C - free() crashing on char array, but only if the array holds exactly 7 elements

I have a simple C program that is supposed to read a message sent to the program through a Unix named pipe and show it to the user.
The program works the following way:
- reads the incoming message size from the pipe
- allocates enough memory for the incoming message, plus a byte for the null terminator
- reads the incoming data into the allocated memory
- appends the null terminator and returns
The code is the following:
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    void* receivefrompipe(char* pipe, int* stuffsize){
        printf("opening pipe\n");
        int fd = open(pipe, O_RDONLY);
        printf("pipe opened write side\n");
        read(fd, stuffsize, sizeof(stuffsize));
        printf("incoming message size : %d\n", *stuffsize);
        void* stuffpointer = calloc((*stuffsize) + 1, 1); // allocate stuffsize + 1 bytes
        printf("allocated memory stuff\n");
        read(fd, stuffpointer, *stuffsize);
        printf("read stuff pipe\n");
        close(fd);
        printf("closed pipe\n");
        ((int*)stuffpointer)[*stuffsize] = 0x00; // append the null terminator
        return stuffpointer;
    }
And the code in the main function is a simple read-free loop:

    int main(void){
        char* message;
        int msgsize = -1;
        while(1){
            message = (char*)receivefrompipe("./psender0", &msgsize);
            printf("got :: %s\n", message);
            fflush(stdout);
            free(message);
        }
    }
This works on any kind of message, unless the message has 6 bytes (7 with the appended null terminator). For example, the exact program with a "helloworld!" message outputs:

    opening pipe
    pipe opened write side
    incoming message size : 11
    allocated memory stuff
    read stuff pipe
    closed pipe
    got :: helloworld!
    opening pipe

which is the expected behaviour, but with the message 123456 the output turns into:

    opening pipe
    pipe opened write side
    incoming message size : 6
    allocated memory stuff
    read stuff pipe
    closed pipe
    got :: 123456
    *** Error in `./receiver': free(): invalid next size (fast): 0x0000008869995420 ***
    ======= Backtrace: =========
    /usr/lib/libc.so.6(+0x72bdd)[0x7f12da646bdd]
    /usr/lib/libc.so.6(+0x792ec)[0x7f12da64d2ec]
    /usr/lib/libc.so.6(+0x7a6d1)[0x7f12da64e6d1]
    ./receiver(+0xb13)[0x8867c07b13]
    /usr/lib/libc.so.6(__libc_start_main+0xea)[0x7f12da5f44ca]
    ./receiver(+0x9ba)[0x8867c079ba]
    ======= Memory map: ========
    8867c07000-8867c09000 r-xp 00000000 08:05 6030989 /home/andre/ei/so/pipestest/receiver
    8867e08000-8867e09000 r--p 00001000 08:05 6030989 /home/andre/ei/so/pipestest/receiver
    8867e09000-8867e0a000 rw-p 00002000 08:05 6030989 /home/andre/ei/so/pipestest/receiver
    8869995000-88699b6000 rw-p 00000000 00:00 0 [heap]
    7f12d4000000-7f12d4021000 rw-p 00000000 00:00 0
    7f12d4021000-7f12d8000000 ---p 00000000 00:00 0
    7f12da3bd000-7f12da3d3000 r-xp 00000000 08:02 545366 /usr/lib/libgcc_s.so.1
    7f12da3d3000-7f12da5d2000 ---p 00016000 08:02 545366 /usr/lib/libgcc_s.so.1
    7f12da5d2000-7f12da5d3000 r--p 00015000 08:02 545366 /usr/lib/libgcc_s.so.1
    7f12da5d3000-7f12da5d4000 rw-p 00016000 08:02 545366 /usr/lib/libgcc_s.so.1
    7f12da5d4000-7f12da771000 r-xp 00000000 08:02 526947 /usr/lib/libc-2.25.so
    7f12da771000-7f12da970000 ---p 0019d000 08:02 526947 /usr/lib/libc-2.25.so
    7f12da970000-7f12da974000 r--p 0019c000 08:02 526947 /usr/lib/libc-2.25.so
    7f12da974000-7f12da976000 rw-p 001a0000 08:02 526947 /usr/lib/libc-2.25.so
    7f12da976000-7f12da97a000 rw-p 00000000 00:00 0
    7f12da97a000-7f12da99d000 r-xp 00000000 08:02 526937 /usr/lib/ld-2.25.so
    7f12dab34000-7f12dab36000 rw-p 00000000 00:00 0
    7f12dab9c000-7f12dab9d000 rw-p 00000000 00:00 0
    7f12dab9d000-7f12dab9e000 r--p 00023000 08:02 526937 /usr/lib/ld-2.25.so
    7f12dab9e000-7f12dab9f000 rw-p 00024000 08:02 526937 /usr/lib/ld-2.25.so
    7f12dab9f000-7f12daba0000 rw-p 00000000 00:00 0
    7ffe4c462000-7ffe4c483000 rw-p 00000000 00:00 0 [stack]
    7ffe4c495000-7ffe4c498000 r--p 00000000 00:00 0 [vvar]
    7ffe4c498000-7ffe4c49a000 r-xp 00000000 00:00 0 [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    Aborted (core dumped)

I can't find the problem in the code, and can't imagine why it fails on 6-char messages, and would appreciate help.
This line:

    ((int*)stuffpointer)[*stuffsize] = 0x00;

You are casting stuffpointer to an integer pointer, so the array access uses sizeof(int) to calculate where to write the 0 integer value.
This writes outside the boundaries of the array, which causes the problem you are seeing.

Edit: to fix the issue, cast to (char *), or make stuffpointer a

    char *

to begin with.

Also

    read(fd,stuffsize,sizeof(stuffsize));

should be

    read(fd,stuffsize,sizeof(*stuffsize));

as sizeof(stuffsize) is the size of a pointer, which may not be the same as the size of an integer.
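The following is an added example, not code from the question or the answer above. It shows the byte offset the original int-cast store actually hits versus the byte the terminator belongs at, and a corrected receiver that reads sizeof(*stuffsize) bytes for the length, loops until read() has delivered the whole message (a pipe may return fewer bytes than asked for), and rejects a negative, oversized or truncated message instead of handing back a half-filled buffer. Names such as MAX_MESSAGE_SIZE, read_exact, receive_message, roundtrip_ok and truncated_rejected are assumptions of this example; an anonymous pipe() stands in for the named pipe so it runs without a sender process.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed cap for this example: a peer-supplied size must not be allowed to
 * overflow size + 1 or exhaust memory. */
#define MAX_MESSAGE_SIZE (1u << 20)

/* Byte offset that ((int*)stuffpointer)[*stuffsize] = 0 really writes to:
 * indexing through an int pointer scales the index by sizeof(int). */
size_t buggy_terminator_offset(int stuffsize) {
    return (size_t)stuffsize * sizeof(int);
}

/* Byte offset the terminator belongs at: the last of the size + 1 bytes. */
size_t fixed_terminator_offset(int stuffsize) {
    return (size_t)stuffsize;
}

/* Read exactly n bytes; read() on a pipe may return a short count.
 * Returns 0 on success, -1 on error or on EOF before n bytes arrived. */
static int read_exact(int fd, void *buf, size_t n) {
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (r == 0) return -1;          /* writer closed early */
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Corrected receiver on an already-open descriptor (a named pipe opened with
 * open(path, O_RDONLY) works the same). Returns a string the caller must
 * free(), or NULL for a malformed or truncated message. */
char *receive_message(int fd, int *stuffsize) {
    int size;
    if (read_exact(fd, &size, sizeof size) != 0)   /* sizeof(int), not of a pointer */
        return NULL;
    if (size < 0 || (unsigned)size > MAX_MESSAGE_SIZE)
        return NULL;
    char *msg = calloc((size_t)size + 1, 1);       /* size bytes plus terminator */
    if (msg == NULL)
        return NULL;
    if (read_exact(fd, msg, (size_t)size) != 0) {
        free(msg);
        return NULL;
    }
    msg[size] = '\0';                              /* char index: byte offset size */
    *stuffsize = size;
    return msg;
}

/* Send one length-prefixed message through an anonymous pipe and receive it
 * back. Returns 1 if the received string equals text, 0 otherwise. */
int roundtrip_ok(const char *text) {
    int fds[2];
    if (pipe(fds) != 0) return 0;
    int size = (int)strlen(text), got = -1, ok = 0;
    if (write(fds[1], &size, sizeof size) == (ssize_t)sizeof size &&
        write(fds[1], text, (size_t)size) == (ssize_t)size) {
        char *msg = receive_message(fds[0], &got);
        if (msg != NULL) {
            ok = (got == size && strcmp(msg, text) == 0);
            free(msg);
        }
    }
    close(fds[1]);
    close(fds[0]);
    return ok;
}

/* A stream that announces 10 bytes but closes after 4 must be rejected.
 * Returns 1 if receive_message() returns NULL for it. */
int truncated_rejected(void) {
    int fds[2];
    if (pipe(fds) != 0) return 0;
    int size = 10, got = -1, ok = 0;
    if (write(fds[1], &size, sizeof size) == (ssize_t)sizeof size &&
        write(fds[1], "abcd", 4) == 4) {
        close(fds[1]);                             /* EOF after 4 of 10 bytes */
        fds[1] = -1;
        char *msg = receive_message(fds[0], &got);
        ok = (msg == NULL);
        free(msg);
    }
    if (fds[1] != -1) close(fds[1]);
    close(fds[0]);
    return ok;
}

int main(void) {
    printf("6-byte message: buggy store at offset %zu, correct offset %zu\n",
           buggy_terminator_offset(6), fixed_terminator_offset(6));
    printf("roundtrip 123456: %s\n", roundtrip_ok("123456") ? "ok" : "FAILED");
    printf("truncated stream rejected: %s\n", truncated_rejected() ? "yes" : "NO");
    return 0;
}
```

The offsets explain the "only 6 bytes" symptom: on a 64-bit glibc the 7-byte request is served from a chunk with 24 usable bytes, so the stray 4-byte store at offset 24 lands on the size field of the adjacent chunk, which is precisely what free()'s "invalid next size" check trips on, while an 11-byte message stores at offset 44, past that header, and happens to corrupt nothing the allocator inspects. Build with -fsanitize=address to have either case reported at the write itself rather than at the later free().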