please wait
- Forum
- General C++ Programming
- "Stack smashing detected" -- Cannot func
"Stack smashing detected" -- Cannot functionalize a chunk of code
Mar 1, 2012 at 6:37pm
Hi all. I'm working on a pretty large project. Everything's going well except that I'm having a very strange problem trying to put a chunk of code into a separate function from main. I am communicating with a CrystalFontz-brand LCD screen + keypad unit which connects to the computer via USB. It communicates in a pretty simple packet/handshaking protocol, and I have defined a struct which generally describes a single packet of data to or from the unit:
Now, there are many points in time at which I need to wait for a keypress from the user. Getting input from the device is a several-step process, including using a CRC algorithm to verify data validity. So obviously I want to functionalize the process of getting a key from the user, into something called, say, crystal_keystroke(). Here is the process:
Most of this snippet isn't relevant to my problem -- it's just the logistics of communicating with the device -- suffice it to say that at the end of this snippet, a key on the CrystalFontz has been pressed and "keypress" contains an indicator telling me which one.
Now, this code works without a hitch *if* it's sitting right in main(). The problem is that if I try to put this *exact* same code into a separate function called crystal_keystroke(), change the last line to return response.data[0] as the result, and call "int keypress = crystal_keystroke()" from main, the program craps out with a backtrace and the complaint "Stack smashing detected." This seems to occur on the "return" line of crystal_keystroke(). I've read a little bit about what this means but I don't quite understand it, or why it's happening here. Apparently it has to do with addressing memory illegally (similar to a segfault, but somehow different), but I don't see any way I'm doing that.
Oddly (in my perception), I discovered that if I instantiate the crystal_packet struct on main's stack instead of on crystal_keystroke's stack, and pass it by reference to crystal_keystroke, everything works dandily. I.e., if I write the function like this:
And call it like this, from main():
Then it works without a hitch. The only thing I am trying to do differently from that is to instantiate the crystal_packet struct on crystal_keystroke's stack instead of main's stack, so that I don't have to keep a struct in memory on main's stack that I'm not using most of the time (and make main's code a bit bulkier). Why shouldn't I be able to do it that way? An additional bit of intrigue: I already have a *lot* of other functions, separate from main, that I'm using the same way as I'm trying to use crystal_keystroke(), that I've concocted for interfacing with the device in various ways. *They* instantiate crystal_packets on *their* stacks without a complaint...and I can run them as many times as I want! But a single call to crystal_keystroke() and everything explodes. Why can I not instantiate one on the stack of this function in particular?
If anyone can provide any help or insight it would be much appreciated. TIA!
|
|
Now, there are many points in time at which I need to wait for a keypress from the user. Getting input from the device is a several-step process, including using a CRC algorithm to verify data validity. So obviously I want to functionalize the process of getting a key from the user, into something called, say, crystal_keystroke(). Here is the process:
|
|
Most of this snippet isn't relevant to my problem -- it's just the logistics of communicating with the device -- suffice it to say that at the end of this snippet, a key on the CrystalFontz has been pressed and "keypress" contains an indicator telling me which one.
Now, this code works without a hitch *if* it's sitting right in main(). The problem is that if I try to put this *exact* same code into a separate function called crystal_keystroke(), change the last line to return response.data[0] as the result, and call "int keypress = crystal_keystroke()" from main, the program craps out with a backtrace and the complaint "Stack smashing detected." This seems to occur on the "return" line of crystal_keystroke(). I've read a little bit about what this means but I don't quite understand it, or why it's happening here. Apparently it has to do with addressing memory illegally (similar to a segfault, but somehow different), but I don't see any way I'm doing that.
Oddly (in my perception), I discovered that if I instantiate the crystal_packet struct on main's stack instead of on crystal_keystroke's stack, and pass it by reference to crystal_keystroke, everything works dandily. I.e., if I write the function like this:
|
|
And call it like this, from main():
|
|
Then it works without a hitch. The only thing I am trying to do differently from that is to instantiate the crystal_packet struct on crystal_keystroke's stack instead of main's stack, so that I don't have to keep a struct in memory on main's stack that I'm not using most of the time (and make main's code a bit bulkier). Why shouldn't I be able to do it that way? An additional bit of intrigue: I already have a *lot* of other functions, separate from main, that I'm using the same way as I'm trying to use crystal_keystroke(), that I've concocted for interfacing with the device in various ways. *They* instantiate crystal_packets on *their* stacks without a complaint...and I can run them as many times as I want! But a single call to crystal_keystroke() and everything explodes. Why can I not instantiate one on the stack of this function in particular?
If anyone can provide any help or insight it would be much appreciated. TIA!
Mar 1, 2012 at 7:14pm
Maybe you are accessing the array out of bounds
¿Can you show crystal_get(), please?
¿Can you show crystal_get(), please?
