."))) {
        struct dirent *entry = NULL;
        while ((entry = readdir(dir)) != NULL) {
            if (*count >= size) {
                size = size + SIZE;
                file_t **tmp =
                    realloc(files, size * sizeof(file_t *));
                if (tmp) {
                    files = tmp;
                    free(tmp);
                } else {
                    return NULL;
                }
            }
            file_t *file = parse_entry(entry);
            if (file) {
                files[(*count)] = file;
            } else {
                fprintf(stderr,
                    "Can't get information about %s skipping",
                    entry->d_name);
                continue;
            }
            // is the structure overwritten yet?
            printf("loaded %lu %s %s\n", *count,
                    files[0]->user,
                    files[0]->filename);
            (*count)++;
        }
    } else {
        return NULL;
    }
    closedir(dir);
    return files;
}

void print_files(file_t **files, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        printf("%s %s\n", files[i]->user, files[i]->filename);
    }
}

int main()
{
    size_t file_count;
    file_t **files = load_files(&file_count);
    if (!files) {
        free_files(files, file_count);
        return 1;
    }

    // do other stuff with files
    print_files(files, file_count);
    free_files(files, file_count);

    return 0;
}

在重新分配更大的 files 数组后,您正在重新分配它。由于 files == tmp(因为您刚刚将 tmp 分配给 files),您对 free(tmp) 的调用释放了 files 指向的内存。因此,files 是一个指向已释放内存的悬空指针。该内存可能稍后会重新用于其中一个文件的 filename