Why is stack smashing occuring in this C code? - c

I apologize in advance for my lack of knowledge regarding stack smashing in C.
I'm on ubuntu 12.04 editing with Code::Blocks.
I have written a simple C program that causes stack smashing, but internet searches have turned up little useful advice as to why this is happening.
Example C code:
#include<stdio.h>
struct point3
{float x, y, z;};
struct quadPolygon
{struct point3 vert1, vert2, vert3, vert4;};
int writeLine(const char * objString)
{FILE *file; file = fopen("aPlane.obj","a+"); fprintf(file,"%s",objString); fclose(file); return 0;};
int writeOBJ(struct quadPolygon myPoly)
{
char objString[] = "# plane def\n"; writeLine(objString);
snprintf(objString, 128, "v %f %f %f \n", myPoly.vert1.x, myPoly.vert1.y, myPoly.vert1.z); writeLine(objString);
snprintf(objString, 128, "v %f %f %f \n", myPoly.vert2.x, myPoly.vert2.y, myPoly.vert2.z); writeLine(objString);
snprintf(objString, 128, "v %f %f %f \n", myPoly.vert3.x, myPoly.vert3.y, myPoly.vert3.z); writeLine(objString);
snprintf(objString, 128, "v %f %f %f \n", myPoly.vert4.x, myPoly.vert4.y, myPoly.vert4.z); writeLine(objString);
char objStringSmooth[] = "s off\n"; writeLine(objStringSmooth);
char objStringFace[] = "f 1 2 3 4\n"; writeLine(objStringFace);
return 0;
};
int main()
{
struct quadPolygon myPoly1 =
{
.vert1.x=1.0, .vert1.y=-1.0, .vert1.z=0.0,
.vert2.x=1.0, .vert2.y=1.0, .vert2.z=0.0,
.vert3.x=-1.0, .vert3.y=1.0, .vert3.z=0.0,
.vert4.x=-1.0, .vert4.y=-1.0, .vert4.z=0.0
};
writeOBJ(myPoly1);
return 0;
};
Why is the stack smashing and how could I change my code to avoid this? Is this related to using pointers incorrectly in the code above? I'm a little new to C as you can probably tell, but have some programming experience with other languages.
I have read that "Stack Smashing is actually a protection mechanism used by gcc to detect buffer overflow attacks" and "It means that you wrote to some variables on the stack in an illegal way, most likely as the result of a Buffer overflow".
Thank you for any responses/answers.
Update -
Based on Evan's comment, here is revised code that works. Perhaps this may help someone else.
#include<stdio.h>
struct point3
{float x, y, z;};
struct quadPolygon
{struct point3 vert1, vert2, vert3, vert4;};
int writeOBJ(struct quadPolygon myPoly)
{
FILE *file; file = fopen("aPlane.obj","a+");
fprintf(file,"%s","# plane def\n");
char objString[128];
snprintf(objString, sizeof(objString), "v %f %f %f \n", myPoly.vert1.x, myPoly.vert1.y, myPoly.vert1.z);
fprintf(file,"%s",objString);
snprintf(objString, sizeof(objString), "v %f %f %f \n", myPoly.vert2.x, myPoly.vert2.y, myPoly.vert2.z);
fprintf(file,"%s",objString);
snprintf(objString, sizeof(objString), "v %f %f %f \n", myPoly.vert3.x, myPoly.vert3.y, myPoly.vert3.z);
fprintf(file,"%s",objString);
snprintf(objString, sizeof(objString), "v %f %f %f \n", myPoly.vert4.x, myPoly.vert4.y, myPoly.vert4.z);
fprintf(file,"%s",objString);
char objStringSmooth[] = "s off\n";
fprintf(file,"%s",objStringSmooth);
char objStringFace[] = "f 1 2 3 4\n";
fprintf(file,"%s",objStringFace);
fclose(file);
return 0;
};
int main()
{
struct quadPolygon myPoly1 =
{
.vert1.x=1.0, .vert1.y=-1.0, .vert1.z=0.0,
.vert2.x=1.0, .vert2.y=1.0, .vert2.z=0.0,
.vert3.x=-1.0, .vert3.y=1.0, .vert3.z=0.0,
.vert4.x=-1.0, .vert4.y=-1.0, .vert4.z=0.0
};
writeOBJ(myPoly1);
return 0;
};
Thanks again everyone.

