I am facing an error whenever I call a recvfrom() function for UDP in server side:
buffer overflow detected ***: terminated Aborted
What is the meaning of this error? I am not able to understand.
unsigned int len;
int rv,i;
int tmp;
//char msg[200],command=0;
unsigned short *Fptr;
float Float_Temp;
//make socket blocking
FD_ZERO(&readnbs);
FD_SET(g_iUDP_datalogger_soc, &readnbs);
g_UDP_Blocktimervalue.tv_sec = 0;
g_UDP_Blocktimervalue.tv_usec = UDP_REC_BLOCKTIME;
rv = select(g_iUDP_datalogger_soc + 1, &readnbs, NULL, NULL, &g_UDP_Blocktimervalue);
len = sizeof(g_UDP_ClientAddr);
if (rv == 1) {
printf(" \n\n\n\n\n rv=%d\n\n\n\n",rv);
tmp = recvfrom(g_iUDP_datalogger_soc, &tmp, SIZE_UDP_MSG, 0,(struct sockaddr *) &g_UDP_ClientAddr, &len);
tmp = recvfrom(g_iUDP_datalogger_soc, [YOUR BUFFER ?] , SIZE_UDP_MSG, 0,(struct sockaddr *)...
You're trying to buffer the received data into a single int (tmp) object, which you are also using as the return value from the recvfrom(), and even not checking in any way - either for error, nor for received data.
You are asking recvfrom() to read SIZE_UDP_MSG number of bytes into tmp, which is an int. You did not show what SIZE_UDP_MSG is defined as, but if SIZE_UDP_MSG > sizeof(int), you are going to be writing bytes past the bounds of tmp into surrounding memory, corrupting the memory. That is a buffer overflow.
Perhaps you meant to receive the bytes into your (commented out) msg buffer instead?
char msg[SIZE_UDP_MSG];
tmp = recvfrom(..., msg, SIZE_UDP_MSG, ...);
Related
// Copy from kernel to user.
// Copy len bytes from src to virtual address dstva in a given page table.
// Return 0 on success, -1 on error.
int
copyout(pagetable_t pagetable, uint64 dstva, char *src, uint64 len)
{
uint64 n, va0, pa0;
while(len > 0){
va0 = PGROUNDDOWN(dstva);
pa0 = walkaddr(pagetable, va0);
if(pa0 == 0)
return -1;
n = PGSIZE - (dstva - va0);
if(n > len)
n = len;
memmove((void *)(pa0 + (dstva - va0)), src, n);
len -= n;
src += n;
dstva = va0 + PGSIZE;
}
return 0;
}
The function used in xv6 kernel for copying out data from the kernel to user-space process accepts a pagetable as argument and uses that pagetable to access the physical address behind that user-space address. However, neither copyout() nor walkaddr() performs any locking operation on the page table. How are race conditions avoided in this case? Is it possible for the page table to change after getting the physical address and before the actual reading and cause issues? And how is it avoided in xv6?
If I am not wrong, the copyout() is invoked by the kernel in the
piperead() and pipewrite() located in pipewrite.c function. Prior to calling this
function the calling process's spinlock is already held.
Firstly, i want know if the PByte type is equivalent to a BYTE*(byte pointer) in C++. In negative case, what's could be on Delphi that more near to BYTE* of C++?
Well, suppose that i'm right about that PByte is BYTE* (C++), then based on following C++ code, how send() this data type (PByte) correctly using native WinSock?
See:
C++:
SOCKET sock;
BITMAPINFO bmpInfo;
BYTE *bytes = NULL;
BYTE *temp_bytes = NULL;
DWORD workSpaceSize, fragmntWorkSpaceSize, size;
RtlGetCompressionWorkSpaceSize(COMPRESSION_FORMAT_LZNT1, &workSpaceSize, &fragmntWorkSpaceSize);
bytes = (BYTE *) Alloc(bmpInfo.bmiHeader.biSizeImage);
temp_bytes = (BYTE *) Alloc(bmpInfo.bmiHeader.biSizeImage);
BYTE *memory = (BYTE *) Alloc(workSpaceSize);
RtlCompressBuffer(COMPRESSION_FORMAT_LZNT1,
bytes,
bmpInfo.bmiHeader.biSizeImage,
temp_bytes,
bmpInfo.bmiHeader.biSizeImage,
2048,
&size,
memory);
free(bytes);
free(memory);
if(Send(sock, (char *) temp_bytes, size, 0) <= 0) return;
free(temp_bytes);
Delphi:
var
Sock: TSocket;
bmpInfo: TBitMapInfo;
bytes: PByte = nil;
temp_bytes: PByte = nil;
memory: PByte;
workSpaceSize, fragmntWorkSpaceSize, Size: Cardinal;
//...
