sprintf getenv buffer overflow



bue
08-11-2005, 08:20 AM
Hi,

I'm a newbie in C programming and I have buffer overflow problems all the time, especially when using sprintf and getenv:

Here is a line that causes problems:
variable = getenv("TS_VERSION");

sprintf(query,"INSERT test Set test=\'programmec\',lastupdate=now(),ipaddress='%s ',macid='test'",getipaddress("eth0"))

I'm not sure, but I think the problem comes from these lines...

Could it be because I have variables that are too big, or too many of them?

jim mcnamara
08-11-2005, 09:31 AM
If

char *variable

is what is in

variable=getenv("SOME_NAME");

then it will work as long as you check it for NULL before you try to reference it. Please post the rest of the code for the function this lives inside of.

Salem
08-11-2005, 10:39 AM
char *query;

would be a big no-no as well.

Use an array, and use snprintf() if you can.

bue
08-12-2005, 01:23 AM
I've tried to debug with valgrind; it says:

==2294== Conditional jump or move depends on uninitialised value(s)
==2294== at 0x1B99798E: (within /lib/tls/libc-2.3.2.so)
==2294== by 0x1B98B644: vsprintf (in /lib/tls/libc-2.3.2.so)
==2294== by 0x1B97593C: sprintf (in /lib/tls/libc-2.3.2.so)
==2294== by 0x80496C1: main (mysql_exemple.c:40)
==2294==
==2294== Conditional jump or move depends on uninitialised value(s)
==2294== at 0x1B9965AD: _IO_default_xsputn (in /lib/tls/libc-2.3.2.so)
==2294== by 0x1B96D240: vfprintf (in /lib/tls/libc-2.3.2.so)
==2294== by 0x1B98B65A: vsprintf (in /lib/tls/libc-2.3.2.so)
==2294== by 0x1B97593C: sprintf (in /lib/tls/libc-2.3.2.so)
==2294== by 0x80496C1: main (mysql_exemple.c:40)
==2294==
==2294== Conditional jump or move depends on uninitialised value(s)
==2294== at 0x1B997AE0: _IO_str_overflow (in /lib/tls/libc-2.3.2.so)
==2294== by 0x1B996607: _IO_default_xsputn (in /lib/tls/libc-2.3.2.so)
==2294== by 0x1B96D240: vfprintf (in /lib/tls/libc-2.3.2.so)
==2294== by 0x1B98B65A: vsprintf (in /lib/tls/libc-2.3.2.so)
==2294== by 0x1B97593C: sprintf (in /lib/tls/libc-2.3.2.so)
==2294== by 0x80496C1: main (mysql_exemple.c:40)

I think I haven't understood how to use the print functions properly..?
Here is my code (line 40 is in red):


#include <mysql/mysql.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* The parameters below must be adapted to your situation */
#define MY_SERVER_HOST "ocs"
#define MY_SERVER_PORT 0
#define MY_ACCOUNT "test"
#define MY_PASS "test"
#define MY_DB_NAME "ocs"
#define MY_TABLE_NAME "test"
#define MY_UX_SOCK NULL
#define MY_CLIENT_FLAG 0


int main(){
    MYSQL *mysql;
    MYSQL_RES *res;
    MYSQL_ROW row;
    char *query;
    unsigned int t, f;
    // char * tsversion;
    char * variable;
    char * ipaddress;

    mysql=mysql_init(NULL);
    if (!mysql_real_connect(mysql,MY_SERVER_HOST,MY_ACCOUNT,MY_PASS,
                            MY_DB_NAME,MY_SERVER_PORT,MY_UX_SOCK,MY_CLIENT_FLAG)) {
        printf( "Erreur de connexion : %s\n",mysql_error(mysql));
    } else {
        printf("Connexion etablie...\n");

        sprintf(query,"select * from %s", MY_TABLE_NAME);
        printf("Requete : %s", query);

        t=mysql_real_query(mysql, query, (unsigned int) strlen(query));
        if (t) {
            printf("Erreur dans la requete : %s\n", mysql_error(mysql));
        } else {
            if((res=mysql_use_result(mysql))) {
                printf("Resultat de la requete :\n");
                f=mysql_num_fields(res);
                while((row=mysql_fetch_row(res))) {
                    for(t=0;t<f;t++) {
                        printf("\t%s",row[t]);
                    }
                    printf("\n");
                }
                mysql_free_result(res);
            }
            else {
                printf("Erreur de recuperation du resultat : %s\n", mysql_error(mysql));
            }
        }

        //ipaddress = getipaddress("eth0");
        sprintf(query,"INSERT test Set test=\'programmec\',lastupdate=now(),ipaddress='%s ',macid='%s'",getipaddress("eth0"),get$
        t=mysql_real_query(mysql, query, (unsigned int) strlen(query));
        printf("\n");
        if (t) {
            printf("Erreur lors de l'ajout %s" , mysql_error(mysql));
        } else {
            printf("L'ajout semble avoir marché\n");
        }
    }
    printf("\nl'adresse ip est : %s\n",getipaddress("eth0"));
    printf("\nl'adresse mac est : %s\n",getmac("eth0"));
    mysql_close(mysql);
    exit(EXIT_SUCCESS);
}

Salem
08-12-2005, 07:03 AM
> char *query;
See, I told you about this hole before you even posted your code, but you went ahead anyway and jumped right in.

bue
08-15-2005, 05:23 AM
Sorry, but I don't know how...
Can you just show me how to use an array and snprintf?


I have a second problem: when I uncomment the line with
ipaddress = getipaddress("eth0")

the error in English is maybe something like "incompatible type".
I don't understand; getipaddress("eth0") is supposed to return a char *, and ipaddress is also defined as one??

Salem
08-15-2005, 06:06 AM
char query[1000];
sprintf(query,"select * from %s", MY_TABLE_NAME);

Or better
snprintf(query,sizeof(query),"select * from %s", MY_TABLE_NAME);

Even better yet, check the return results as well.
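The pattern Salem describes (a fixed array, snprintf() bounded by sizeof, and a checked return value) together with the NULL check on getenv() that jim mentioned, as an added example that is not code from the thread; the table and column names and the 192.0.2.10 sample address are constructed:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format the INSERT statement into a caller-supplied array of `size` bytes.
 * Returns 0 on success, -1 if the text would not fit (or on an encoding error).
 * Note: this only fixes the buffer-length problem; values placed into SQL text
 * still need escaping or a parameterised query, which is a separate concern. */
int build_insert(char *query, size_t size, const char *ip, const char *macid)
{
    int n = snprintf(query, size,
        "INSERT test SET test='programmec',lastupdate=now(),"
        "ipaddress='%s',macid='%s'", ip, macid);
    /* snprintf returns the length the full text WOULD have; >= size means it
     * was truncated, so the query must not be sent in that state. */
    if (n < 0 || (size_t)n >= size)
        return -1;
    return 0;
}

/* getenv() returns NULL when the variable is unset; never pass that to %s. */
const char *ts_version_or(const char *fallback)
{
    const char *v = getenv("TS_VERSION");
    return v ? v : fallback;
}

/* Helper for trying different buffer sizes (at most 1000) with sample data. */
int try_build(size_t size)
{
    char query[1000];                       /* array, not an uninitialised char * */
    if (size > sizeof query)
        size = sizeof query;
    return build_insert(query, size, "192.0.2.10", "test");
}

int main(void)
{
    char query[1000];
    if (build_insert(query, sizeof query, "192.0.2.10", "test") == 0)
        printf("Query: %s\n", query);
    if (try_build(32) != 0)
        puts("32-byte buffer: query truncated, not sent");
    printf("TS_VERSION = %s\n", ts_version_or("(unset)"));
    return 0;
}
```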

bue
08-15-2005, 07:17 AM
Thank you for that explanation...
It seems that I have the same problem for the return value, but if I return the buffer from the function, I get an error; it seems I need to use a function like
return(getval(query));
??
I know getval doesn't exist here, but it is to illustrate...