/*
* I assume these exist, and more or less fit the requirements described.
* They don't have to be these specific numbers, but they do need to have
* the specified relationships in order for the code to work properly.
*/
#define MAXDATASIZE 4096 /* any number here is ok, subject to rules below */
int i = 4096; // i >= MAXDATASIZE, or the first recv can trigger UB
char *htmlbff = malloc(i); // ITYK you can't realloc memory that wasn't malloc'd
int q = 0; // q <= i-MAXDATASIZE
/* maybe other code */
while((c = recv(sock, htmlbff + q, MAXDATASIZE, 0)) > 0)
{
/*
* You've already just read up to MAXDATASIZE bytes.
* if (i-q) < MAXDATASIZE, then **your buffer is already too small**
* and that last `recv` may have overrun it.
*/
if((i - q) < MAXDATASIZE)
{
... reallocate htmlbff ...
}
/* Then you bump q...but too late. lemme explain in a sec */
q += c;
}
假设您连续两次接收 4096 个字节。会发生什么:
- 第一次读取读取 4096 个字节,从
htmlbff + 0.
- 由于
q还是0,i - q== 4096,所以没有分配。
q增加了 4096。- 第二次读取获得 4096 字节,从
htmlbff + 4096. 但是等等,因为我们没有在上次迭代中调整它的大小,它htmlbff只有 4096 字节大,并且整个读取都溢出了缓冲区!
- 如果幸运的话,溢出会导致段错误并且程序会死掉。如果你不是,那么 CPU 只是士兵,从这里开始的任何行为都是未定义的。在这一点上,甚至诊断进一步的问题也没有什么意义,因为 $DEITY 知道代码刚刚破坏了什么。
试试这个...
while((c = recv(sock, htmlbff + q, MAXDATASIZE, 0)) > 0)
{
/* **First**, bump `q` past the stuff you just read */
q += c;
/*
* **Now** check the buffer. If i-q is too small at this point, the buffer is
* legitimately too small for the next read, and also hasn't been overrun yet.
*/
if((i - q) < MAXDATASIZE)
{
/* This temp pointer **really** should be limited in scope */
char *double_sized;
/* Note that otherwise, i'm using the "broken" resize code.
* It should work fine.
*/
i *= 2;
if(!(double_sized = realloc(htmlbff, i)))
{
free(htmlbff);
printf("\nError! Memory allocation failed!");
return 0x00;
}
htmlbff = double_sized;
}
}