[已解决]strncat差一错误

liaojuelong · 发表于 2022-7-12 18:49:40

马上注册，结交更多好友，享用更多功能^_^

您需要登录才可以下载或查看，没有账号？立即注册

x

本帖最后由 liaojuelong 于 2022-7-12 18:51 编辑

课后作业这里没理解，我上机试了一下，以%s输出str，不管有没有减1，似乎对结果影响不大，减1输出“I love Fi”，不减1输出“I love Fis”，那么差一错误怎么体现呢？求解答

题目如下：
请指出下边代码中存在的问题？
#include <stdio.h>
#include <string.h>
int main()
{
char str[10];
strncat(str, "I love FishC.com!", sizeof(str));
return 0;
}
答：不当使用 C 标准库中的 strncat 函数常常会导致差一错误（差一错误是指在计数时由于边界条件判断失误导致结果多了一或少了一的错误）和安全问题。
程序员经常认为 strncat 函数在写入字符串结束符时不会超过最大长度。事实上 strncat 函数会在指定的最大长度之后一字节的位置写入字符串结束符。
上边代码应该改为：strncat(str, "I love FishC.com!", sizeof(str)-1);

最佳答案

月排行榜 / 总排行榜

人造人

2022-7-12 19:26:20

C语言程序中的错误，并不是一定能在第一时间发现
很多错误直到程序运行结束也无法被发现
但是错误就是错误，这个错误很有可能会出现在你无法预期的位置，所以不要存在侥幸心理，说什么有错也没事，反正程序输出结果正常，你如何保证这个错误不会影响最终的输出结果？你无法保证
你可以借助一些调试工具把这个错误的发现时间提前很多

$ cat main.c
#include <stdio.h>
#include <string.h>

int main(void) {
    char buff[5] = {[0] = '\0'};
    strncat(buff, "12345678", sizeof(buff) - 1);
    puts(buff);
    return 0;
}
$ gcc-debug -o main main.c
$ ./main
1234
$ vim main.c
$ cat main.c
#include <stdio.h>
#include <string.h>

int main(void) {
    char buff[5] = {[0] = '\0'};
    strncat(buff, "12345678", sizeof(buff));
    puts(buff);
    return 0;
}
$ gcc-debug -o main main.c
main.c: In function ‘main’:
main.c:6:5: warning: ‘strncat’ specified bound 5 equals destination size [-Wstringop-overflow=]
    6 |     strncat(buff, "12345678", sizeof(buff));
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ./main
=================================================================
==2151829==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd3d4f0955 at pc 0x7f6845460665 bp 0x7ffd3d4f0920 sp 0x7ffd3d4f00c8
WRITE of size 6 at 0x7ffd3d4f0955 thread T0
    #0 0x7f6845460664 in __interceptor_strncat /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:399
    #1 0x5629182842c9 in main /tmp/main.c:6
    #2 0x7f684482928f  (/usr/lib/libc.so.6+0x2928f)
    #3 0x7f6844829349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
    #4 0x5629182840e4 in _start (/tmp/main+0x10e4)

Address 0x7ffd3d4f0955 is located in stack of thread T0 at offset 37 in frame
    #0 0x5629182841c8 in main /tmp/main.c:4

  This frame has 1 object(s):
    [32, 37) 'buff' (line 5) <== Memory access at offset 37 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:399 in __interceptor_strncat
Shadow bytes around the buggy address:
  0x100027a960d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a960e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a960f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100027a96120: 00 00 00 00 00 00 f1 f1 f1 f1[05]f3 f3 f3 00 00
  0x100027a96130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2151829==ABORTING
$

跳转到最佳答案楼层

人造人 · 发表于 2022-7-12 19:26:20

C语言程序中的错误，并不是一定能在第一时间发现
很多错误直到程序运行结束也无法被发现
但是错误就是错误，这个错误很有可能会出现在你无法预期的位置，所以不要存在侥幸心理，说什么有错也没事，反正程序输出结果正常，你如何保证这个错误不会影响最终的输出结果？你无法保证
你可以借助一些调试工具把这个错误的发现时间提前很多

