2015-05-10 58 views
0

I thought this code should produce a buffer overflow error, but apparently it prints fine.. Is there a way to detect that it has overflowed? How do I detect a buffer overflow in C in this case?

Valgrind didn't pick it up either...

#include <string.h>

static void e(void) { 
    char buffer[5]; 
    char data1[] = "abc";   // 4 bytes including the terminating '\0' 
    char data2[] = "de";    // 3 bytes including the terminating '\0' 
    // copies "abc\0" (sizeof(data1) == 4) into the 5-byte buffer 
    memcpy(buffer, data1, sizeof(data1)); 
    // strcat appends data2 to buffer and adds '\0' at the end of dest: 
    // "abcde\0" needs 6 bytes, so this writes one byte past buffer 
    strcat(buffer, data2); 
    //printf("%s\n", buffer); 
} 
+0

This is definitely undefined behavior. However, undefined behavior means anything can happen, even nothing visible. – user3629249

Answer

0

The -fsanitize=address option of gcc is what you're looking for. For example:

$ cat test.cpp 
#include <stdio.h> 
#include <string.h> 

static void e(void) { 
    char buffer[5]; 
    char data1[] = "abc"; 
    char data2[] = "de"; 
    memcpy(buffer, data1, sizeof(data1)); 
    // strcat appends data2 to buffer and adds '\0' at the end dest 
    strcat(buffer, data2); 
    //printf("%s\n", buffer); 
} 

int main() { 
    e(); 
} 
$ g++ test.cpp -o a -fsanitize=address -g3 
$ ./a 
================================================================= 
==21537== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1d8c0313 at pc 0x7f96ebedd94b bp 0x7ffd1d8c0260 sp 0x7ffd1d8bfa20 
WRITE of size 3 at 0x7ffd1d8c0313 thread T0 
    #0 0x7f96ebedd94a (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xe94a) 
    #1 0x40091b (/tmp/a+0x40091b) 
    #2 0x400959 (/tmp/a+0x400959) 
    #3 0x7f96ebb2bec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4) 
    #4 0x400748 (/tmp/a+0x400748) 
Address 0x7ffd1d8c0313 is located at offset 163 in frame <e> of T0's stack: 
    This frame has 3 object(s): 
    [32, 35) 'data2' 
    [96, 100) 'data1' 
    [160, 165) 'buffer' 
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext 
     (longjmp and C++ exceptions *are* supported) 
Shadow bytes around the buggy address: 
    0x100023b10010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100023b10020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100023b10030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100023b10040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 
    0x100023b10050: f1 f1 03 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 
=>0x100023b10060: f2 f2[05]f4 f4 f4 00 00 00 00 00 00 00 00 00 00 
    0x100023b10070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100023b10080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100023b10090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100023b100a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100023b100b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
Shadow byte legend (one shadow byte represents 8 application bytes): 
    Addressable:   00 
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:  fa 
    Heap righ redzone:  fb 
    Freed Heap region:  fd 
    Stack left redzone: f1 
    Stack mid redzone:  f2 
    Stack right redzone: f3 
    Stack partial redzone: f4 
    Stack after return: f5 
    Stack use after scope: f8 
    Global redzone:  f9 
    Global init order:  f6 
    Poisoned by user:  f7 
    ASan internal:   fe 
==21537== ABORTING 
+0

Interesting, do you know whether the Microsoft compiler has an equivalent? –

+0

@AngusComber Don't know, I even try to use GNU/Linux for Windows development - I find the latest OS quite uncomfortable for some objective *(and one subjective)* reasons. –

+0

@AngusComber By the way, the question you asked leads to one of our reasons: if an application is a GUI, you can't get standard output in Windows. So getting this diagnostic output there isn't easy. –
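The ASan report above shows the root cause in the frame layout: `buffer` occupies bytes [160, 165), and the 3-byte write from `strcat` starts at offset 163, so "abcde\0" spills one byte into the redzone. Without a sanitizer that byte lands in stack padding and nothing observable happens, which is why plain runs and Valgrind (which does not track stack bounds) stayed quiet. The following is an added example, not code from the original question or answer: it replaces the unbounded `strcat` with a hypothetical `bounded_concat()` that never writes past the destination and reports, snprintf-style, how many bytes the full result would have needed, so the caller can detect the truncation that the original code silently turned into an overflow. The helper names and the two wrapper functions are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the original post.
 * The original e() copies "abc" (4 bytes with NUL) into a 5-byte buffer and
 * then strcat()s "de": "abcde" plus its NUL needs 6 bytes, so one byte is
 * written past the end of buffer. Nothing checks this, so the write silently
 * lands in whatever follows buffer on the stack.
 *
 * bounded_concat() (hypothetical name) joins a and b into dst of size dstsz,
 * always NUL-terminates when dstsz > 0, and returns the number of bytes the
 * full result needs (including the NUL). As with snprintf(), the result fit
 * exactly when the returned value is <= dstsz. */
static size_t bounded_concat(char *dst, size_t dstsz,
                             const char *a, const char *b)
{
    size_t la = strlen(a);
    size_t lb = strlen(b);
    size_t need = la + lb + 1;             /* bytes required including NUL */

    if (dstsz == 0)
        return need;                        /* no room even for the NUL */

    /* Copy only while one byte remains for the terminator. */
    size_t n = 0;
    for (size_t i = 0; i < la && n + 1 < dstsz; i++)
        dst[n++] = a[i];
    for (size_t i = 0; i < lb && n + 1 < dstsz; i++)
        dst[n++] = b[i];
    dst[n] = '\0';
    return need;
}

/* Same sizes as the original e(): 5-byte buffer, "abc" + "de".
 * Returns 1 if the result fit, 0 if it had to be truncated; the
 * (possibly truncated) string is left in out for inspection. */
static int concat_into_five(char out[5])
{
    size_t need = bounded_concat(out, 5, "abc", "de");
    return need <= 5;
}

/* The fix the original code needs: one more byte for the terminator. */
static int concat_into_six(char out[6])
{
    size_t need = bounded_concat(out, 6, "abc", "de");
    return need <= 6;
}

int main(void)
{
    char small[5], big[6];
    printf("5-byte buffer: fit=%d contents=\"%s\"\n",
           concat_into_five(small), small);
    printf("6-byte buffer: fit=%d contents=\"%s\"\n",
           concat_into_six(big), big);
    return 0;
}
```

The 5-byte case returns 0 and leaves "abcd" in the buffer, which makes the truncation visible to the caller instead of leaving it to whatever byte happened to follow `buffer` on the stack; the 6-byte case returns 1 with "abcde". This is a detection strategy that works in release builds where ASan is not linked in, which complements rather than replaces the `-fsanitize=address` run shown in the answer.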