This paper gives a detailed description of the C language of the Lost pointer, analysis of its concept, principle and detection methods. Share to everyone for your reference. Specifically as follows:
In general, in the field of computer programming, a stray pointer, or a dangling pointer, or a wild pointer, refers to a pointer that does not point to any legitimate object.
If the object being pointed to is released or retracted, but the pointer is not modified so that the pointer still points to the memory address that has been reclaimed, this pointer is called the stray pointer. If the operating system reassigned this portion of the freed memory to another process, and the original program references the current stray pointer, it would have unpredictable consequences. Because the memory that the stray pointer is pointing to now contains completely different data. Typically, if the original program continues to write data to the memory address to which the stray pointer is pointing, the data that is not relevant to the original program will be corrupted, resulting in unexpected program errors. This type of program error makes it difficult to find the cause of the problem, usually resulting in a segment error (on the Linux system) and general protection errors (in the Windows system). The system's stability may be affected if the operating system's memory allocator allocates the data areas that have already been overwritten.
Some programming languages allow an uninitialized pointer to exist, and such pointers are wild pointers. The errors caused by the wild pointers are very similar to the stray pointers, but the problem of wild pointers is more likely to be found.
Causes of stray pointers
In many programming languages, such as C, when an object is deleted from memory, or when a stack frame is deleted, the value of the associated pointer is not changed. The pointer still points to the original memory address, and may now be in use by another process, even if the reference has been deleted.
A direct example, as follows:
{
char *cp = NULL;
/* ... *
/{
char C;
cp = &c;
} /* C falls out of scope *////
* CP is now dangling pointer/*
The solution to the above problem is to assign a value of 0 (NULL) to the CP immediately before the partial program exits. Another option is to ensure that the CP is no longer used until it is initialized.
Stray pointers often appear in the promiscuous use of malloc () and free () library calls: When the pointer points to the memory released, the pointer is lost. As in the previous example, one way to avoid this error is to reset the value of the pointer to null after releasing its reference, as follows:
#include <stdlib.h>
{
char *cp = malloc (a_const);
*
/FREE (CP); /* CP now becomes a dangling pointer
/CP = NULL; /* CP is now not dangling//////////////
A common mistake is when you return the address of a local variable based on the stack, and once the function is returned, the space assigned to those variables is reclaimed, and they have a "junk value".
int * func (void)
{
int num = 1234;
/* ... */return
#
}
After invoking Func, an attempt to read the value of num from the pointer may still be able to return the correct value (1234), but any subsequent function calls will overwrite the original stack with num allocated space. At this point, it is not correct to read the value of num from this pointer. If you want to make a pointer to num return the correct num value, you need to declare the variable as static.
The generation of wild pointers
The wild pointer refers to a pointer that has not yet been initialized. Strictly speaking, each pointer in the programming language is a wild pointer before initialization.
A problem is caused by the use of pointers, which are generally not initialized. Most compilers can detect this problem and warn the user.
int f (int i)
{
char* cp; CP is the wild pointer
static char* SCP;//SCP is not a wild pointer, static variables are automatically initialized to 0 and retain their values
//Use this feature may be considered bad programming style
}
Security vulnerabilities caused by stray pointers
As with cache overflow errors, errors such as stray pointers/wild pointers often lead to security vulnerabilities. For example, if a pointer is used to invoke a virtual function, because the vtable pointer is overwritten, a different address (pointing to the Exploited code) may be accessed. Alternatively, if the pointer is used to write to memory, other data structures may be corrupted. Once the pointer becomes a stray pointer, even if the memory is read-only, it can still cause the information to leak (if the data of interest is in the next data structure, just allocated in this memory) or access rights are increased (if the currently unavailable memory is precisely used for security detection).
Avoid errors with stray pointers
There is a popular way to avoid stray pointers-that is, using smart pointers (pointer). The smart pointer uses reference counting to reclaim objects . Some other techniques include the Tombstone method and the Locks-and-keys method.
In addition, you can use the diehard memory allocator, which eliminates stray pointer errors that resemble other memory errors (illegal or two free memory).
Another approach is to Boehm garbage collectors, a conservative method of garbage collection that replaces the standard memory allocation functions in C and C + +. This method eliminates the error of the stray pointer completely, and replaces the garbage collector to complete the object's collection by removing the memory-freed function.
Like the Java language, errors such as stray pointers do not occur because there is no mechanism for explicitly reallocating memory in Java. And the garbage collector will only reallocate memory when the object's reference count is zero.
Detection of stray pointers
In order to find the lost pointer, a universal programming technique- Once the pointer points to the memory space is released, immediately put the pointer to a null pointer or an illegal address . When the empty pointer is re referenced, the program will stop immediately, which will prevent data corruption or unforeseen consequences. This will make it easier to discover and solve the errors that are generated by the next programming process. This technique does not work as it should when multiple copies of the pointer are duplicated.
Some debuggers automatically overwrite data that has been freed in a specific pattern, such as the 0xDEADBEEF (Microsoft Visual C + + debugger, for example, according to which type is released using 0xcc,0xcd or 0xDD). This method prevents data that has been freed from being reused by using data that is not available. The effect of this approach is very significant (this pattern helps the program to distinguish which memory is just released).
Some tools, such as Valgrind, Mudflap, or LLVM, can be used to detect the use of stray pointers.
In general, the lost pointer on the security of C program is huge, is a C programmer must be careful to deal with a problem. I believe that this article in the C program design has a certain reference value.