This is where your problem is:
char objString[] = "# plane def\n"; writeLine(objString);
snprintf(objString, 128, "v %f %f %f \n", myPoly.vert1.x, myPoly.vert1.y, myPoly.vert1.z); writeLine(objString);
snprintf(objString, 128, "v %f %f %f \n", myPoly.vert2.x, myPoly.vert2.y, myPoly.vert2.z); writeLine(objString);
snprintf(objString, 128, "v %f %f %f \n", myPoly.vert3.x, myPoly.vert3.y, myPoly.vert3.z); writeLine(objString);
snprintf(objString, 128, "v %f %f %f \n", myPoly.vert4.x, myPoly.vert4.y, myPoly.vert4.z); writeLine(objString);
objString is an array with strlen("# plane def\n") + 1 characters of space. Then you use snprintf on that buffer passing 128 (which is WAY too large).
I would re-write it this way:
writeLine("# plane def\n");
char objString[128]
snprintf(objString, sizeof(objString), "v %f %f %f \n", myPoly.vert1.x, myPoly.vert1.y, myPoly.vert1.z); writeLine(objString);
snprintf(objString, sizeof(objString), "v %f %f %f \n", myPoly.vert2.x, myPoly.vert2.y, myPoly.vert2.z); writeLine(objString);
snprintf(objString, sizeof(objString), "v %f %f %f \n", myPoly.vert3.x, myPoly.vert3.y, myPoly.vert3.z); writeLine(objString);
snprintf(objString, sizeof(objString), "v %f %f %f \n", myPoly.vert4.x, myPoly.vert4.y, myPoly.vert4.z); writeLine(objString);
SIDE POINT:
Why are you opening and closing the file for every line written? That is incredibly inefficient...
Would be better to open the file once at program start, write all your lines, then close it when finished. This will also make the code simpler.

you can confirm that you are getting a valid FILE* by fopen..
by explicit check of NULL pointer.

The problem is with the following line:
char objString[] = "# plane def\n";
This only allocates just enough space for the string "# plane def\n", and later on, you write longer strings into it (using snprintf).
Since you're already using the constant value 128, how about:
char objString[128];
strcpy(objString, "# plane def\n");
writeLine(objString);
/* continue as before */
Note that strcpy can smash the stack too, so make sure the destination has enough space for whatever you're copying in.

As it is already answered by Evan Teran. But I would like to suggest few ways to detect such problems :
Try compiling using gcc -fno-stack-protector stack.c and check whether it still gives you stack smash detected.
use -g flag for gnu-debugger. As gcc -g stack.c and then gdb a.out -> run. It will stop execution where it got problem. Then you can type where in gdb to see which line of code is root of the problem.

Related

Append Array from different .txt file

I have 63 .txt file with 26 headers lines and then 19 columns of float data.
I would like to read all the files and store (in row) the first 6 columns of the .txt files (x,y,z,u,v,w). Then for each .txt file I would like to append these data in a new row.
This is the code that I did but after the first j (j=1) then the script crash because the sizes of the arrays are not the same, indeed for some reasons during the first iteration it is skipping not 26 but 52 lines (so also the first 26 of numbers that I want), while in the second is (in a correct way skiiping only 26 headers line).
inpDir = "\\ftac\Folder\CD";
files = dir(fullfile(inpDir, '*.txt'));
n_file = size(files,1);
for j=1:n_file
fid = fopen(files(j).name, 'r');
data = textscan(fid, '%f %f %f %f %f %f %f %f %f %f %f %f %f %f %f %f %f %f %f', 'HeaderLines', 26, 'Delimiter',' ');
fclose(fid);
x(j, :) = data{1}'; % x coordinate
y(j, :) = data{2}'; % y coordinate
z(j, :) = data{3}'; % y coordinate
u(j, :) = data{4}';% u velocity
v(j, :) = data{5}'; % v velocity
w(j, :) = data{6}'; % w velocity
end
How can I solve this issue? Thanks in advance

