application stack trace interpretation using mdb - c

Can someone please help me with interpreatation of this stack trace:
Loading modules: [ libumem.so.1 libc.so.1 libuutil.so.1 ld.so.1 ]
> $c
libc.so.1`strlen+0xc(80b37ba, fe679d2c, fe679d00, 0)
libc.so.1`snprintf+0x74(fe67d970, 1388, 80b37b8, efef9f68, 80b379d, fe679e30)
> 80b37ba::whatis
80b37ba is unknown
> fe679d2c::whatis
fe679d2c is unknown
> fe679d00::whatis
fe679d00 is unknown
strlen function gets one argument, but in this stack trace I see 3 addresses ? What is the meaning of them ?
regards

The debugger doesn't manage to interpret most of it.
The debugger may not know how many parameters a function gets. So it prints more. But you can ignore the extra parameters.
The parts that do make sense show that snprintf was called, and then call strlen. This is probably due to %s in the format string. The strlen parameter is similar (not identical, I don't know why), to snprintf's 3rd parameter.
So probably some code does something like snprintf("%d %s\n", number, string).
You can find the actual format string at fe67d970, and it will probably let you identify who called it (unless you use the same format string everywhere).

Related

How to Fix Format String bug

A practical example of the bug "in action" is the following:
Attacker sends: /hello-%08x.%08x.%08x.%08x
Server logs:
[17:17:28] Consoled: 'hello-082aeefc.00000131.0061b64c.00000011' run
from 192.168.0.3:32768
Update:
The bug is caused by the logging function NetManager_LogMessage which
takes the text to dump, adds a timestamp (using snprintf) and then
passes the whole string to the function File_printf without the needed
format argument (%s) and how to fix it?
What i have done wrong and why its happening?
I debug in IDA and when i test to Crash the Server. It returns the Memory Invalid access error.

Suppress messages from underlying C-function in R

In a script I often call the function Rcplex(), which prints "CPLEX environment opened" and "Closed CPLEX environment" to the console. Since the function is called rather frequently, it prints this very often, which is quite annoying. Is there a way to suppress this? I tried sink(), suppressWarnings/Messages or invisible(catch.output()) but none of these did the trick. I proceeded to check the code of Rcplex() and found where the printing to the console happens. Rcplex() calls an underlying C-function (Rcplex.c). In the code of rcplex.c I located the commands which cause the printing:
REprintf("CPLEX environment opened\n");
REprintf("Closed CPLEX environment\n");
Is there a way to capture the output from REprintf() so that it does not get printed to the R-console? One way would obviously be to mess around with the Rcplex.c file and delete the corresponding lines. However, this would not be a very clean solution, which is why I'm asking for another way to capture the output from C-functions.
You had problems using sink() and capture.output() normally because sink() does not redirect output from REprintf, as we see in comments from the source code for REprintf:
/* =========
* Printing:
* =========
*
* All printing in R is done via the functions Rprintf and REprintf
* or their (v) versions Rvprintf and REvprintf.
* These routines work exactly like (v)printf(3). Rprintf writes to
* ``standard output''. It is redirected by the sink() function,
* and is suitable for ordinary output. REprintf writes to
* ``standard error'' and is useful for error messages and warnings.
* It is not redirected by sink().
However, we can use type = "message" to deal with this; from help("capture.output"):
Messages sent to stderr() (including those from message, warning and
stop) are captured by type = "message". Note that this can be "unsafe" and should only be used with care.
First I make a C++ function with the same behavior you're dealing with:
#include <Rcpp.h>
using namespace Rcpp;
// [[Rcpp::export]]
NumericVector example_function(NumericVector x) {
REprintf("CPLEX environment opened\n");
REprintf("Closed CPLEX environment\n");
// As mentioned by Dirk Eddelbuettel in the comments,
// Rcpp::Rcerr goes into the same REprintf() stream:
Rcerr << "Some more stuff\n";
return x;
}
If I call it from R normally, I get:
example_function(42)
CPLEX environment opened
Closed CPLEX environment
Some more stuff
[1] 42
However, I could instead do this:
invisible(capture.output(example_function(42), type = "message"))
[1] 42
And while the output is is printed to the console, the message is not.
Warning
I would be remiss if I didn't mention the warning from the help file I quoted above:
Note that this can be "unsafe" and should only be used with care.
The reason is that this will eliminate all output from actual errors as well. Consider the following:
> log("A")
Error in log("A") : non-numeric argument to mathematical function
> invisible(capture.output(log("A"), type = "message"))
>
You may or may not want to therefore send the captured output to a text file in case you have to diagnose something that went wrong. For example:
invisible(capture.output(log("A"), type = "message", file = "example.txt"))
Then I don't have to see the message in the console, but if I need to check example.txt afterward, the message is there:
Error in log("A") : non-numeric argument to mathematical function

memcpy segment fault, what's wrong with this code?

my software is a Web Crawler,when I get the body from the http response, it cracks.
resp->body = Malloc(content_len);
memcpy(resp->body, body_start, content_len); //THIS IS THE FAULTY LINE
Malloc is a wrapper function of malloc,so resp->body is not NULL, and content_len is the length of memory area begin with body_start,but its content is "PK\003\004\024", "\003" is ETX(end of text), "\004" is EOT(end of transmission),"\024" is device control 4,I really don't know what 's the meaning of these strange chracters,why does it crack?
The body is ZIP encoded, from the ZIP wikipedia page;
Magic number
none, though PK\003\004, PK\005\006 (empty archive), or PK\007\008 (spanned archive) are common.
You'll need to check the header and unzip the body before reading it.
As for the segmentation fault, any of the 3 parameters to memcpy could be the culprit, code showing their initialisation is required to spot the exact problem. If you're using any of the string functions (strlen/strcpy) on the body in a non shown part of the code, they're likely to break with binary input like this.

