c - 如何在 C 中修复“free(): invalid next size (normal) | Canceled (memory dumpwritten)”
问题描述
我正在编写一个实际发送原始数据包和嗅探网络的程序。我有程序要构建、发送数据包和嗅探网络。他们每个人都(大部分)工作得很好。如果我尝试实现一个主函数,它首先调用函数来构建和发送数据包,然后是嗅探的函数,我得到一个free(): Invalid next size (normal) | Cancelled (memory dump written)错误。
我试图自己找到问题。我在不同的地方调用了startSniffer()- 函数。实际上是在send_tcp_packet构建 tcp Packet ( build_tcp_packet) 之前,之后也是。如果我在它工作之前调用startSniffer()Function build_tcp_packet。所以我在befor中调用了startSniffer()- 函数,它可以工作。所以我认为错误是由于. 我删除了,程序运行良好。但实际上 Programm 需要在 TCP-Header 中设置 Payload。build_tcp_packetmemcpy(...)memcpy(...)memcpy(...)memcpy(...)
那么您对我的代码有任何想法和帮助吗???
void startBuilding() {
unsigned char *data;
unsigned int packet_size;
unsigned int data_size;
src_addr.sin_family = AF_INET;
inet_aton(srcHost, &src_addr.sin_addr);
dst_addr.sin_family = AF_INET;
inet_aton(destHost, &dst_addr.sin_addr);
data = (char*) malloc(strlen(sendingData) + 1);
strcpy((char *) data, sendingData);
data_size = strlen(sendingData);
switch (ipProto) {
case IPPROTO_TCP:
printf("[+] Send TCP packet...\n");
src_addr.sin_port = htons(tcpSourcePort);
dst_addr.sin_port = htons(tcpDestPort);
if (open_RawSocket(ipProto)) {
send_tcp_packet(raw_socket, src_addr, dst_addr, data, data_size);
}
}
unsigned int build_tcp_packet(struct sockaddr_in src_addr,
struct sockaddr_in dst_addr, unsigned char *tcp_packet,
unsigned char *data, unsigned int data_size) {
printf("[+] Build TCP packet...\n\n");
unsigned int length;
struct tcpheader *tcp;
length = TCPHDRSIZE + data_size;
tcp = (struct tcpheader *) tcp_packet;
tcp->th_sport = src_addr.sin_port;
tcp->th_dport = dst_addr.sin_port;
tcp->th_seq = htonl(tcpSeqNum);
tcp->th_acknum = tcpAcknum;
tcp->th_reserved = tcpReserved;
tcp->th_off = tcpOffSet;
tcp->th_fin = tcpFinFlag;
tcp->th_syn = tcpSynFlag;
tcp->th_rst = tcpRstFlag;
tcp->th_psh = tcpPshFlag;
tcp->th_ack = tcpAckFlag;
tcp->th_urg = tcpUrgFlag;
tcp->th_cwr = tcpCwrFlag;
tcp->th_ece = tcpEceFlag;
tcp->th_win = htons(tcpWin);
tcp->th_urp = tcpUrp;
tcp->th_sum = tcpSum;
// startSniffer(); // If i start startSniffer here, it works fine.
memcpy(tcp_packet + TCPHDRSIZE, data, data_size);
// startSniffer(); //If i start sartSniffer here, it did not work, and i get the error.
return length;
}
unsigned int build_ip_packet(struct in_addr src_addr, struct in_addr dst_addr,
uint8_t protocol, unsigned char *ip_packet, unsigned char *data,
unsigned int data_size) {
printf("[+] Build IP packet...\n\n");
struct ipheader *ip;
ip = (struct ipheader*) ip_packet;
ip->ip_v = ipv;
ip->ip_hl = iphl;
ip->ip_tos = iptype;
ip->ip_id = htons(ipId);
if (calculateIpLenInBuildPacket) {
ip->ip_len = htons(iphl * 4 + data_size);
} else {
ip->ip_len = htons(ipLen);
}
ip->ip_off = ipOffset;
ip->ip_moreFrag = ipMoreFragmentFlag;
ip->ip_doNotFrag = ipDoNotFragmentFlag;
ip->ip_reserved = ipReserved;
ip->ip_frag_offset1 = ipFragOffset;
ip->ip_ttl = ipTTL;
ip->ip_p = ipProto;
ip->ip_sum = ipSum;
ip->iph_sourceip = src_addr.s_addr;
ip->iph_destip = dst_addr.s_addr;
return sizeof(struct ipheader) + data_size;
}
int main(int argc, char **argv) {
startBuilding();
startSniffer();
}
void send_tcp_packet(int raw_sock, struct sockaddr_in src_addr,
struct sockaddr_in dst_addr, uint8_t *data, unsigned int data_size) {
unsigned int packet_size;
unsigned int ip_payload_size;
unsigned char *packet;
packet = (char*) malloc(strlen(data) + 1);
memset(packet, 0, ETH_DATA_LEN);
ip_payload_size = build_tcp_packet(src_addr, dst_addr,
packet + sizeof(struct ipheader), data, data_size);
packet_size = build_ip_packet(src_addr.sin_addr, dst_addr.sin_addr,
IPPROTO_TCP, packet, packet + sizeof(struct ipheader), ip_payload_size);
setOption_RawSocket(raw_sock);
if (sendto(raw_sock, packet, packet_size, 0, (struct sockaddr *) &dst_addr,
sizeof(dst_addr)) < 0) {
perror("sendto");
exit(1);
} else {
printf("Send! \n\n");
}
close(raw_sock);
}
解决方案
这是危险的:
packet = (char*) malloc(strlen(data) + 1);
memset(packet, 0, ETH_DATA_LEN);
只要ETH_DATA_LEN大于就会损坏堆strlen(data) + 1,不会立即检测到堆损坏,但可能会导致后续分配或释放(空闲)失败。
建议:
packet = calloc( ETH_DATA_LEN, 1 ) ;
您做了一个轻率的假设,它data是一个以空值结尾的字符串,并且应该用于 data_size确定data任何事件的长度,但是由于数据包大小必然比数据有效负载大,因此两者都是不正确的。
在这种情况下你无法释放packet,所以也会有内存泄漏。由于ETH_DATA_LEN是一个常数,因此在任何情况下都无需动态分配。相反,您可能有:
char* packet[ETH_DATA_LEN] = {0} ;
推荐阅读
- sql - 当 unpivot 未检测到具有不同类型的字段时,雪花如何转换选择查询的所有字段?
- java - 使用信号量开发同步算法
- python - 多次运行脚本时出现 Python 错误:模块“__main__”没有属性“__spec__”
- jenkins - Jenkins - 通过证书进行代理身份验证
- python - 在获取熊猫数据框的行之间的差异时填充 NaN
- java - Minecraft 服务器无效的 plugin.yml
- c# - DTO 的泛型列表
- php - 使用 PHP 在图像上居中多行文本
- python - 为什么使用漂亮的汤找不到某些链接
- erpnext - 如何在列表视图中为子项指定过滤器?