Q: About reading data files using fscanf()

Am using Turbo C in a DOS emulator (Dosbox). In the following lines, I am trying to read integer and float data but only get the first (int) field. Have found much Q & A on the subject of reading files using fscanf() and, specifically, with space-delimited data but relevant info was scant or missing (mostly from the questions). Here is code demonstrating the problem:
#include <stdio.h>
int index;
float rtime, volts;
char infilename[10];
int *pti;
float *ptx;
float *pty;
FILE *infp;
void main(void)
{
infp = fopen("data1", "r");
pti = &index;
ptx = &rtime;
pty = &volts;
fscanf(infp, "%d %6.3f %6.3f", &index, &rtime, &volts);
printf("%3d %6.3f %6.3f\n", index, rtime, volts);
}
Here is the first line from the data file:
37 261.100 0.996
printf gives the following output:
37 0.000 0.000
Any obvious goofs? thx
The format %6.3f is incorrect for scanf(). You probably want %f, or possibly %7f. You cannot specify the number of decimals in a scanf() format.

The output of ceil() and floor() in C language is odd

I am doing my homework to realize a C programe and during my work there is one step that I need to get the interger part of the double type numbers. So I choose ceil() or floor() in to realize this. But the output is unpredictable and far from expected.
The whole program is the following :
/*
************************************************************************
Includes
************************************************************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <gsl/gsl_rng.h>
#include <time.h>
#include <math.h>
/* Solvent Particle Propersities*/
typedef struct
{
double vx,vy,rx,ry ; /* velocity AND position */
double cell; /* index of grid */
}solvent_p;
/* Cell Propersities*/
typedef struct
{
double vcm_x,vcm_y ; /* center of mass velocity */
int number; /* number of solvent in the cell */
double roation_angle; /* roation_angle of the cell */
}cell_p;
/* periodic boundary condition judging and adjusting fuction PBC */
void PBC(solvent_p *sol)
{
double L = 20.0; // box size 20
if(sol->rx >20) sol->rx=sol->rx-L;
if(sol->rx < 0) sol->rx=sol->rx+L;
if(sol->ry >20) sol->ry=sol->ry-L;
if(sol->ry < 0) sol->ry=sol->ry+L;
}
int main(int argc, char **argv)
{
// Randome setup generates random numbers from GSL functions
const gsl_rng_type * T;
gsl_rng * r;
T = gsl_rng_default;
gsl_rng_default_seed = ((unsigned long)(time(NULL))); //设seed值为当前时间
r = gsl_rng_alloc (T);
solvent_p solvent[4000];
int i,j,k,index=0;
cell_p grid[400];
double alpha=90.0; //roation angle
/* Iniinitializing solvent
* All vx=0
* half vy = sqrt(3) and half vy=-sqrt(3) to make momentum zero and another requirement is the overall energy is 6000 equals energy of temperature=1 with 4000 solvent 3NkT/2 ,assuming mass of solvent = 1 ,which is all a test quantity
* rx and ry are random number generated by GSL library
* cell=20*(ry+rx) is an index of which cell the solvent is in
*/
for(i=0;i<=3999;i++)
{
solvent[i].vx=0.0;
if(i<=1999)
solvent[i].vy=sqrt(3);
else
solvent[i].vy=-sqrt(3);
solvent[i].rx =20.0 * gsl_rng_uniform_pos(r);