Why is wszName incorrect?

WCHAR wszName;
In the debugger displays multiple "squares" and each addressed 0xcdcd
printf("Description: %ws\n", pIfRow->wszName); //prints nothing
Is there a reason it can not get the name from XP?
(All other info in MIB_IFTABLE is correct)
Thanks
0xcdcdcdcd indicates that wszName was never initialized. It is the default value of heap-allocated memory in the Debug build. Review the code that copies a string into wszName, it is not working. Presumably the call to GetIfTable() failed or you're iterating the table wrong.

How do you use Ruby/DL? Is this right?

I am trying to write an interface between RSPEC (ruby flavoured BDD) and a Windows application. The application itself is written in an obscure language, but it has a C API to provide access. I've gone with Ruby/DL but am having difficulties getting even the most basic call to a DLL method to work. Here is what I have so far, in a file called gt4r.rb:
require 'dl/import'
module Gt4r
extend DL::Importable
dlload 'c:\\gtdev\\r321\\bin\\gtvapi'
# GTD initialization/termination functions
extern 'int GTD_init(char *[], char *, char *)'
extern 'int GTD_initialize(char *, char *, char *)'
extern 'int GTD_done(void)'
extern 'int GTD_get_error_message(int, char **)'
end
My reading so far suggests that this is all I need to get going, so I wrote up a RSPEC example:
require 'gt4r'
##test_environment = "INCLUDE=C:\\graphtalk\\env\\aiadev\\config\\aiadev.ini"
##normal_user = "BMCHARGUE"
describe Gt4r do
it 'initializes' do
rv = Gt4r.gTD_initialize ##normal_user, ##normal_user, ##test_environment
rv.should == 0
end
end
And when run...
C:\code\GraphTalk>spec -fs -rgt4r gt4r_spec.rb
Gt4r
- initializes (FAILED - 1)
1)
'Gt4r initializes' FAILED
expected: 0,
got: 13 (using ==)
./gt4r_spec.rb:9:
Finished in 0.031 seconds
1 example, 1 failure
The return value (13) is an actual return code, meaning an error, but when I try to add the gTD_get_error_message call to my RSPEC, I can't get the parameters to work.
Am I heading in the right direction and can anyone point to the next thing I can try?
Thanks,
Brett
A follow up to this question, showing the part that fails when I try to get the error message from my target library:
require 'gt4r'
##test_environment = "INCLUDE=C:\\graphtalk\\env\\aiadev\\config\\aiadev.ini"
##normal_user = "BMCHARGUE"
describe Gt4r do
it 'initializes' do
rv = Gt4r.gTD_initialize ##normal_user, ##normal_user, ##test_environment
Gt4r.gTD_get_error_message rv, #msg
#msg.should == ""
rv.should == 0
end
end
I expect the error message to be returned in #msg, but when run I get the following:
Gt4r
(eval):5: [BUG] Segmentation fault
ruby 1.8.6 (2008-08-11) [i386-mswin32]
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
And this if I use a symbol (:msg) instead:
C:\code\GraphTalk\gt4r_dl>spec -fs -rgt4r gt4r_spec.rb
Gt4r
- initializes (ERROR - 1)
1)
NoMethodError in 'Gt4r initializes'
undefined method `to_ptr' for :msg:Symbol
(eval):5:in `call'
(eval):5:in `gTD_get_error_message'
./gt4r_spec.rb:9:
Finished in 0.046 seconds
1 example, 1 failure
Clearly I am missing something about passing parameters between ruby and C, but what?
The general consensus is you want to avoid DL as much as possible. The (english) documentation is quite sketchy and the interface is difficult to use for anything but trivial examples.
Ruby native C interface is MUCH easier to program against. Or you could use FFI, which fills a similiar niche to DL, originally comes from the rubinius project and has recently been ported to "normal" ruby. It has a nicer interface and is much less painful to use:
http://blog.headius.com/2008/10/ffi-for-ruby-now-available.html
The return value (13) is an actual
return code, meaning an error, but
when I try to add the
gTD_get_error_message call to my
RSPEC, I can't get the parameters to
work.
It might help posting the error instead of the code that worked :)
Basically, once you start having to deal with pointers as in (int, char **), things get ugly.
You need to allocate the data pointer for msg to be written to, since otherise C will have nowhere to write the error messages. Use DL.mallo.

Resources