Thread: string iterator not dereferencable

What is xstring? Is this a runtime or a compile-time error? (OK, this one is implied.) On what exact line to you get it?

Anyway, you don't have any guarantee that buf is 0-terminated. Even it is under regular circumstances, that's still a gaping security hole.

Yes its a runtime error and im still very new to c++ but I found this about xstring:

XString or the "Extended String Class" is a generic C++ class that can handle both ASCII and UNICODE strings.

This is the piece of code where the debugger points me:

Code:

#if _HAS_ITERATOR_DEBUGGING
		if (this->_Mycont == 0 || _Myptr == 0
			|| _Myptr < ((_Mystring *)this->_Mycont)->_Myptr()
			|| ((_Mystring *)this->_Mycont)->_Myptr()
				+ ((_Mystring *)this->_Mycont)->_Mysize <= _Myptr)
			{
			_DEBUG_ERROR("string iterator not dereferencable");
			_SCL_SECURE_OUT_OF_RANGE;
			}
		__analysis_assume(_Myptr != 0);

It points to: _DEBUG_ERROR("string iterator not dereferencable");

And yes it is 0-terminated. Here's the contents of the file UDPReader.cpp.

Code:

#include "UDPReader.h"
#include "OgreBasis.h"

UDPReader::UDPReader(char* host, int port) {

	this->host = host;
	this->port = port;
	this->udpDispatcher = Globals::om->getObservable("udpDispatcher");

}

void UDPReader::run() {

	long rc;
	SOCKET s;
	char buf[256];
	SOCKADDR_IN addr;
	SOCKADDR_IN remoteAddr;
	int remoteAddrLen=sizeof(SOCKADDR_IN);
	char message[1024];

	s=socket(AF_INET,SOCK_DGRAM,0);

	if(s == INVALID_SOCKET) {
		//sprintf(message, "Error: Socket couldnot be created, error code: %d\n",WSAGetLastError());
		//Globals::ogreBasis->mFrameListener->mDebugText = "Error: Socket couldnot be created, error code: ";

	} else {
		//sprintf(message, "UDP Socket created!\n");
		//Globals::ogreBasis->mFrameListener->mDebugText = "UDP Socket created!";

	}

	addr.sin_family=AF_INET;
	addr.sin_port=htons(this->port);

	u_long host_addr = inet_addr(this->host.c_str());   
    u_long net_mask = inet_addr("255.255.255.0");   
    u_long net_addr = host_addr & net_mask;         // 172.16.64.0
    u_long dir_bcast_addr = net_addr | (~net_mask); // 172.16.95.255

	addr.sin_addr.s_addr=htonl(INADDR_ANY);

	rc=bind(s,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));

	if(rc == SOCKET_ERROR) {

		//sprintf(message, "Error: bind, error code: %d\n",WSAGetLastError());
		//Globals::ogreBasis->mFrameListener->mDebugText = "Error: bind, error code: ";
  
	} else {

		//sprintf(message, "Socket bound to port %d\n", this->port);
		//Globals::ogreBasis->mFrameListener->mDebugText = "Socket bound to port ";
  
	}

	while(repeat) {

		rc=recvfrom(s,buf,256,0,(SOCKADDR*)&remoteAddr,&remoteAddrLen);
    
		if(rc == SOCKET_ERROR) {

			//sprintf(message, "Error: recvfrom, error code: %d\n",WSAGetLastError());
			//Globals::ogreBasis->mFrameListener->mDebugText = "Error: recvfrom, error code: ";
    
		} else {

			//sprintf(message, "%d Bytes received!\n", rc);
			//Globals::ogreBasis->mFrameListener->mDebugText = "Bytes received!";

			buf[rc]='\0';
		}

		//sprintf(message, "Received data: %s\n",buf);
		this->udpDispatcher->sendMessage(buf);
		

		sprintf(message, "Received data: %s\n",buf);
		Globals::ogreBasis->mFrameListener->mDebugText = message;
		//LogManager::getSingletonPtr()->logMessage(tmes);

		
	}

	_endthread();

}

And yes it is 0-terminated.

No, it's not. I can send your program 256 bytes of garbage and it will happily read those, and the memory beyond your 256-byte buffer too. At best, you'll get garbage output in the debug message. At worst, your program overwrites the stack with random (or is it?) data, leading to a crash or even a remote code execution.

OK, so you're dealing with an invalid iterator. Where? The debugger has a stack trace. Go up the stack frames until you get to code that you wrote. The likelyhood of there being such a bug in libstdc++ is low.

Well, the debugger should allow you to inspect buf and message in this function. You should be able to tell you whether they are valid.