solvent[i].ry =20.0 * gsl_rng_uniform_pos(r);
//printf("%f \t %f \n",solvent[i].rx,solvent[i].ry);
solvent[i].cell=20*(floor(solvent[i].ry))+floor(solvent[i].rx)+1;
}
// grid setting up
for (i=0;i<=399;i++)
{
grid[i].vcm_x=0;
grid[i].vcm_y=0;
grid[i].number=0;
grid[i].roation_angle=0.0;
}
/* Begining Simulation Work
*
* Fist process is preparing the system to equilibrium for 10000 processes
*
* the whole process involving two steps steaming and collision and the two steps are conducted one by one in our simulation
* time duration for steaming is 0.1 which is assigned for Molecular Dynamics and time duration for collision is ignored
*
*
*/
for(i=0;i<=9999;i++)
{
double temp;
double delta_t_MD=0.1; //time step
temp=gsl_rng_uniform_pos(r);
double rand_rx = (temp < 0.5) ? temp : ((-1) * temp ); // randomshift rx;
temp=gsl_rng_uniform_pos(r);
double rand_ry = (temp < 0.5) ? temp : ((-1) * temp ); // randomshift ry
//steaming
for(j=0;j<=3999;j++)
{
//printf("%d \n",j);
printf("1 :%d \t %f \t %f \n",j,solvent[j].rx,solvent[j].ry);
solvent[j].rx=solvent[j].rx+solvent[j].vx * delta_t_MD;
solvent[j].ry=solvent[j].ry+solvent[j].vy * delta_t_MD;
printf("2: %d \t %f \t %f \n",j,solvent[j].rx,solvent[j].ry);
//randomshift
solvent[j].rx=solvent[j].rx+rand_rx;
solvent[j].ry=solvent[j].ry+rand_ry;
printf("3: %d \t %f \t %f \n",j,solvent[j].rx,solvent[j].ry);
// periodic boundary condition
PBC(&solvent[j]);
printf("4: %d \t %f \t %f \n",j,solvent[j].rx,solvent[j].ry);
solvent[j].cell=20*(ceil(solvent[j].ry)-1)+ceil(solvent[j].rx);
printf("5: %d \t %f \t %f \t %f \t %f \n",j,solvent[j].rx,solvent[j].ry,ceil(solvent[j].rx),ceil(solvent[j].ry));
index = (int)(solvent[j].cell);
//printf("%d \t %d \t %f \t %f \t %f \n",j,index,solvent[j].cell,ceil(solvent[j].rx),ceil(solvent[j].ry));
if ((index>=0) &&(index<=400))
{
grid[index].vcm_x=grid[index].vcm_x+solvent[i].vx;
grid[index].vcm_y=grid[index].vcm_y+solvent[i].vy;
grid[index].number=grid[index].number+1;
}
}
// caculating vcm
for (k=0;k<=399;k++)
{
if (grid[k].number >= 1)
{
grid[k].vcm_x=grid[k].vcm_x/grid[k].number;
grid[k].vcm_y=grid[k].vcm_y/grid[k].number;
}
double temp;
temp=gsl_rng_uniform_pos(r);
grid[k].roation_angle = (temp < 0.5) ? alpha : ((-1) * alpha );
}
//collsion
}
gsl_rng_free (r); // free RNG
return 0;
}
Sorry it is some extent long so I did not put in first.And something did not finished but the program framework is set up.
my programe is like this:
printf("4: %d \t %f \t %f \n",j,solvent[j].rx,solvent[i].ry);
solvent[j].cell=20*(floor(solvent[j].ry))+floor(solvent[j].rx)+1;
printf("5: %d \t %f \t %f \t %f \t %f \n",j,solvent[j].rx,solvent[i].ry,floor(solvent[j].rx),floor(solvent[j].ry));
And although something as I wanted something more is wrong and below is I choose some parts of the output:
4: 3993 3.851240 17.047031
5: 3993 3.851240 17.047031 3.000000 9.000000
although floor(solvent[j].rx) is right but floor(solvent[j].ry) is totally wrong.
And the final result of my program is
Segmentation fault (core dumped)
------------------
(program exited with code: 139)
