command line inputs causing strange errors, what's going on?

This a piece that takes 3 input parameters from command line on startup (besides the app name that makes it 4 parameters).

The code works like it should most of the times, take a look at it and I present the cases when it does not work after it:

Code:

#include <stdio.h>

//----------------------------------------------------------------
// Source file for CMDCalutator.exe, a basic calculator.
// Use it by typing:
//     "calculator <ar op> <int> <int>" in the command promt
// where <ar op> stands for aritmetic operation +, -, * and /
//----------------------------------------------------------------
int main(int argc, char *argv[]) {

    printf ("%s\n", argv[1]);
    printf ("%d\n", atoi(argv[2]));
    printf ("%d\n", atoi(argv[3]));
}

Case one, following input makes the app crash. Mind the fact that the numbers could be any integer number:

Code:

CMDCalculator & 432 446

And following input gives an unexpected output

Code:

CMDCalculator * 432 446

output:

Code:

.git
0
0

Once again, the integer numbers do not seem to matter. Also if I put a character in front of either & or *, I get the expected outputs.

However, if I put a char after & I still get error and if I put a char after * (like *b) I get the name of a file in the current directory in case there is a file that ends with that char. For example:

For *b I get "keylogger.idb", for *c i get "better.c", for *e i get "better.exe" and so it goes on for the letters where there is a file that has a name who ends with the character following *. For the others I get the expected output.

Would someone like to explain why this happens? And how do you protect yourself against this? Cause I expect it can be used to make an exploit?

Assuming a *nix-like system, * and & have particular meaning to the shell (glob and send task to background). You will need to escape these.

keylogger.idb

Sorry, I forgot that extremly basic info. It is Windows 7 Ultimate 64 bits. Sure, escaping them will bypass the function. Would you like to explain for what actually happens?

Explain what actually happens about what? I'm not entirely sure what & does in the windows shell. But (depending on your compiler) the shell may or may not expand * before your program even sees it. (The mingw port of gcc, and I believe cygwin as well, set things up for shell expansion; the MSVS has a setting to go either way.) (ETA: The thread as mentioned is here. And as mentioned in that thread, typing "cmd /?" at your command prompt will, eventually, after many many screens of help, tell you which characters must be quoted.)

Code:

int main(int argc, char *argv[]) {

    printf ("%s\n", argv[1]);
    printf ("%d\n", atoi(argv[2]));
    printf ("%d\n", atoi(argv[3]));
}

Instead of assuming there are as many arguments as you expect, why don't you just print them out:

Code:

for( x = 0; x < argc; x++ )
    printf( "%s\n", argv[ x ] );

When in doubt, try it for yourself.


Quzah.

It is 4 arguments, I printed them before. Just didnt want to put that piece there.

tabstop: I use MinGW compiler. I think this is the keypoint:

The mingw port of gcc, and I believe cygwin as well, set things up for shell expansion

.

What does that mean? Could this be use for exploits if the characters are not correctly escaped?

Originally Posted by Hear.Me.ROAR

It is 4 arguments, I printed them before. Just didnt want to put that piece there.

So what's your problem then? If you are getting four different arguments, and one of them is your *, then why can't you figure out how to make it work?

So what is it you really see when you give it & or *? You aren't telling us what is really happening. You aren't showing us what you are really getting.

Why are you passing it & anyway? That's described as a valid argument.


Quzah.

Originally Posted by Hear.Me.ROAR

Could this be use for exploits if the characters are not correctly escaped?

No. (Or at the very least it's really easy to get command-line arguments right -- after all, if the expansion does happen, you will almost surely not get the right number or types of arguments, so any normal program will just stop.) And for that matter, any programmer actually writing a program that uses command-line arguments is going to expect wildcard expansion anyway, so it's pretty moot.

quzah: I tell exactly, no telling is good enough if you dont read the post. It was never about wrong number of arguments. Read it again.

tabstop: Alright. But as it happens I get the right number of arguments, just a file-name instead of the second parameter (including file name) if that parameter is * followed by a character who happens be the last character of a file in the current directory.

What does wildcard expansion mean?

Originally Posted by Hear.Me.ROAR

What does wildcard expansion mean?

So, have you ever used a computer before?

For many commands, it would be tiresome to list all the files that you want that command to affect (for instance, in the case of dir, the whole point is to find out what files are there). So you can type "dir *.*" to list all the files in that directory, or "dir *.c" to list all the files with a .c extension, or "rm fy9?budget.xls" to get rid of all the budgets from the nineties.

If you are only getting one filename, that must mean there's only one file that matches, and that's not a state of affairs that will last very long (e.g. if you have two C files, then *c will match (at least) two files).

When I have two files that match, it pick the first one in alphabetic order. But what I wonder is, why wont I just get my character as it is? Is * threatened differently, as a way to communicate with the shell on the go?

Originally Posted by tabstop

So, have you ever used a computer before?

I would be surprised if the percentage of people that have used a computer in the past decade, that have used a command line, broke the single digit range.


Quzah.

Originally Posted by Hear.Me.ROAR

When I have two files that match, it pick the first one in alphabetic order. But what I wonder is, why wont I just get my character as it is? Is * threatened differently, as a way to communicate with the shell on the go?

Are you sure? Are you really really really really sure? Print out argc and all your argv's and see. I'll bet you see them all.

Originally Posted by quzah

I would be surprised if the percentage of people that have used a computer in the past decade, that have used a command line, broke the single digit range.


Quzah.

This is probably true, alas. I was going to say something about all the Linux users in the world, but I wonder how many of them use CLI even.

Originally Posted by Hear.Me.ROAR

tabstop: Alright. But as it happens I get the right number of arguments, just a file-name instead of the second parameter (including file name) if that parameter is * followed by a character who happens be the last character of a file in the current directory.

What does wildcard expansion mean?

Type WIN+R in the Run dialog type CMD and click OK... now type cmd /? and start reading...
The guys are steering you in the right direction.

If you put a * on your command line it will be replaced by the first filename it finds.