[Gambas-user] [Fwd: Gambas3 Pointers example] signal #6

Demosthenes Koptsis demosthenesk at ...626...
Mon Jan 10 00:59:06 CET 2011


i attach the Projects in case you want to see them.


On Mon, 2011-01-10 at 01:54 +0200, Demosthenes Koptsis wrote:
> so i manage to make it work...
> 
> i saw an example that said to use PATH_MAX+1
> https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/760-BSI.html
> 
> so i did
> 
> Example 1) ----------------------
> ' Gambas module file
> 'char *getcwd(char *buf, size_t size);
> Extern getcwd(buf As Pointer, size As Integer) As Pointer In "libc:6"
> 
>  Public Sub Main()
> 
>  Dim pFunc As Pointer
>  Dim pBuf As Pointer
>  Dim sWorkingDirectory As String
> 
>  'getcwd
>  pFunc = Alloc(4097)
>  pBuf = Alloc(4097)
> 
>  pFunc = getcwd(pBuf, 4097)
> 
>  sWorkingDirectory = Str@(pFunc)
>  Print sWorkingDirectory
>  Free(pFunc)
> ' Free(pBuf)
>  Print sWorkingDirectory
> 
>  End
> ----------------------
> 
> a) note in 1st example that 
> Print sWorkingDirectory
> Free(pFunc)
> Print sWorkingDirectory
> 
> first print gives the correct output
> /home/user/Documents/Development/Gambas3/Pointers7
> 
> and the second after Free(pFunc) gives this
> �s&^@^@^@^@^@^@^@^@^@ocuments/Development/Gambas3/Pointers7
> 
> b) if i use Free(pBuf)
> i get signal #6
> and
> *** glibc detected *** Pointers7: double free or corruption (!prev):
> 0x087c94c0 ***
> 
> Example 2 --------------------
> ' Gambas module file
> 'char *get_current_dir_name(void);
> Extern get_current_dir_name() As Pointer In "libc:6"
> 
>  Public Sub Main()
> 
>  Dim pFunc As Pointer
>  Dim sWorkingDirectory As String
> 
>  'get_current_dir_name
>  pFunc = Alloc(4097)
> 
>  pFunc = get_current_dir_name()
> 
>  sWorkingDirectory = Str@(pFunc)
>  Print sWorkingDirectory
>  Free(pFunc)
> 
>  End
> -----------------------
> here i get correct results
> but if i use Free(pFunc) i get signal #11
> 
> 
> 
> Example 3 ---------------------------
> ' Gambas module file
>  ' Gambas module file
>  'char *getwd(char *buf);
>  Extern getwd(buf As Pointer) As Pointer In "libc:6"
> 
>  Public Sub Main()
> 
>  Dim pBuf As Pointer
>  Dim pFunc As Pointer
>  Dim sWorkingDirectory As String
> 
>  'getwd
>  pBuf = Alloc(4097)
>  pFunc = Alloc(4097)
> 
>  pFunc = getwd(pBuf)
> 
>  sWorkingDirectory = Str@(pFunc)
> ' Free(pBuf)
>  Print sWorkingDirectory
>  Free(pFunc)
>  Print sWorkingDirectory
> 
>  End
> --------------------------
> 
> here the same with example1.
> Free(pBuf)
> Free(pFunc)
> raises both signal #6
> and
> *** glibc detected *** Pointers5: double free or corruption (!prev):
> 0x09b0e4a8 ***
> 
> also
> Print sWorkingDirectory
> Free(pFunc)
> Print sWorkingDirectory
> 
> first Print is correct
> second after Free is not correct
> 
> /home/user/Documents/Development/Gambas3/Pointers5
> �s&^@^@^@^@^@^@^@^@^@ocuments/Development/Gambas3/Pointers5
> 
> 
> 
> On Mon, 2011-01-10 at 01:16 +0200, Demosthenes Koptsis wrote:
> > 1) Ok, i found why this function is dangerous.
> > https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/760-BSI.html
> > "Since the user cannot specify the length of the buffer passed to
> > getwd(), use of this function is discouraged. The length of a pathname
> > described in {PATH_MAX} is file system-dependent and may vary from one
> > mount point to another, or might even be unlimited. It is possible to
> > overflow this buffer in such a way as to cause applications to fail or
> > possible system security violations."
> > 
> > But here i make a test no real life project.
> > 
> > 2) So, i found in /usr/include/linux/limits.h
> > Line Number: 12
> > #define PATH_MAX        4096 /* # chars in a path name including nul */
> > 
> > is this the value?
> > 
> > i tried this value in my example with no success, i make somewhere else
> > the mistake.
> > 
> > ---------------
> > ' Gambas module file
> > ' Gambas module file
> > 'char *getwd(char *buf);
> > Extern getwd(buf As Pointer) As Pointer In "libc:6"
> > 
> > Public Sub Main()
> > 
> > Dim pBuf As Pointer
> > Dim pFunc As Pointer
> > Dim sWorkingDirectory As String
> > 
> > 'getwd
> > pBuf = Alloc(4096)
> > pFunc = Alloc(4096)
> > 
> > pFunc = getwd(pBuf)
> > 
> > sWorkingDirectory = Str@(pFunc)
> > Free(pFunc)
> > Free(pBuf)
> > Print sWorkingDirectory
> > 
> > End
> > ---------------
> > 
> > signal #6
> > 
> > ----------------
> > *** glibc detected *** Pointers5: double free or corruption (!prev):
> > 0x0893f498 ***
> > ======= Backtrace: =========
> > /lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x17b591]
> > /lib/tls/i686/cmov/libc.so.6(+0x6cde8)[0x17cde8]
> > /lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0x17fecd]
> > Pointers5[0x805ed2e]
> > Pointers5[0x8076a6a]
> > Pointers5[0x8050a99]
> > Pointers5[0x80513d8]
> > Pointers5[0x80689cd]
> > /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x126bd6]
> > Pointers5[0x804b151]
> > ======= Memory map: ========
> > 00110000-00263000 r-xp 00000000 08:04
> > 2019753    /lib/tls/i686/cmov/libc-2.11.1.so
> > 00263000-00264000 ---p 00153000 08:04
> > 2019753    /lib/tls/i686/cmov/libc-2.11.1.so
> > 00264000-00266000 r--p 00153000 08:04
> > 2019753    /lib/tls/i686/cmov/libc-2.11.1.so
> > 00266000-00267000 rw-p 00155000 08:04
> > 2019753    /lib/tls/i686/cmov/libc-2.11.1.so
> > 00267000-0026a000 rw-p 00000000 00:00 0 
> > 00428000-00438000 r-xp 00000000 08:04
> > 1906544    /usr/local/lib/gambas3/gb.eval.so.0.0.0
> > 00438000-00439000 r--p 0000f000 08:04
> > 1906544    /usr/local/lib/gambas3/gb.eval.so.0.0.0
> > 00439000-0043b000 rw-p 00010000 08:04
> > 1906544    /usr/local/lib/gambas3/gb.eval.so.0.0.0
> > 0043b000-0043c000 rw-p 00000000 00:00 0 
> > 0046e000-0046f000 r-xp 00000000 00:00 0          [vdso]
> > 006c9000-006ce000 r-xp 00000000 08:04
> > 688690     /usr/lib/libffi.so.5.0.10
> > 006ce000-006cf000 ---p 00005000 08:04
> > 688690     /usr/lib/libffi.so.5.0.10
> > 006cf000-006d0000 r--p 00005000 08:04
> > 688690     /usr/lib/libffi.so.5.0.10
> > 006d0000-006d1000 rw-p 00006000 08:04
> > 688690     /usr/lib/libffi.so.5.0.10
> > 00739000-0075d000 r-xp 00000000 08:04
> > 2019761    /lib/tls/i686/cmov/libm-2.11.1.so
> > 0075d000-0075e000 r--p 00023000 08:04
> > 2019761    /lib/tls/i686/cmov/libm-2.11.1.so
> > 0075e000-0075f000 rw-p 00024000 08:04
> > 2019761    /lib/tls/i686/cmov/libm-2.11.1.so
> > 00aa5000-00ac2000 r-xp 00000000 08:04 1995027    /lib/libgcc_s.so.1
> > 00ac2000-00ac3000 r--p 0001c000 08:04 1995027    /lib/libgcc_s.so.1
> > 00ac3000-00ac4000 rw-p 0001d000 08:04 1995027    /lib/libgcc_s.so.1
> > 00bca000-00bcc000 r-xp 00000000 08:04
> > 2019759    /lib/tls/i686/cmov/libdl-2.11.1.so
> > 00bcc000-00bcd000 r--p 00001000 08:04
> > 2019759    /lib/tls/i686/cmov/libdl-2.11.1.so
> > 00bcd000-00bce000 rw-p 00002000 08:04
> > 2019759    /lib/tls/i686/cmov/libdl-2.11.1.so
> > 00c25000-00c3a000 r-xp 00000000 08:04
> > 2019772    /lib/tls/i686/cmov/libpthread-2.11.1.so
> > 00c3a000-00c3b000 r--p 00014000 08:04
> > 2019772    /lib/tls/i686/cmov/libpthread-2.11.1.so
> > 00c3b000-00c3c000 rw-p 00015000 08:04
> > 2019772    /lib/tls/i686/cmov/libpthread-2.11.1.so
> > 00c3c000-00c3e000 rw-p 00000000 00:00 0 
> > 00dc3000-00dc7000 r-xp 00000000 08:04
> > 1906676    /usr/local/lib/gambas3/gb.debug.so.0.0.0
> > 00dc7000-00dc8000 r--p 00003000 08:04
> > 1906676    /usr/local/lib/gambas3/gb.debug.so.0.0.0
> > 00dc8000-00dc9000 rw-p 00004000 08:04
> > 1906676    /usr/local/lib/gambas3/gb.debug.so.0.0.0
> > 00eeb000-00f06000 r-xp 00000000 08:04 1996732    /lib/ld-2.11.1.so
> > 00f06000-00f07000 r--p 0001a000 08:04 1996732    /lib/ld-2.11.1.so
> > 00f07000-00f08000 rw-p 0001b000 08:04 1996732    /lib/ld-2.11.1.so
> > 08048000-0807e000 r-xp 00000000 08:04 1785292    /usr/local/bin/gbx3
> > 0807e000-0807f000 r--p 00035000 08:04 1785292    /usr/local/bin/gbx3
> > 0807f000-08084000 rw-p 00036000 08:04 1785292    /usr/local/bin/gbx3
> > 08084000-08086000 rw-p 00000000 00:00 0 
> > 08932000-08953000 rw-p 00000000 00:00 0          [heap]
> > b7500000-b7521000 rw-p 00000000 00:00 0 
> > b7521000-b7600000 ---p 00000000 00:00 0 
> > b768a000-b76c9000 r--p 00000000 08:04
> > 737484     /usr/lib/locale/en_US.utf8/LC_CTYPE
> > b76c9000-b77e7000 r--p 00000000 08:04
> > 737483     /usr/lib/locale/en_US.utf8/LC_COLLATE
> > b77e7000-b77e9000 rw-p 00000000 00:00 0 
> > b77f1000-b77f2000 r--p 00000000 08:04
> > 737500     /usr/lib/locale/en_US.utf8/LC_NUMERIC
> > b77f2000-b77f3000 r--p 00000000 08:04
> > 735917     /usr/lib/locale/en_US.utf8/LC_TIME
> > b77f3000-b77f4000 r--p 00000000 08:04
> > 735918     /usr/lib/locale/en_US.utf8/LC_MONETARY
> > b77f4000-b77f5000 r--p 00000000 08:04
> > 752258     /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
> > b77f5000-b77f6000 r--p 00000000 08:04
> > 737523     /usr/lib/locale/en_US.utf8/LC_PAPER
> > b77f6000-b77f7000 r--p 00000000 08:04
> > 737455     /usr/lib/locale/en_US.utf8/LC_NAME
> > b77f7000-b77f8000 r--p 00000000 08:04
> > 735919     /usr/lib/locale/en_US.utf8/LC_ADDRESS
> > b77f8000-b77f9000 r--p 00000000 08:04
> > 735920     /usr/lib/locale/en_US.utf8/LC_TELEPHONE
> > b77f9000-b77fa000 r--p 00000000 08:04
> > 737398     /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
> > b77fa000-b7801000 r--s 00000000 08:04
> > 1619066    /usr/lib/gconv/gconv-modules.cache
> > b7801000-b7802000 r--p 00000000 08:04
> > 735921     /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
> > b7802000-b7806000 rw-p 00000000 00:00 0 
> > bfa53000-bfa68000 rw-p 00000000 00:00 0          [stack]
> > 
> > ----------------
> > 
> > i saw that the first line says
> > *** glibc detected *** Pointers5: double free or corruption (!prev)
> > 
> > and i rem the one Free().
> > 
> > now i get
> > --------------
> > gbx3: warning: 1 allocation(s) non freed.
> > 
> > ��m^@^@^@^@^@^@^@^@^@ocuments/Development/Gambas3/Pointers5
> > --------------
> > 
> > but no crash.
> > 
> > i played with the values of Alloc and i found that in my case a 29 bytes
> > are ok but with one Free() or else i get signal #11.
> > 
> > is there a bug with
> >  Free(pBuf)
> >  Free(pFunc)
> > ?
> > 
> > 3) On the other hand, i have a general question.
> > How to deal with char *pointers when their length is not known?
> > 
> > 4) For example i try to use
> > 'char *get_current_dir_name(void);
> > Extern get_current_dir_name() As Pointer In "libc:6"
> > 
> > again with no success. 
> > 
> > the manual says:
> > get_current_dir_name() will malloc(3) an array big enough to hold the
> > absolute pathname of the current working directory.
> > 
> > in my example:
> > 
> > ---------------------
> > ' Gambas module file
> > 'char *get_current_dir_name(void);
> > Extern get_current_dir_name() As Pointer In "libc:6"
> > 
> >  Public Sub Main()
> > 
> >  Dim pFunc As Pointer
> >  Dim sWorkingDirectory As String
> > 
> >  'get_current_dir_name
> >  pFunc = Alloc(4096)
> > 
> >  pFunc = get_current_dir_name()
> > 
> >  sWorkingDirectory = Str@(pFunc)
> > ' Free(pFunc)
> >  Print sWorkingDirectory
> > 
> > 
> >  End
> > ---------------------
> > 
> > if i use
> > Free(pFunc)
> > 
> > i get signal #11
> > 
> > gambas3-svn3418, ubuntu 10.04
> > 
> > 
> > On Sun, 2011-01-09 at 21:37 +0100, Benoît Minisini wrote: 
> > > > so what can i do for
> > > > 
> > > > char *getwd(char *buf);
> > > > 
> > > > ?
> > > > 
> > > 
> > > You must know C programming first, and understand how getwd works. By typing 
> > > 'man getwd', you will learn that you must not use that function, it is 
> > > dangerous and so deprecated.
> > > 
> > > Then you will read that buf must be a pointer to a memory allocation of 
> > > PATH_MAX bytes. You must find the value of this constant inside the standard C 
> > > header files.
> > > 
> > > SizeOf(gb.String) is 4 (on 32 bits system). It is the number of bytes used by 
> > > Gambas to store a pointer to a Gambas string. This is the reason why you get a 
> > > crash.
> > > 
> > > Regards,
> > > 
> > 
> 

-- 
Regards,
Demosthenes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Pointers.tar.bz2
Type: application/x-bzip-compressed-tar
Size: 6894 bytes
Desc: not available
URL: <http://lists.gambas-basic.org/pipermail/user/attachments/20110110/f9250046/attachment.bin>
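The double free and the garbage after Free() that the thread reports both come down to who owns which buffer. The following C program is an added illustration, not code from the thread or from the Gambas project: it shows that getcwd() returns the very buffer it was given (so the thread's pFunc and pBuf name the same allocation and freeing both is a double free), that get_current_dir_name() allocates its own result which must be copied before it is freed if the string is still needed, and, going beyond the page's fixed Alloc(4097), how to grow a getcwd() buffer on ERANGE so that correctness does not rest on PATH_MAX being the real limit. It assumes Linux with glibc (get_current_dir_name() is a GNU extension) and the function names cwd_growing and cwd_copy_then_free are my own.

```c
#define _GNU_SOURCE          /* for get_current_dir_name() */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* getcwd() hands back the very buffer it was given (or NULL on error), so
 * "pFunc" and "pBuf" in the thread's Example 1 are one block of memory.
 * Freeing both is a double free, which is what glibc reported. */
int getcwd_returns_its_argument(void)
{
    char buf[PATH_MAX + 1];
    char *ret = getcwd(buf, sizeof buf);
    return ret == buf;          /* 1 on success: same pointer, one owner */
}

/* Caller-owned buffer, grown on ERANGE so the result does not depend on
 * PATH_MAX being the true limit for the mounted file system. The returned
 * string is a single allocation the caller frees exactly once. */
char *cwd_growing(void)
{
    size_t size = 64;           /* deliberately small so the loop is exercised */
    for (;;) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        if (getcwd(buf, size) != NULL)
            return buf;         /* buf is the result; there is no second pointer */
        int err = errno;
        free(buf);              /* free the one allocation before retrying */
        if (err != ERANGE || size > ((size_t)1 << 20))
            return NULL;        /* real error, or an unreasonably long path */
        size *= 2;
    }
}

/* get_current_dir_name() allocates the result itself: nothing should be
 * allocated beforehand (Example 2's Alloc(4097) is leaked when the pointer
 * is overwritten), and the text must be copied out before free() if it is
 * still needed afterwards; reading it after free() is undefined behaviour,
 * which is where the "^@^@^@ocuments/..." garbage in the thread comes from. */
char *cwd_copy_then_free(void)
{
    char *p = get_current_dir_name();
    if (p == NULL)
        return NULL;
    char *copy = strdup(p);     /* owned copy; survives the free below */
    free(p);                    /* single free of the libc allocation */
    return copy;                /* caller frees this one, once */
}

int main(void)
{
    char *a = cwd_growing();
    char *b = cwd_copy_then_free();
    printf("getcwd returns its buffer: %d\n", getcwd_returns_its_argument());
    printf("getcwd               : %s\n", a ? a : "(error)");
    printf("get_current_dir_name : %s\n", b ? b : "(error)");
    free(a);
    free(b);
    return 0;
}
```

The Gambas equivalent of the fix is the same rule: allocate once, pass that pointer to getcwd(), convert with Str@() while the memory is still valid, then call Free() exactly once on that pointer; for get_current_dir_name() skip Alloc() entirely and Free() only the pointer libc returned.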