$ cat main.c
#include <stdio.h>
#include <string.h>

int main(void) {
    char buff[5] = {[0] = '\0'};
    strncat(buff, "12345678", sizeof(buff) - 1);
    puts(buff);
    return 0;
}
$ gcc-debug -o main main.c
$ ./main
1234
$ vim main.c
$ cat main.c
#include <stdio.h>
#include <string.h>

int main(void) {
    char buff[5] = {[0] = '\0'};
    strncat(buff, "12345678", sizeof(buff));
    puts(buff);
    return 0;
}
$ gcc-debug -o main main.c
main.c: In function ‘main’:
main.c:6:5: warning: ‘strncat’ specified bound 5 equals destination size [-Wstringop-overflow=]
    6 |     strncat(buff, "12345678", sizeof(buff));
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ./main
=================================================================
==2151829==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd3d4f0955 at pc 0x7f6845460665 bp 0x7ffd3d4f0920 sp 0x7ffd3d4f00c8
WRITE of size 6 at 0x7ffd3d4f0955 thread T0
    #0 0x7f6845460664 in __interceptor_strncat /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:399
    #1 0x5629182842c9 in main /tmp/main.c:6
    #2 0x7f684482928f  (/usr/lib/libc.so.6+0x2928f)
    #3 0x7f6844829349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
    #4 0x5629182840e4 in _start (/tmp/main+0x10e4)

Address 0x7ffd3d4f0955 is located in stack of thread T0 at offset 37 in frame
    #0 0x5629182841c8 in main /tmp/main.c:4

  This frame has 1 object(s):
    [32, 37) 'buff' (line 5) <== Memory access at offset 37 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:399 in __interceptor_strncat
Shadow bytes around the buggy address:
  0x100027a960d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a960e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a960f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100027a96120: 00 00 00 00 00 00 f1 f1 f1 f1[05]f3 f3 f3 00 00
  0x100027a96130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100027a96170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2151829==ABORTING
$

人造人 · 发表于 2022-7-12 19:29:13

本帖最后由人造人于 2022-7-12 19:31 编辑

另外，只有这一个问题吗？

$ cat main.c
#include <stdio.h>
#include <string.h>

int main() {
    char str[10];
    strncat(str, "I love FishC.com!", sizeof(str));
    return 0;
}
$ gcc-debug -o main main.c
main.c: In function ‘main’:
main.c:6:5: warning: ‘strncat’ specified bound 10 equals destination size [-Wstringop-overflow=]
    6 |     strncat(str, "I love FishC.com!", sizeof(str));
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ./main
=================================================================
==2153892==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe4639e55a at pc 0x7f56ae060665 bp 0x7ffe4639e520 sp 0x7ffe4639dcc8
WRITE of size 11 at 0x7ffe4639e55a thread T0
    #0 0x7f56ae060664 in __interceptor_strncat /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:399
    #1 0x55f82a517234 in main /tmp/main.c:6
    #2 0x7f56ad42928f  (/usr/lib/libc.so.6+0x2928f)
    #3 0x7f56ad429349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
    #4 0x55f82a5170c4 in _start (/tmp/main+0x10c4)

Address 0x7ffe4639e55a is located in stack of thread T0 at offset 42 in frame
    #0 0x55f82a5171a8 in main /tmp/main.c:4

  This frame has 1 object(s):
    [32, 42) 'str' (line 5) <== Memory access at offset 42 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:399 in __interceptor_strncat
Shadow bytes around the buggy address:
  0x100048c6bc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048c6bc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048c6bc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048c6bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048c6bc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100048c6bca0: 00 00 00 00 00 00 f1 f1 f1 f1 00[02]f3 f3 00 00
  0x100048c6bcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048c6bcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048c6bcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048c6bce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100048c6bcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2153892==ABORTING
$
$
$
$ vim main.c
$ cat main.c
#include <stdio.h>
#include <string.h>

int main() {
    char str[10];
    strncat(str, "I love FishC.com!", sizeof(str) - 1);
    return 0;
}
$ gcc-debug -o main main.c
$ ./main
=================================================================
==2154032==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc00d62f7a at pc 0x7f0c1cc60665 bp 0x7ffc00d62f40 sp 0x7ffc00d626e8
WRITE of size 10 at 0x7ffc00d62f7a thread T0
    #0 0x7f0c1cc60664 in __interceptor_strncat /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:399
    #1 0x55758509b234 in main /tmp/main.c:6
    #2 0x7f0c1c02928f  (/usr/lib/libc.so.6+0x2928f)
    #3 0x7f0c1c029349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
    #4 0x55758509b0c4 in _start (/tmp/main+0x10c4)

Address 0x7ffc00d62f7a is located in stack of thread T0 at offset 42 in frame
    #0 0x55758509b1a8 in main /tmp/main.c:4