How to fix this one? Is there anything I use was wrong?
And to further test the problem I tried ceil() function in and the program and result is like this
program:
printf("4: %d \t %f \t %f \n",j,solvent[j].rx,solvent[i].ry);
solvent[j].cell=20*(ceil(solvent[j].ry)-1)+ceil(solvent[j].rx);
printf("5: %d \t %f \t %f \t %f \t %f \n",j,solvent[j].rx,solvent[i].ry,ceil(solvent[j].rx),ceil(solvent[j].ry));
result:
2: 3999 14.571205 2.837654
4: 3999 14.571205 2.837654
5: 3999 14.571205 2.837654 15.000000 15.000000
So use the nearest output as an example to illustrate my desire result is:
a= 14.571205, ceil(a)=15.00
b= 2.837654 , ceil(b)=3.00 not the 15.000 in the output
And the problem worsening is that when I just use a and b to test ceil() everything seems perfect:
program:
#include <stdio.h>
#include <math.h>
int main()
{
double a= 14.571205;
double b= 2.837654 ;
printf("%f \t %f \n",ceil(a),ceil(b));
return 0;
}
output:
15.000000 3.000000
I am using GCC in Linux Ubuntu.
==============================================================================
The problem has been solved.
The real fatal problem is here
if ((index>=0) &&(index<=400))
{
grid[index].vcm_x=grid[index].vcm_x+solvent[i].vx;
grid[index].vcm_y=grid[index].vcm_y+solvent[i].vy;
grid[index].number=grid[index].number+1;
}
}
Both solvent[i].vy and solvent[i].vx should be changed i for j.
Just as #Jon and #Blckknght #Eric Lippert have pointed out.
And I obvious get in the wrong trap and mislead #ouah and #Blckknght and In fact, the output sentences do have problem but they do not caused the prorame to crash only the out of boundary will do that.
Thank you ALL!
And I do like to share Eric Lippert 's comment which is powerful and insightful:
More generally, the problem you have is called "select isn't broken" by experienced programmers. That is, you have done something completely wrong, you cannot figure out what you did wrong, and so you conclude that a piece of basic, easy infrastructure written by experts and tested extensively is wrong. I assure you, floor and ceil do exactly what they are supposed to do. They are not wrong. The problem lies somewhere in your code, not in the standard library. – Eric Lippert
Your array is declared as:
solvent_p solvent[4000];
but you have this loop:
for(i=0;i<=9999;i++)
with this function call inside:
printf("1 :%d \t %f \t %f \n",j,solvent[j].rx,solvent[i].ry);
which means you are accessing out-of-bounds array elements.
EDIT:
OP test case has been edited to fix the out-of-bound accesses.
My second suggestion is to check index value (which is used to index grid array) never exceeds the number of elements of grid array after this assignment: index = (int)(solvent[j].cell).
I'm pretty sure the issue is with the indexes you're using. In the statement in question:
printf("5: %d \t %f \t %f \t %f \t %f \n",j,solvent[j].rx,solvent[i].ry,floor(solvent[j].rx),floor(solvent[j].ry));
you are printing the ry value of solvent[i] but the floor of the ry value of solvent[j]. I suspect that you want to be using the same index in both places (though I'm not sure which index you want).

