tags:

views:

72

answers:

4
+1  Q: 

How to validate length of received byte array, which is not null terminated?

Hi all,

I have a C\C++ code that receives a structure over the network, from this form:

struct DataStruct
{
int DataLen;
BYTE* Data;
}

The code I have runs over Data in a loop of DataLen times and processes the data.

...The problem:

After the code came to security experts for penetration tests, they prepared a fake application which sends this struct with DataLen bigger than the real length of Data. This causes, of course, an access violation exception.

So, the question is - how can I validate the real length of the received Data? Is it possible without changing the structure?

Thanks in advance.

+2  A: 

You know how much bytes you have received, so just compare it with DataLen.

Kirill V. Lyadvinsky  2010-08-31 12:26:49
Maybe I wasn't clear - this is exactly my problem: I **don't** know how many bytes did I get...
rursw1  2010-08-31 12:32:58
How's that? Almost any network IO function gives you this information.
Kirill V. Lyadvinsky  2010-08-31 12:34:48
+4  A: 

Nice security experts! I wish my company had a department like that.

Whenever data is received from the network, the network IO reports the number of bytes actually written to the buffer, whether you used read(2), recv(2), or boost::asio::async_read or anything else I've seen. Typical use case when there's a "number of bytes to follow" field in the header of your data structure, is to repeatedly call read/recv/etc until that many bytes were received (or until error occurred), and only then it should construct and return your DataStruct (or report error).

Cubbi  2010-08-31 12:30:54
+1  A: 

It is impossible without changing the structure. Data received from TCP/IP socket is plain stream. Logically, it is not divided into packets. Physical packet may contain one or more DataStruct instances, one DataStruct instance can be divided to two or more physical packets. Current information structure can be used only if there are no communication errors or invalid packets.

Alex Farber  2010-08-31 12:33:03
A: 

Corruption is easy if you haven't any intrinsic limitation.

Some protection mechanisms would be:

  • Try to realloc() the buffer, within some acceptable size (if Data is dynamic)
  • Exceptions are friends: use SIGSEGV in signal(2), signal(7) and setjmp(2) to do some useful try/catch code structure. See Combining setjmp()/longjmp() and Signal Handling for a quick introduction on this topic. Use sigaction(2) to go deeper (by getting the faulty address;).
levif  2010-09-02 21:55:48

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS