I’ve problem with this function using winsock2. When program leave this function in debug mode I receive 2 statements (only during exiting this function):
“Run-Time Check Failure #2 - Stack around the variable 'filePath' was corrupted.”
“Run-Time Check Failure #2 - Stack around the variable 'recBuf' was corrupted.”
I’m programmin开发者_如何学Pythong in VS2008 C++ (console application). In Release mode this statements do not exist.
So I’m waiting for reply and thanks a lot for your help ;)
Function:
#include "stdafx.h"
#include "server.h"
bool Server::fileReceive()
{
char recBuf[MAX_PACKET_BUFOR] ={0};
char filePath[100] = {0};
int size = 0;
int var = 0;
char key = 0;
int tmp=0;
FILE *fPtr = NULL;
if(recv(clientSocket, recBuf, MAX_PACKET_SIZE, 0) == 0)
{
cerr << "Receive ERROR" << endl;
system("pause");
return false;
}
if(strcmp(recBuf, START_HEADER) != 0)
return false;
if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
{
cerr << "Send ERROR" << endl;
system("pause");
return false;
}
if(recv(clientSocket, recBuf, MAX_PACKET_SIZE, 0) == 0)
{
cerr << "Receive ERROR" << endl;
system("pause");
return false;
}
if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
{
cerr << "Send ERROR" << endl;
system("pause");
return false;
}
strcpy_s(filePath, sizeof(recBuf), recBuf);
cout << "Przyslano plik o nazwie: \"" << filePath << "\"";
memset(recBuf, 0, sizeof(recBuf));
if(recv(clientSocket, recBuf, MAX_PACKET_SIZE, 0) == 0)
{
cerr << "Receive ERROR" << endl;
system("pause");
return false;
}
if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
{
cerr << "Send ERROR" << endl;
system("pause");
return false;
}
size = atoi(recBuf);
cout << " i rozmiarze: "<< size << "B,\nCo chcesz zrobic?" << endl;
cout << "1 - odbierz i zmien nazwe\n2- odbierz i zapisz do katalogu programu\n3 - odrzuc" << endl;
key = _getch();
if(key == '1' || key == '2')
{
if(key == '1')
{
cout << "Podaj sciezke dla nowego pliku w formie: Dysk:\\sciezka\\plik.rozszerzenie" << endl;
cout << "(wpisz sama nazwe, a plik zostanie umieszczony w katalogu programu)" << endl;
cin >> filePath;
}
if(fopen_s(&fPtr, filePath, "wb") != 0)
return false;
cout << "Odbieranie w toku...\nProsze czekac" << endl;
while(size > 0)
{
memset(recBuf, 0, MAX_PACKET_BUFOR);
tmp = 0;
if(size <= 200000)
cout << "break" << endl;
if(size>=MAX_PACKET_SIZE)
{
do
{
var = recv(clientSocket, recBuf, MAX_PACKET_SIZE, 0);
if(var == 0)
{
cerr << "Receive ERROR" << endl;
system("pause");
size = 0;
}
else
{
tmp += var;
fwrite(recBuf, var, 1, fPtr);
}
}while(tmp < MAX_PACKET_SIZE && size != 0);
if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
{
cerr << "Send ERROR" << endl;
system("pause");
return false;
}
}
else
{
while(tmp != size && size != 0)
{
var = recv(clientSocket, recBuf, size, 0);
if(var == 0)
{
cerr << "Receive ERROR" << endl;
system("pause");
size = 0;
}
else
{
tmp += var;
fwrite(recBuf, var, 1, fPtr);
}
}
if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
{
cerr << "Send ERROR" << endl;
system("pause");
return false;
}
}
size -= tmp;
size = (size < 0) ? 0 : size;
}
memset(filePath, 0, sizeof(filePath));
memset(recBuf, 0, MAX_PACKET_BUFOR);
fclose(fPtr);
}
return true;
}
stdafx.h
#pragma once
#include "targetver.h"
#include <stdio.h>
#include <tchar.h>
#include <winsock2.h>
#include <iostream>
#include <cstdlib>
#include <conio.h>
using namespace std;
#define START_HEADER "FileSend"
#define MAX_PACKET_SIZE 100000
#define MAX_PACKET_BUFOR 100010
#define ACK "ACK"
The bug is in the following line
strcpy_s(filePath, sizeof(recBuf), recBuf);
Here you are stating the size of filePath
is sizeof(recBuf)
which is not the case. The size of filePath
is 100 while sizeof(recBuf)
is 1000010. The result is a buffer overflow on filePath
and the error message you are seeing.
Additionally the code appears to assume that the recv
call will properly add a null terminator to the recBuf
buffer. This is not the case and if a 0 is not added into the buffer the strcpy_s
function will also potentially fail.
精彩评论