Mar 1, 2012 at 7:38pm
I can't see anything wrong with this particular code that would cause any problem, although you didn't show the code that supposedly caused it. Assuming it was the following:
it shouldn't be a problem. My first thought is that you have a problem elsewhere that only surfaces here when you modify the stack. That suggests to me that there is a previous function call that returned a pointer or reference to memory allocated on the stack which your code has stored.
|
|
it shouldn't be a problem. My first thought is that you have a problem elsewhere that only surfaces here when you modify the stack. That suggests to me that there is a previous function call that returned a pointer or reference to memory allocated on the stack which your code has stored.
Mar 1, 2012 at 11:22pmI can't see anything wrong with this particular code that would cause any problem, although you didn't show the code that supposedly caused it. Assuming it was the following:
|
Yes, this is exactly the problematic code. Let me point out again that it doesn't seem to happen until the return statement -- if I put a "printf("Made it here\n");" immediately before the return instruction, that printf is carried out. But it doesn't seem to make it back from the function to continue with main().
Maybe you are accessing the array out of bounds ¿Can you show crystal_get(), please? |
Sure, crystal_get() will follow. It's passed a crystal_packet by reference in which to store any complete packet received from the device, and it also gives back, as the function return value, a boolean indicating whether or not a full and good packet came in. I'd like to point out though that one of my other functions which instantiates a crystal_packet also uses crystal_get(), and I've tested it fairly vigorously since it is functioning as the heart and soul of input from the device. Of course, I am not so arrogant as to think therefore that nothing could *possibly* be wrong with it. ^_^
|
|
Thanks again for the willingness to help. :)
Mar 2, 2012 at 2:53am
Update: It's been pointed out to me that memcpy is unsafe on potentially-overlapping sections of memory, and that memmove accomplishes the same goal safely. I was previously unaware of that. The memcpy's have been changed to memmove's, and the error still occurs. I don't *think* (but again, I could be wrong) that the issue is with my crystal_get() function. I've experimented some more and found that another way to make the crystal_keystroke() function work is simply to heap-allocate the crystal_packet, like so:
But I shouldn't have to do this; I know that I need one and only one crystal_packet, so why can't I just create on the stack? In a nutshell, this ^ works fine, but the following causes "stack smashing detected" :
Why? o_O
|
|
But I shouldn't have to do this; I know that I need one and only one crystal_packet, so why can't I just create on the stack? In a nutshell, this ^ works fine, but the following causes "stack smashing detected" :
|
|
Why? o_O
Last edited on Mar 2, 2012 at 2:53am
Mar 2, 2012 at 10:42am
This has all the symptoms of a canary being overwritten. http://en.wikipedia.org/wiki/Buffer_overflow_protection#Canaries
In
the only local objects on the stack-frame are the crystal_packet and a canary; any buffer overflow will show up because the canary which is at an immediately higher address to the crystal_packet would get over-written. main() has a much larger stack frame, the canary may not immediately follow the crystal_packet object and an overflow by some number of bytes may go undetected. If the crystal_packet is allocated dynamically, the overflow takes place somewhere on the free store; again the canary is not tampered with and the buffer overflow goes undetected.
Make the following modification to crystal_get :
Type of
Run this tiny program and the precise problem with the original code would become apparent:
In
|
|
the only local objects on the stack-frame are the crystal_packet and a canary; any buffer overflow will show up because the canary which is at an immediately higher address to the crystal_packet would get over-written. main() has a much larger stack frame, the canary may not immediately follow the crystal_packet object and an overflow by some number of bytes may go undetected. If the crystal_packet is allocated dynamically, the overflow takes place somewhere on the free store; again the canary is not tampered with and the buffer overflow goes undetected.
Make the following modification to crystal_get :
|
|
Type of
&(result.data) is unsigned char (*pointer_to_array)[30] ;
&(result.data) + result.length would give an address that is equal to result.data + result.length * sizeof(result.data) or result.data + result.length * 30. A buffer overflow is the natural consequence. Run this tiny program and the precise problem with the original code would become apparent:
|
|
Last edited on Mar 2, 2012 at 11:11am
Mar 2, 2012 at 5:16pm
|
You're right! I was taking the address of result.data, when result.data itself is what I wanted (it being the pointer to the start of the array). Apparently that was my whole problem. Thanks very much. I feel pretty stupid now. 9_9 What I don't understand now is how I was getting away with everything else working properly, with that coding error in place....
Mar 3, 2012 at 3:50am
> What I don't understand now is how I was getting away with everything else working properly
You were not getting away with anything - it wasn't working properly. You were just plain unlucky that your testing didn't catch the error earlier.
You should probably write a simple simulator for the device (for example, one that reads and presents data from a test-file) and test your code using that.
You should certainly prefer type-safe C++ features over equivalent C features - then the C++ compiler can detect programming errors that would have gone undetected in C.
You were not getting away with anything - it wasn't working properly. You were just plain unlucky that your testing didn't catch the error earlier.
You should probably write a simple simulator for the device (for example, one that reads and presents data from a test-file) and test your code using that.
You should certainly prefer type-safe C++ features over equivalent C features - then the C++ compiler can detect programming errors that would have gone undetected in C.
|
|
Last edited on Mar 3, 2012 at 4:33am
Topic archived. No new replies allowed.