  This frame has 1 object(s):
    [32, 42) 'str' (line 5) <== Memory access at offset 42 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:399 in __interceptor_strncat
Shadow bytes around the buggy address:
  0x1000001a4590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000001a45a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000001a45b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000001a45c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000001a45d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000001a45e0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[02]
  0x1000001a45f0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000001a4600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000001a4610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000001a4620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000001a4630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2154032==ABORTING
$
$
$
$ vim main.c
$ cat main.c
#include <stdio.h>
#include <string.h>

int main() {
    char str[10];
    str[0] = '\0';      // ****************************
    strncat(str, "I love FishC.com!", sizeof(str) - 1);
    return 0;
}
$ gcc-debug -o main main.c
$ ./main
$

liaojuelong · 发表于 2022-7-12 19:58:01

人造人发表于 2022-7-12 19:29
另外，只有这一个问题吗？

还有一个问题，比如我定义一个字符串数组char a[5]=“abcdefg”，%s输出是abcde'\0'，为什么不是输出abcd'\0'，或者abcdefg'\0'呢

这也是疑惑的地方

人造人 · 发表于 2022-7-12 20:22:31

liaojuelong 发表于 2022-7-12 19:58
还有一个问题，比如我定义一个字符串数组char a[5]=“abcdefg”，%s输出是abcde'\0'，为什么不 ...

又是一个错误的代码，我这边直接报错

$ cat main.c
#include <stdio.h>

int main(void) {
    char a[5] = "abcdefg";
    printf("%s\n", a);
    return 0;
}
$ gcc-debug -o main main.c
main.c: In function ‘main’:
main.c:4:17: warning: initializer-string for array of ‘char’ is too long
    4 |     char a[5] = "abcdefg";
      |                 ^~~~~~~~~
$ ./main
=================================================================
==2169117==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd35b6c095 at pc 0x7f328524a1cb bp 0x7ffd35b6c060 sp 0x7ffd35b6b808
READ of size 7 at 0x7ffd35b6c095 thread T0
    #0 0x7f328524a1ca in __interceptor_puts /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1283
    #1 0x55ede3cdf2a4 in main /tmp/main.c:5
    #2 0x7f328462928f  (/usr/lib/libc.so.6+0x2928f)
    #3 0x7f3284629349 in __libc_start_main (/usr/lib/libc.so.6+0x29349)
    #4 0x55ede3cdf0d4 in _start (/tmp/main+0x10d4)

Address 0x7ffd35b6c095 is located in stack of thread T0 at offset 37 in frame
    #0 0x55ede3cdf1b8 in main /tmp/main.c:3

  This frame has 1 object(s):
    [32, 37) 'a' (line 4) <== Memory access at offset 37 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/src/debug/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1283 in __interceptor_puts
Shadow bytes around the buggy address:
  0x100026b657c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026b657d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026b657e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026b657f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026b65800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
=>0x100026b65810: f1 f1[05]f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x100026b65820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026b65830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026b65840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026b65850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100026b65860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2169117==ABORTING
$

人造人 · 发表于 2022-7-12 20:25:38

liaojuelong 发表于 2022-7-12 19:58
还有一个问题，比如我定义一个字符串数组char a[5]=“abcdefg”，%s输出是abcde'\0'，为什么不 ...

char a[5] = "abcdefg";
你需要明白，这个数组a有几个元素？是5个？还是7个？还是8个？
这个数组保存的是哪些字符？
a[0] = 什么？
a[1] 呢？
还有其他

liaojuelong · 发表于 2022-7-12 21:02:27

人造人发表于 2022-7-12 20:25

我用devc++5.11是跳出warning，但是可以输出。然后刚刚我又下了一个vc++6.0，直接error了。。。难道是我用的编译器不对

要用哪个比较好呢？

人造人 · 发表于 2022-7-12 21:12:54

liaojuelong 发表于 2022-7-12 21:02
我用devc++5.11是跳出warning，但是可以输出。然后刚刚我又下了一个vc++6.0，直接error了。。。难道是我 ...

用最新的编译器就好
我用的gcc

liaojuelong · 发表于 2022-7-12 22:08:44

人造人发表于 2022-7-12 21:12
用最新的编译器就好
我用的gcc

大佬推荐一个比较新的c编译器

人造人 · 发表于 2022-7-12 22:14:03

liaojuelong 发表于 2022-7-12 22:08
大佬推荐一个比较新的c编译器

gcc (GCC) 12.1.0

$ gcc --version
gcc (GCC) 12.1.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$

账号		自动登录	找回密码
密码			立即注册