views:

19

answers:

1

Hi

I’ve problem with this function using winsock2. When program leave this function in debug mode I receive 2 statements (only during exiting this function):

“Run-Time Check Failure #2 - Stack around the variable 'filePath' was corrupted.”

“Run-Time Check Failure #2 - Stack around the variable 'recBuf' was corrupted.”

I’m programming in VS2008 C++ (console application). In Release mode this statements do not exist.

So I’m waiting for reply and thanks a lot for your help ;)

Function:

#include "stdafx.h"
#include "server.h"

bool Server::fileReceive()
{
    char recBuf[MAX_PACKET_BUFOR] ={0};
    char filePath[100] = {0};
    int size = 0;
    int var = 0;
    char key = 0;
    int tmp=0;

    FILE *fPtr = NULL;

    if(recv(clientSocket, recBuf, MAX_PACKET_SIZE, 0) == 0)
    {
        cerr << "Receive ERROR" << endl;
        system("pause");
        return false;
    }
    if(strcmp(recBuf, START_HEADER) != 0)
        return false;

    if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
    {
        cerr << "Send ERROR" << endl;
        system("pause");
        return false;
    }
    if(recv(clientSocket, recBuf, MAX_PACKET_SIZE, 0) == 0)
    {
        cerr << "Receive ERROR" << endl;
        system("pause");
        return false;
    }
    if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
    {
        cerr << "Send ERROR" << endl;
        system("pause");
        return false;
    }
    strcpy_s(filePath, sizeof(recBuf), recBuf);
    cout << "Przyslano plik o nazwie: \"" << filePath << "\"";
    memset(recBuf, 0, sizeof(recBuf));

    if(recv(clientSocket, recBuf, MAX_PACKET_SIZE, 0) == 0)
    {
        cerr << "Receive ERROR" << endl;
        system("pause");
        return false;
    }
    if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
    {
        cerr << "Send ERROR" << endl;
        system("pause");
        return false;
    }
    size = atoi(recBuf);
    cout << " i rozmiarze: "<< size << "B,\nCo chcesz zrobic?" << endl;
    cout << "1 - odbierz i zmien nazwe\n2- odbierz i zapisz do katalogu programu\n3 - odrzuc" << endl;
    key = _getch();

    if(key == '1' || key == '2')
    {
        if(key == '1')
        {
            cout << "Podaj sciezke dla nowego pliku w formie: Dysk:\\sciezka\\plik.rozszerzenie" << endl;
            cout << "(wpisz sama nazwe, a plik zostanie umieszczony w katalogu programu)" << endl;
            cin >> filePath;
        }

        if(fopen_s(&fPtr, filePath, "wb") != 0)
            return false;

        cout << "Odbieranie w toku...\nProsze czekac" << endl;

        while(size > 0)
        {
            memset(recBuf, 0, MAX_PACKET_BUFOR);
            tmp = 0;
            if(size <= 200000)
                cout << "break" << endl;
            if(size>=MAX_PACKET_SIZE)
            {
                do
                {
                    var = recv(clientSocket, recBuf, MAX_PACKET_SIZE, 0);
                    if(var == 0)
                    {
                        cerr << "Receive ERROR" << endl;
                        system("pause");
                        size = 0;
                    }
                    else
                    {
                        tmp += var;
                        fwrite(recBuf, var, 1, fPtr);
                    }
                }while(tmp < MAX_PACKET_SIZE && size != 0);
                                    if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
                    {
                        cerr << "Send ERROR" << endl;
                        system("pause");
                        return false;
                    }
            }
            else
            {
                while(tmp != size && size != 0)
                {
                    var = recv(clientSocket, recBuf, size, 0);
                    if(var == 0)
                    {
                        cerr << "Receive ERROR" << endl;
                        system("pause");
                        size = 0;
                    }
                    else
                    {
                        tmp += var;
                        fwrite(recBuf, var, 1, fPtr);
                    }
                }
                if(send(clientSocket, ACK, 3, 0 ) == SOCKET_ERROR)
                {
                    cerr << "Send ERROR" << endl;
                    system("pause");
                    return false;
                }
            }
            size -= tmp;
            size = (size < 0) ? 0 : size;
        }
        memset(filePath, 0, sizeof(filePath));
        memset(recBuf, 0, MAX_PACKET_BUFOR);
        fclose(fPtr);
    }
    return true;
}

stdafx.h

#pragma once

#include "targetver.h"

#include <stdio.h>
#include <tchar.h>
#include <winsock2.h>
#include <iostream>
#include <cstdlib>
#include <conio.h>

using namespace std;

#define START_HEADER "FileSend"
#define MAX_PACKET_SIZE    100000
#define MAX_PACKET_BUFOR    100010
#define ACK "ACK"
+3  A: 

The bug is in the following line

strcpy_s(filePath, sizeof(recBuf), recBuf); 

Here you are stating the size of filePath is sizeof(recBuf) which is not the case. The size of filePath is 100 while sizeof(recBuf) is 1000010. The result is a buffer overflow on filePath and the error message you are seeing.

Additionally the code appears to assume that the recv call will properly add a null terminator to the recBuf buffer. This is not the case and if a 0 is not added into the buffer the strcpy_s function will also potentially fail.

JaredPar
thx a lot for your quickly reply. It's working now without failures :)
Meler