RtlGetCompressionWorkSpaceSize(COMPRESSION_FORMAT_LZNT1, #workSpaceSize, #fragmntWorkSpaceSize);
bytes := AllocMem(bmpInfo.bmiHeader.biSizeImage);
temp_bytes := AllocMem(bmpInfo.bmiHeader.biSizeImage);
memory := AllocMem(workSpaceSize);
RtlCompressBuffer(COMPRESSION_FORMAT_LZNT1, bytes, bmpInfo.bmiHeader.biSizeImage,
temp_bytes, bmpInfo.bmiHeader.biSizeImage, 2048, #Size, memory);
FreeMem(bytes);
FreeMem(memory);
if send(Sock, temp_bytes^, Size, 0) <= 0 then Exit;
FreeMem(temp_bytes);
Reference to RtlGetCompressionWorkSpaceSize() and RtlCompressBuffer() functions in C++.
Reference to RtlGetCompressionWorkSpaceSize() and RtlCompressBuffer() functions in Delphi.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Closed 8 years ago.
Improve this question
I am writing a C++ code and trying to convert an unsigned char* array into a string using a stringstream.
the code snippet:
unsigned char * arr;
do{
fill(*arr);
//if I print the array here, the print operation works fine
stringstream s((const char*)arr); //I also tired other castings without success
cout<<s.str()<<endl;
//condition...
} while(condition);
The do-while because I have to repeat it. The problem is that I get a Segmentation fault (core dumped) error here: stringstream s((const char*)arr);
Here is a more detailled code. The fill is the libusb_interrupt_transfer
int len = 64;
int transferred;
unsigned char *pkt = new unsigned char[len];
unsigned char * arr;
int arrLen;
do {
libusb_interrupt_transfer(handle, (EP_IN | LIBUSB_ENDPOINT_IN), pkt, len, &transferred, 1000);
arrLen = pkt[6];
arr = new unsigned char[arrLen];
for (int i = 0; i < arrLen; i++) {
arr[i] = pkt[i+7];
}
stringstream s;
s << (char*) arr;
}
I would go with:
stringstream s;
s << (char*) arr;
EDIT:
Ok, so after you've given us your Fill() this is what I think makes the problem:
Basing on this link: http://libusb.sourceforge.net/api-1.0/group__syncio.html#gac412bda21b7ecf57e4c76877d78e6486 you can NEVER assume that you will have the amount of chars passed in len. You should use your transferred to check how many chars have been transfered.
Directly problem is in the moment where you write
arrLen = pkt[6];
Because it is probable that pkt[6] has not been initialized. In this case it contains some random number which will (if we assume that the number is really random) give you a 1 to 2^31 - (64 - 7) probability of access violation - if arrLen is too big, you will exceed pkt range pretty fast.
So I would suggest something like this:
libusb_interrupt_transfer(handle, (EP_IN | LIBUSB_ENDPOINT_IN), pkt, len, &transferred, 1000);
// AHTUNG! ATTENTION!
if (transferred >= 7) // and you'll need even more
continue;
arrLen = pkt[6];
arr = new unsigned char[arrLen];
for (int i = 0; i < arrLen; i++) {
arr[i] = pkt[i+7];
}
stringstream s;
s << (char*) arr;
Also, it would be nice to have pkt and transferred dumped in the moment of the error. This would make analyzing the problem more easily.
I am implementing the recvall() function to be sure that the data is completely sent. Also I modified the send() function to sendall() like this:
int sendall (int consocket, char* buf, int* len)
{
int total = 0;
int bytesleft = *len; // how many we have left to send
int n;
while(total < *len) {
n = send(consocket, buf+total, bytesleft, 0);
if (n == -1) { break; }
total += n;
bytesleft -= n;
*len = total; // return number actually sent here
return n==-1?-1:0; // return -1 on failure, 0 on success
}
}
How can I implement recvall()? Say I sent from the server a struct of 14 bytes and I check in the client and get 12 bytes.. now in an unreliable situation how should I manage to get the other two bytes... I have spent time trying... any help welcomed.
You may loop over a select with an appropriate timeout . Select will wait until new data is received or until time is elapsed or an error occurs. This gives you a greater control than just blocing on a recv.
Can anyone help converting the Int to char array
as i have buffer as
char *buffer = NULL;
int lengthOfComponent = -1;
char *obj;
buffer[index]= (char *)&lengthOfComponent;
if i do this it is thorwing EXCESS BAD ACCESS after the execution how to store the value of the obj to buffer using memcpy
Of course you cannot write in buffer[index], it is not allocated!
buffer = malloc(sizeof(char) * lengthOfBuffer);
should do it. After that you can write the buffer with memcpy or with an assignation, like you are doing.
buffer[index] = (char *)&lengthOfComponent;
buffer[index] is like dereferencing the pointer. But buffer is not pointing to any valid location. Hence the runtime error.
The C solution is using snprintf. Try -
int i = 11;
char buffer[10];
snprintf(buffer, sizeof(buffer), "%d", i);