c - 对于这种特殊情况，如何检测 C 中的缓冲区溢出，

Question

我认为这段代码应该产生缓冲区溢出错误，但显然，这打印得很好..有没有办法检测它是否溢出？

Valgrind 也没有捡到它......

static void e(void) {
  char buffer[5];
  char data1[] = "abc";
  char data2[] = "de";
  memcpy(buffer, data1, sizeof(data1));
  // strcat appends data2 to buffer and adds '\0' at the end dest
  strcat(buffer, data2);
  //printf("%s\n", buffer);
}

Answer 1

The -fsanitize=address of gcc是您正在寻找的选项。例如:

$ cat test.cpp 
#include <stdio.h>
#include <string.h>

static void e(void) {
  char buffer[5];
  char data1[] = "abc";
  char data2[] = "de";
  memcpy(buffer, data1, sizeof(data1));
  // strcat appends data2 to buffer and adds '\0' at the end dest
  strcat(buffer, data2);
  //printf("%s\n", buffer);
}

int main() {
    e();
}
$ g++ test.cpp -o a -fsanitize=address -g3
$ ./a
=================================================================
==21537== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1d8c0313 at pc 0x7f96ebedd94b bp 0x7ffd1d8c0260 sp 0x7ffd1d8bfa20
WRITE of size 3 at 0x7ffd1d8c0313 thread T0
    #0 0x7f96ebedd94a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xe94a)
    #1 0x40091b (/tmp/a+0x40091b)
    #2 0x400959 (/tmp/a+0x400959)
    #3 0x7f96ebb2bec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #4 0x400748 (/tmp/a+0x400748)
Address 0x7ffd1d8c0313 is located at offset 163 in frame <e> of T0's stack:
  This frame has 3 object(s):
    [32, 35) 'data2'
    [96, 100) 'data1'
    [160, 165) 'buffer'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x100023b10010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b10020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b10030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b10040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x100023b10050: f1 f1 03 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
=>0x100023b10060: f2 f2[05]f4 f4 f4 00 00 00 00 00 00 00 00 00 00
  0x100023b10070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b10080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b10090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b100a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023b100b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==21537== ABORTING