Thread: sprintf getenv buffer overflow

  1. #1
    Registered User
    Join Date
    Aug 2005
    Posts
    5

    sprintf getenv buffer overflow

    Hi,

    I'm a newbie in C programming and I have buffer overflow problems all the time, especially using sprintf and getenv:

    here is a line that makes a problem:
    variable = getenv("TS_VERSION");


    sprintf(query,"INSERT test Set test=\'programmec\',lastupdate=now(),ipaddress='%s ',macid='test'",getipaddress("eth0"))

    I'm not sure, but I think the problem comes from these lines...

    Could it be because I have too big variables, or too many?

  2. #2
    .
    Join Date
    Nov 2003
    Posts
    307
    if
    Code:
    char *variable
    is what is in
    Code:
    variable=getenv("SOME_NAME");
    then it will work as long as you check it for NULL before you try to reference it. Please post the rest of the code for the function this lives inside of.

  3. #3
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    char*query;
    would be a big no-no as well.

    Use an array, and use snprintf() if you can
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  4. #4
    Registered User
    Join Date
    Aug 2005
    Posts
    5
    I've tried to debug with valgrind, it says:

    ==2294== Conditional jump or move depends on uninitialised value(s)
    ==2294== at 0x1B99798E: (within /lib/tls/libc-2.3.2.so)
    ==2294== by 0x1B98B644: vsprintf (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x1B97593C: sprintf (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x80496C1: main (mysql_exemple.c:40)
    ==2294==
    ==2294== Conditional jump or move depends on uninitialised value(s)
    ==2294== at 0x1B9965AD: _IO_default_xsputn (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x1B96D240: vfprintf (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x1B98B65A: vsprintf (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x1B97593C: sprintf (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x80496C1: main (mysql_exemple.c:40)
    ==2294==
    ==2294== Conditional jump or move depends on uninitialised value(s)
    ==2294== at 0x1B997AE0: _IO_str_overflow (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x1B996607: _IO_default_xsputn (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x1B96D240: vfprintf (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x1B98B65A: vsprintf (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x1B97593C: sprintf (in /lib/tls/libc-2.3.2.so)
    ==2294== by 0x80496C1: main (mysql_exemple.c:40)

    I think I haven't understood how to use the print functions properly?
    Here is my code (line 40 is in red)

    Code:
    #include <mysql/mysql.h>
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    /* The parameters below are to be adapted to your situation */
    #define MY_SERVER_HOST "ocs"
    #define MY_SERVER_PORT 0
    #define MY_ACCOUNT "test"
    #define MY_PASS "test"
    #define MY_DB_NAME "ocs"
    #define MY_TABLE_NAME "test"
    #define MY_UX_SOCK NULL
    #define MY_CLIENT_FLAG 0
    
    
    int main(){
       MYSQL *mysql;
       MYSQL_RES *res;
       MYSQL_ROW row;
       char *query;
       unsigned int t, f;
    //   char * tsversion;
       char * variable;
       char * ipaddress;
    
       mysql=mysql_init(NULL);
       if (!mysql_real_connect(mysql,MY_SERVER_HOST,MY_ACCOUNT,MY_PASS,
            MY_DB_NAME,MY_SERVER_PORT,MY_UX_SOCK,MY_CLIENT_FLAG)) {
           printf( "Erreur de connexion : %s\n",mysql_error(mysql));
       } else {
          printf("Connexion etablie...\n");
    
          sprintf(query,"select * from %s", MY_TABLE_NAME);
          printf("Requete : %s", query);
    
          t=mysql_real_query(mysql, query, (unsigned int) strlen(query));
          if (t) {
             printf("Erreur dans la requete : %s\n", mysql_error(mysql));
          } else {
             if((res=mysql_use_result(mysql))) {
                printf("Resultat de la requete :\n");
                f=mysql_num_fields(res);
                while((row=mysql_fetch_row(res))) {
                  for(t=0;t<f;t++) {
                    printf("\t%s",row[t]);
                  }
                  printf("\n");
                }
                       mysql_free_result(res);
             }
             else {
               printf("Erreur de recuperation du resultat : %s\n", mysql_error(mysql));
             }
          }
    
    //ipaddress = getipaddress("eth0");
          sprintf(query,"INSERT test Set test=\'programmec\',lastupdate=now(),ipaddress='%s',macid='%s'",getipaddress("eth0"),get$
          t=mysql_real_query(mysql, query, (unsigned int) strlen(query));
          printf("\n");
          if (t) {
            printf("Erreur lors de l'ajout %s" , mysql_error(mysql));
          } else {
            printf("L'ajout semble avoir marché\n");
          }
       }
    printf("\nl'adresse ip est : %s\n",getipaddress("eth0"));
    printf("\nl'adresse mac est : %s\n",getmac("eth0"));
       mysql_close(mysql);
       exit(EXIT_SUCCESS);
    }

  5. #5
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    > char *query;
    See, I told you about this hole before you even posted your code, but you went ahead anyway and jumped right in.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  6. #6
    Registered User
    Join Date
    Aug 2005
    Posts
    5
    Sorry but I don't know how...
    Can you just show me how to use an array and snprint ?


    I've a second problem: when I uncomment the line with
    ipaddress = getipaddress("eth0")

    the error in English is maybe something like "incompatible type".
    I don't understand, getipaddress("eth0") is supposed to return a char *, and ipaddress is also defined that way??

  7. #7
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    char query[1000];
    sprintf(query,"select * from %s", MY_TABLE_NAME);

    Or better
    snprintf(query,sizeof(query),"select * from %s", MY_TABLE_NAME);

    Even better yet, check the return results as well.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.
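    A worked version of Salem's advice (a fixed array plus snprintf, with the return value checked) combined with the NULL check from #2, as an added example that is not code from the thread. The IP string and the environment variable name are constructed stand-ins, since getipaddress() is not shown on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read an environment variable, substituting a default when it is unset,
 * so the pointer handed to snprintf() is never NULL (the check from #2). */
const char *env_or_default(const char *name, const char *fallback)
{
    const char *v = getenv(name);
    return v ? v : fallback;
}

/* Build the INSERT into a caller-supplied array of 'cap' bytes.
 * Returns 0 when the whole query fits, -1 otherwise; on failure the
 * buffer is emptied so a truncated query is never sent to the server.
 * snprintf() returns the length it *wanted* to write, so n >= cap
 * means the output was cut off (the overflow sprintf() would silently do). */
int build_insert(char *buf, size_t cap, const char *ip, const char *version)
{
    int n = snprintf(buf, cap,
        "INSERT test SET test='programmec',lastupdate=now(),"
        "ipaddress='%s',macid='%s'", ip, version);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            buf[0] = '\0';
        return -1;
    }
    /* Note: sizing the buffer fixes the overflow only; values interpolated
     * into SQL still need escaping, which is outside this example. */
    return 0;
}

int main(void)
{
    char query[1000];  /* an array, not the unset 'char *query' from the post */
    /* constructed inputs: a documentation IP and an assumed variable name */
    const char *ver = env_or_default("TS_VERSION", "unknown");
    if (build_insert(query, sizeof query, "192.0.2.10", ver) != 0) {
        fprintf(stderr, "query does not fit in %zu bytes\n", sizeof query);
        return EXIT_FAILURE;
    }
    printf("Requete : %s\n", query);
    return EXIT_SUCCESS;
}
```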

  8. #8
    Registered User
    Join Date
    Aug 2005
    Posts
    5

    ok for snprintf

    thank you for that explanation...
    It seems that I have the same problem for the return value, but if I return the buffer from the function, I get an error. It seems I need to use a function like
    return(getval(query));
    ??
    I know getval doesn't exist here, but it is to illustrate...
