如何防止 asprintf 覆盖堆上的变量?
How do I prevent asprintf writing over variables on heap?
我正在使用 asprintf
动态分配内存并加载字符串以存储有关工作目录中文件的信息。
在函数 parse_entry
的第 273 次(完全一致的)调用中,执行了这一行:file->filename_len = asprintf(&file->filename, "%s", entry->d_name);
并覆盖了 files[0]
指向的结构。
这是 gdb
的输出,因为我 运行 逐行进行第 273 次迭代:
在执行上述行之前:
p *files[0]
{filename = 0x60b8f0 ".", filename_len = 1, user = 0x60b8b0 "root", user_len = 4}
执行后:
p *files[0]
{filename = 0x746e6175716d7070 <Address 0x746e6175716d7070 out of bounds>,
filename_len = 6340608, user = 0x60c080 "00`", user_len = 70433}
代码附在下面。请注意,这是演示我遇到的问题的最小示例。
如何防止这种情况发生?
#define _GNU_SOURCE
#include <dirent.h>
#include <pwd.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#define SIZE 255
typedef struct {
char *filename;
int filename_len;
char *user;
int user_len;
} file_t;
void free_file(file_t *f)
{
if (!f) {
return;
}
if (f->filename) {
free(f->filename);
}
if (f->filename) {
free(f->user);
}
free(f);
}
void free_files(file_t **files, size_t count)
{
if (!files) {
return;
}
for (size_t i = 0; i < count; i++) {
free_file(files[i]);
}
free(files);
}
file_t *parse_entry(struct dirent *entry)
{
file_t *file = malloc(sizeof(file_t));
file->filename_len = asprintf(&file->filename, "%s", entry->d_name);
if (file->filename_len == -1) {
perror("While allocating memory for filename: ");
file->filename = NULL;
goto fail;
}
struct stat info;
if (stat(file->filename, &info)) {
perror("Can't stat file: ");
goto fail;
}
struct passwd *passwd = getpwuid(info.st_uid);
if (passwd) {
file->user_len = asprintf(&file->user, "%s", passwd->pw_name);
} else {
perror("While getting username. Using uid instead.");
file->user_len =
asprintf(&file->user, "%ju", (intmax_t) info.st_uid);
}
if (file->user_len == -1) {
perror("While allocating memory for username: ");
file->user = NULL;
goto fail;
}
return file;
fail:
free(file);
return NULL;
}
file_t **load_files(size_t *count)
{
*count = 0;
size_t size = SIZE;
file_t **files = malloc(SIZE * sizeof(file_t *));
DIR *dir = NULL;
if ((dir = opendir("."))) {
struct dirent *entry = NULL;
while ((entry = readdir(dir)) != NULL) {
if (*count >= size) {
size = size + SIZE;
file_t **tmp =
realloc(files, size * sizeof(file_t *));
if (tmp) {
files = tmp;
free(tmp);
} else {
return NULL;
}
}
file_t *file = parse_entry(entry);
if (file) {
files[(*count)] = file;
} else {
fprintf(stderr,
"Can't get information about %s skipping",
entry->d_name);
continue;
}
// is the structure overwritten yet?
