C编程堆缓冲区溢出
C programming heap buffer overflow
我刚开始编码,有一个初学者问题。所以我有一个二叉树。添加第一个节点后,我想搜索树,看看是否有任何具有相同值的重复节点。但是当我尝试搜索只有一个节点的树时,我不断出错:
这是我的节点:
struct node{
int data;
struct node* left;
struct node* right;};
这是我用来创建第一个节点的函数
struct node* createnode(int num){
struct node *p=malloc(sizeof(struct node*));
p->data=num;
return p;
}
然后我这样添加:
struct node *root;
root=createnode(b);
这是搜索功能
char * search(int num, struct node *p, int dep){
dep=1;
char *result="n";
if(p==NULL){result="n";return result;}
struct node * root;
root=p;
while(root!=NULL){
if(num==root->data){
result= "y";break;
}
if(num>root->data && root->right!=NULL){
root=root->right;dep++;
}
if(num<root->data&&root->left!=NULL){
root=root->left;dep++;
}
if(num >root->data&&root->right==NULL){
result= "n";break;
}
if(num <root->data&&root->left==NULL){
result="n";break;
}
}
return result;
}
这是我得到的错误
==6841== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000e000 at pc 0x400eb5 bp 0x7fff3d5302c0 sp 0x7fff3d5302b0
READ of size 8 at 0x60040000e000 thread T0
#0 0x400eb4 (/.autofs/ilab/ilab_users/xy139/night+0x400eb4)
#1 0x402911 (/.autofs/ilab/ilab_users/xy139/night+0x402911)
#2 0x7f2196abdb14 (/usr/lib64/libc-2.17.so+0x21b14)
#3 0x400a78 (/.autofs/ilab/ilab_users/xy139/night+0x400a78)
0x60040000e000 is located 8 bytes to the right of 8-byte region [0x60040000dff0,0x60040000dff8)
allocated by thread T0 here:
#0 0x7f2196e74129 (/usr/lib64/libasan.so.0.0.0+0x16129)
#1 0x402071 (/.autofs/ilab/ilab_users/xy139/night+0x402071)
#2 0x402899 (/.autofs/ilab/ilab_users/xy139/night+0x402899)
#3 0x7f2196abdb14 (/usr/lib64/libc-2.17.so+0x21b14)
Shadow bytes around the buggy address:
0x0c00ffff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 fa
=>0x0c00ffff9c00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==6841== ABORTING
感谢所有愿意帮忙的人!!!
struct node *p = malloc(sizeof(struct node*));
您需要为结构本身分配足够的内存,而不是指向结构的指针。
struct node *p = malloc(sizeof(struct node));
如果你 de-reference 目标指针并将它的大小作为参数传递给 malloc 就更容易记住这样做:
struct node *p = malloc(sizeof(*p));
如果您要在以后的程序修订中更改 p 的数据类型,则不需要将相应的参数更新为 malloc。
一个典型的错误是分配内存不是为了结构的大小,而是为了它的指针。 Synchronizer showed the 他回答的问题:
struct node *p = malloc(sizeof(struct node));
我还应该补充一点,malloc 可以 return 一个潜在的空指针 (link),这就是为什么在分配内存之后应该在取消引用之前检查它是否为空:
struct node* createnode(int num)
{
struct node *p = malloc(sizeof(struct node));
if (p != NULL) // <=
{
p->data = num;
}
return p;
}
费了那么多时间才找到错误,实在是太可惜了。也许,使用静态分析器可以帮助更早地发现错误。 Here你可以看到在大项目中如何犯类似的错误。
我刚开始编码,有一个初学者问题。所以我有一个二叉树。添加第一个节点后,我想搜索树,看看是否有任何具有相同值的重复节点。但是当我尝试搜索只有一个节点的树时,我不断出错: 这是我的节点:
struct node{
int data;
struct node* left;
struct node* right;};
这是我用来创建第一个节点的函数
struct node* createnode(int num){
struct node *p=malloc(sizeof(struct node*));
p->data=num;
return p;
}
然后我这样添加:
struct node *root;
root=createnode(b);
这是搜索功能
char * search(int num, struct node *p, int dep){
dep=1;
char *result="n";
if(p==NULL){result="n";return result;}
struct node * root;
root=p;
while(root!=NULL){
if(num==root->data){
result= "y";break;
}
if(num>root->data && root->right!=NULL){
root=root->right;dep++;
}
if(num<root->data&&root->left!=NULL){
root=root->left;dep++;
}
if(num >root->data&&root->right==NULL){
result= "n";break;
}
if(num <root->data&&root->left==NULL){
result="n";break;
}
}
return result;
}
这是我得到的错误
==6841== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000e000 at pc 0x400eb5 bp 0x7fff3d5302c0 sp 0x7fff3d5302b0
READ of size 8 at 0x60040000e000 thread T0
#0 0x400eb4 (/.autofs/ilab/ilab_users/xy139/night+0x400eb4)
#1 0x402911 (/.autofs/ilab/ilab_users/xy139/night+0x402911)
#2 0x7f2196abdb14 (/usr/lib64/libc-2.17.so+0x21b14)
#3 0x400a78 (/.autofs/ilab/ilab_users/xy139/night+0x400a78)
0x60040000e000 is located 8 bytes to the right of 8-byte region [0x60040000dff0,0x60040000dff8)
allocated by thread T0 here:
#0 0x7f2196e74129 (/usr/lib64/libasan.so.0.0.0+0x16129)
#1 0x402071 (/.autofs/ilab/ilab_users/xy139/night+0x402071)
#2 0x402899 (/.autofs/ilab/ilab_users/xy139/night+0x402899)
#3 0x7f2196abdb14 (/usr/lib64/libc-2.17.so+0x21b14)
Shadow bytes around the buggy address:
0x0c00ffff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 fa
=>0x0c00ffff9c00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==6841== ABORTING
感谢所有愿意帮忙的人!!!
struct node *p = malloc(sizeof(struct node*));
您需要为结构本身分配足够的内存,而不是指向结构的指针。
struct node *p = malloc(sizeof(struct node));
如果你 de-reference 目标指针并将它的大小作为参数传递给 malloc 就更容易记住这样做:
struct node *p = malloc(sizeof(*p));
如果您要在以后的程序修订中更改 p 的数据类型,则不需要将相应的参数更新为 malloc。
一个典型的错误是分配内存不是为了结构的大小,而是为了它的指针。 Synchronizer showed the
struct node *p = malloc(sizeof(struct node));
我还应该补充一点,malloc 可以 return 一个潜在的空指针 (link),这就是为什么在分配内存之后应该在取消引用之前检查它是否为空:
struct node* createnode(int num)
{
struct node *p = malloc(sizeof(struct node));
if (p != NULL) // <=
{
p->data = num;
}
return p;
}
费了那么多时间才找到错误,实在是太可惜了。也许,使用静态分析器可以帮助更早地发现错误。 Here你可以看到在大项目中如何犯类似的错误。