我已经实现了一个 c++ winsock (win 32),目的是使用strcpy命令崩溃。套接字本身在线程内实例化。但是,当我将循环放入strcpy内部时recv,它似乎并没有崩溃。
我知道编译器没有任何问题,因为编写了一个只是strcpy崩溃的编译器,我认为它与它有关,recv因为它会在进程中启动一个块。
下面是服务器的完整代码,我试图实现的崩溃是strcpy(a, "AAAA...");在正常情况下它应该崩溃的形式,但在这里它不会。我想知道为什么。
#define WIN32_LEAN_AND_MEAN
#include<windows.h>
#include<winsock2.h>
#include<stdlib.h>
#include<stdio.h>
#include<ws2tcpip.h>
#include <iostream.h>
#include <conio.h>
#define DEFAULT_PORT "1133"
#define DEFAULT_BUFLEN 512
struct thread_data
{
int m_id;
thread_data(int id) : m_id(id){}
};
char a[10];
DWORD WINAPI ServerThread (LPVOID pParam){
WSADATA wsaData;
struct addrinfo *result =NULL;
struct addrinfo hints;
SOCKET ListenSocket = INVALID_SOCKET;
do{
ZeroMemory(&hints, sizeof(hints));
hints.ai_family = AF_INET;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
hints.ai_flags = AI_PASSIVE;
int iResult;
iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
iResult = getaddrinfo(NULL,DEFAULT_PORT,&hints, &result);
if (iResult != 0 ){
printf("get addrinfo failed with error %d\n", iResult);
WSACleanup();
return 1;
} //end if
ListenSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
if (ListenSocket ==0){
printf("socket creation failed with error %d\n", WSAGetLastError());
}
//bind socket
iResult= bind( ListenSocket , result->ai_addr, (int)result->ai_addrlen);
if(iResult == SOCKET_ERROR){
printf("bind failed with error %d\n", WSAGetLastError());
freeaddrinfo(result);
closesocket(ListenSocket);
WSACleanup();
return 1;
}
printf ("initializing socket\n ");
iResult= listen(ListenSocket,SOMAXCONN);
if (iResult== SOCKET_ERROR){
printf("listen failed with %d\n",WSAGetLastError());
closesocket(ListenSocket);
WSACleanup();
return 1;
}
SOCKET client ;
sockaddr_in from;
int fromlen=sizeof(from);
char temp[1024];
char temp_to_send[1024];
char temp_to_send_vuln[512];
printf("accepting client request\n");
client=accept(ListenSocket, (struct sockaddr*) &from, &fromlen);
printf("accepted socket\n");
iResult =1;
int iSendResult =1;
char c;
//start receiving from client
while( (iResult = recv(client,temp,1024,0 )) > 0 ){
c = temp[0];
temp[iResult] = '\0';
if(c!=13)
strcat(temp_to_send,temp);
//if enter is hit echo sent data to client
if(c ==13 ){
printf("sending %s \n",temp_to_send);
//I WANT TO CRASH THE PGORAM HERE!!
strcpy(a,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
strcat(temp_to_send_vuln,temp_to_send);
strcat(temp_to_send_vuln,"\r\n");
iSendResult = send(client,temp_to_send,strlen(temp_to_send),0);
//if user types "exit" the client socket would terminate
if (strcmp(temp_to_send,"exit") ==0){
printf("exit entered\n");
closesocket(client);
WSACleanup();
break;
}
re-initialize variables for next input
temp[0] = '\0';
temp_to_send[0] = '\0';
}//end if(ch ==13)
}//end recv
printf("termination of socket with error %d and buffer length is ", WSAGetLastError());
printf("client said %s\n", temp) ;
if (iResult == SOCKET_ERROR){
printf("receiving failed with error %d",WSAGetLastError());
}
if (iSendResult == SOCKET_ERROR){
printf("seding failed with error %d", WSAGetLastError());
closesocket(client);
WSACleanup();
exit(1);
}
} while(1);
closesocket(ListenSocket);
WSACleanup();
printf("program ended\n");
return 0;
}
//the main function that calls the thread
int main(void)
{
//create thread here
CreateThread(NULL, 0 ,ServerThread, new thread_data(0), 0,0);
//terminate program when escape character is hit
while(_getch()!=27);
return 0;
}