Home > Others

Stack crash caused by sprintf. Cost of not using sprintf_s ()

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Problem description:

The engine has been running stably for a long time. It is also stable on all computers.

However, only one notebook does not work. The engine collapsed when running on it.

 

Problem Analysis:
Based on the generated dump file, the analysis result of windbg is:
The stored exception information can be accessed via. ecxr.
(C98.da0): Stack Buffer Overflow-code c0000409 (first/second chance not available)

The frame IP address is damaged. (what is the IP address? Command address? Forgot, the permission should be treated as the base address of the current frame.) It can be seen that the base address of the stack is damaged.

View the call Stack:
... Some system DLL internal functions
Xeyez! Funxeyeloadalldll (),

....

 

The problem should be found in funxeyeloadalldll,
Locate the last line of the function based on the error line prompted by windbg !! It can be seen that when the function returns, the return fails!

View the implementation of this function:

Int funxeyeloadalldll ()
{
Char * stroldenv;
Stroldenv = getenv ("path ");
// Add the plug-in directory to the environment variable so that the system can find the DLL dependencies between plug-ins when loading the DLL.
Char newenv [1024] = {0 };
Sprintf (newenv, "Path = % s;. // external;. // USB", stroldenv );

Tchar Buf [max_path] = {0 };
Tchar * psz;
Getmodulefilename (null, Buf, max_path );
 

......

......
} // Windbg prompts that this row has an error <-------------

After analysis, the problem may occur in the following code. The following Code reads the PATH environment variable of the current system into newenv.
Because sprintf is not a secure version, the stack may be damaged!
Char newenv [1024] = {0 };
Sprintf (newenv, "Path = % s;. // external;. // USB", stroldenv );

Check the PATH variable of the notebook. There are more than 10 rows, and each row has more than 100 letters!

It seems that defensive programming is necessary!
Do not assume the customer's computer!
Fortunately, now we can use the windbg + PDB file for debugging. If not, I don't know when to adjust this bug! Even worse, attackers may be attacked.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More