c - fscanf segmentation fault

Really strange problem with fscanf. It seems as if it can't find the file. Heres the code:
char obs_file[255];
FILE *obs_fp;
strcpy(obs_file, "/aber/dap/cetaceans/data/observers_1.txt");
obs_fp = fopen(obs_file, "r");
date_time t;
fscanf(obs_fp, "%d %d %d %d %d %d\n", &t.day, &t.mth, &t.yr, &t.hrs, &t.mns, &t.scs); //This line runs fine
obs_head.obs->time = t;
printf("%d %d %d %d %d %d\n", t.day, t.mth, t.yr, t.hrs, t.mns, t.scs);
while(feof(obs_fp) == 0) {
char id[5];
char a[7];
char b[7];
location loc;
double lng = 0.0, lat = 0.0;
fscanf(obs_fp, "%s %lf %lf", id, &lat, &lng); //Seg fault here on first run of loop
loc.lat = lat;
loc.lng = lng;
add_obs_node(make_obs_node(id, loc, t));
}
File to be read:
05 11 2014 14 53 00
AB01 52.408 -4.217
It seems like the file pointer has changed somewhere around the while statement, I would understand if I was reading over the end of file, but it fails while there are definitely lines left. Also, I know Im opening the file right, as the first fscanf runs fine.
Any ideas?
Wrong use of feof() and unlimited fscanf("%s"...
feof() reports if EOF occurred due to previous IO, not if it is about to occur.
Use instead
char id[5];
double lng = 0.0, lat = 0.0;
while(fscanf(obs_fp, "%4s%lf%lf", id, &lat, &lng) == 3) {
loc.lat = lat;
loc.lng = lng;
add_obs_node(make_obs_node(id, loc, t));
}
I suspect original code failed on the 2nd iteration. Assume the last data in the file was "AB01 52.408 -4.217\n". fscanf(obs_fp, "%s %lf %lf" would scan up to the "\n" and put "\n" back into stdin as it is not part of a double. EOF flag is not set. The use of feof() signals no EOF. So fscanf(obs_fp, "%s %lf %lf" happens again, but no data is save in id, as "%s" consume leading white-space but has not non-white-space to save. Code does not check the fscanf() return value (bad), but assumes good data in id, which may be junk. Then add_obs_node() is called with an invalid string id.
Other failure mechanisms could have occurred too - need to see more code.
Bottom line: Check fscanf() results. Limit string input.
Minor: Note that the spaces between "%d %d" are not needed, but OK to have. The final "\n" is also OK but not needed. It is not simply consuming the following '\n', but any and all following white-space.
if (6 != fscanf(obs_fp, "%d%d%d%d%d%d",
&t.day, &t.mth, &t.yr, &t.hrs, &t.mns, &t.scs)) {
Handle_BadData();
}

C: Converting strings of doubles in a module (AKA in the kernel)

I'd love to use the outdated "atoi" kind of stuff, but it turns out I don't have it in kernel space.
I have this code in the write method of my module. Writes are being controlled by me in user space, and it so happens that the user will always write something in this format:
"0.9 9.5 7.6 "
Hence - I have this code to parse it:
ssize_t write_info( struct file *filp, const char __user *buff, unsigned long len, void *data )
{
char *seedid;
char *low_in;
char *high_in;
char *dropper;
unsigned long long seedid_var;
double d_1;
double d_2;
printk(KERN_INFO "Whaddup u writin'?\n");
dropper = kstrdup(buff, 0);
seedid = strsep(&dropper, " ");
printk("HERE IS: %s\n\n", seedid);
sscanf(seedid, "%lld", &seedid_var);
printk("AND BACK AGAIN: %lld\n\n\n", seedid_var);
low_in = strsep(&dropper, " ");
printk("HERE IS: %s\n\n", low_in);
sscanf(low_in, "%f", &d_1);
printk("AND BACK AGAIN: %f\n\n", d_1);
high_in = strsep(&dropper, " ");
printk("HERE IS: %s\n\n", high_in);
sscanf(high_in, "%f", &d_2);
printk("AND BACK AGAIN: %f\n\n", d_2);
...
I then trigger my module by echo'ing on the procfile it creates (calling my write method) like this:
echo "0.9 9.8 3.4 " > name_of_my_proc
With dmesg:
[ 2211.808474] Whaddup u writin'?
[ 2211.808505] HERE IS: 0.9
[ 2211.808508]
[ 2211.808514] AND BACK AGAIN: 0
[ 2211.808516]
[ 2211.808517]
[ 2211.808520] HERE IS: 9.8
[ 2211.808522]
[ 2211.808524] AND BACK AGAIN: %f
[ 2211.808526]
[ 2211.808529] HERE IS: 3.4
[ 2211.808531]
[ 2211.808533] AND BACK AGAIN: %f
When printing back to the kernel...nothing performs like I'd like! My 0.9 gets killed off to 0 (is that not a legit long long value, if so that would make sense). Most importantly, my doubles don't get converted - it just prints the character %f. What can I do to make them print as I typed them?
Thanks
You are using wrong scan codes.
Scan code: Data type:
%d int
%ld long
%f float
%lf double
Also note that long long is an integer data type and cannot store fractional numbers.

Resources