printf("loaded %lu %s %s\n", *count,
files[0]->user,
files[0]->filename);
(*count)++;
}
} else {
return NULL;
}
closedir(dir);
return files;
}
void print_files(file_t **files, size_t count)
{
for (size_t i = 0; i < count; i++) {
printf("%s %s\n", files[i]->user, files[i]->filename);
}
}
int main()
{
size_t file_count;
file_t **files = load_files(&file_count);
if (!files) {
free_files(files, file_count);
return 1;
}
// do other stuff with files
print_files(files, file_count);
free_files(files, file_count);
return 0;
}
在重新分配更大的 files
数组后,您正在重新分配它。由于 files == tmp
(因为您刚刚将 tmp
分配给 files
),您对 free(tmp)
的调用释放了 files
指向的内存。因此,files
是一个指向已释放内存的悬空指针。该内存可能稍后会重新用于其中一个文件的 filename
。
我正在使用 asprintf
动态分配内存并加载字符串以存储有关工作目录中文件的信息。
在函数 parse_entry
的第 273 次(完全一致的)调用中,执行了这一行:file->filename_len = asprintf(&file->filename, "%s", entry->d_name);
并覆盖了 files[0]
指向的结构。
这是 gdb
的输出,因为我 运行 逐行进行第 273 次迭代:
在执行上述行之前:
p *files[0]
{filename = 0x60b8f0 ".", filename_len = 1, user = 0x60b8b0 "root", user_len = 4}
执行后:
p *files[0]
{filename = 0x746e6175716d7070 <Address 0x746e6175716d7070 out of bounds>,
filename_len = 6340608, user = 0x60c080 "00`", user_len = 70433}
代码附在下面。请注意,这是演示我遇到的问题的最小示例。
如何防止这种情况发生?
#define _GNU_SOURCE
#include <dirent.h>
#include <pwd.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#define SIZE 255
typedef struct {
char *filename;
int filename_len;
char *user;
int user_len;
} file_t;
void free_file(file_t *f)
{
if (!f) {
return;
}
if (f->filename) {
free(f->filename);
}
if (f->filename) {
free(f->user);
}
free(f);
}
void free_files(file_t **files, size_t count)
{
if (!files) {
return;
}
for (size_t i = 0; i < count; i++) {
free_file(files[i]);
}
free(files);
}
file_t *parse_entry(struct dirent *entry)
{
file_t *file = malloc(sizeof(file_t));
file->filename_len = asprintf(&file->filename, "%s", entry->d_name);
if (file->filename_len == -1) {
perror("While allocating memory for filename: ");
file->filename = NULL;
goto fail;
}
struct stat info;
if (stat(file->filename, &info)) {
perror("Can't stat file: ");
goto fail;
}
struct passwd *passwd = getpwuid(info.st_uid);
if (passwd) {
file->user_len = asprintf(&file->user, "%s", passwd->pw_name);
} else {
perror("While getting username. Using uid instead.");
file->user_len =
asprintf(&file->user, "%ju", (intmax_t) info.st_uid);
}
if (file->user_len == -1) {
perror("While allocating memory for username: ");
file->user = NULL;
goto fail;
}
return file;
fail:
free(file);
return NULL;
}
file_t **load_files(size_t *count)
{
*count = 0;
size_t size = SIZE;
file_t **files = malloc(SIZE * sizeof(file_t *));
DIR *dir = NULL;
if ((dir = opendir("."))) {
struct dirent *entry = NULL;
while ((entry = readdir(dir)) != NULL) {
if (*count >= size) {
size = size + SIZE;
file_t **tmp =
realloc(files, size * sizeof(file_t *));
if (tmp) {
files = tmp;
free(tmp);
} else {
return NULL;
}
}
file_t *file = parse_entry(entry);
if (file) {
files[(*count)] = file;
} else {
fprintf(stderr,
"Can't get information about %s skipping",
entry->d_name);
continue;
}
// is the structure overwritten yet?
printf("loaded %lu %s %s\n", *count,
files[0]->user,
files[0]->filename);
(*count)++;
}
} else {
return NULL;
}
closedir(dir);
return files;
}
void print_files(file_t **files, size_t count)
{
for (size_t i = 0; i < count; i++) {
printf("%s %s\n", files[i]->user, files[i]->filename);
}
}
int main()
{
size_t file_count;
file_t **files = load_files(&file_count);
if (!files) {
free_files(files, file_count);
return 1;
}
// do other stuff with files
print_files(files, file_count);
free_files(files, file_count);
return 0;
}
在重新分配更大的 files
数组后,您正在重新分配它。由于 files == tmp
(因为您刚刚将 tmp
分配给 files
),您对 free(tmp)
的调用释放了 files
指向的内存。因此,files
是一个指向已释放内存的悬空指针。该内存可能稍后会重新用于其中一个文件的 filename
。