Stack Smashing in Java Interposer


Question

I am writing a Java interposer to modify network communication related system calls. Basically, I want to modify the IP and port of the intended recipient.

The code works correctly on my laptop, but on the university PC it gives a stack smashing error:

*** stack smashing detected ***: java terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xb7702dd5]
/lib/i386-linux-gnu/libc.so.6(+0xffd8a)[0xb7702d8a]
/home/mwaqar/vibe/ldinterposer_2.so(+0x28e4)[0xb77c98e4]
/home/mwaqar/vibe/ldinterposer_2.so(connect+0x9c5)[0xb77c9093]
/usr/lib/jvm/java-7-openjdk-i386/jre/lib/i386/libnet.so(+0xceff)[0x8b226eff]
/usr/lib/jvm/java-7-openjdk-i386/jre/lib/i386/libnet.so(Java_java_net_PlainSocketImpl_socketConnect+0x4c1)[0x8b227c51]

The relevant code (interposition of the connect system call) is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Defined elsewhere in the shared library (not shown in the question):
 * NAT_VM_CONNECT_RULE, NAT_VM_DELIMITER and DEBUG_MODE are macros, sock is
 * the control socket opened in the library constructor, vm_ip is the VM
 * address string, and real_connect is the libc connect() looked up with
 * dlsym(RTLD_NEXT, "connect"). The types below are inferred from their use. */
extern int   sock;
extern char *vm_ip;
extern int (*real_connect)(int, const struct sockaddr *, socklen_t);

int connect(int fd, const struct sockaddr *sk, socklen_t sl)
{
    /* Both casts discard const: the caller's sockaddr is rewritten in place. */
    struct sockaddr_in  *lsk_in  = (struct sockaddr_in *)  sk;
    struct sockaddr_in6 *lsk_in6 = (struct sockaddr_in6 *) sk;

    struct sockaddr_in   addr4;

    int  nbytes, oport, tport;
    char ip_address[30];
    char buffer[1024];

    if ((lsk_in->sin_family == AF_INET) || (lsk_in->sin_family == AF_INET6))
    {
        /* Extract the original destination port and IPv4 address; for IPv6
         * the last four bytes of the address are taken as an embedded IPv4. */
        if (lsk_in->sin_family == AF_INET)
        {
            oport = ntohs(lsk_in->sin_port);
            memcpy(&addr4.sin_addr.s_addr, &lsk_in->sin_addr.s_addr, sizeof(addr4.sin_addr.s_addr));
        }
        else if (lsk_in->sin_family == AF_INET6)
        {
            oport = ntohs(lsk_in6->sin6_port);
            memcpy(&addr4.sin_addr.s_addr, lsk_in6->sin6_addr.s6_addr + 12, sizeof(addr4.sin_addr.s_addr));
        }

        /* Ask the NAT service where this connection should really go. */
        memset(buffer, '\0', sizeof(buffer));
        sprintf(buffer, "%s%c%s%c%i", NAT_VM_CONNECT_RULE, NAT_VM_DELIMITER, (char *)inet_ntoa(addr4.sin_addr), NAT_VM_DELIMITER, oport);

        nbytes = send(sock, buffer, strlen(buffer), 0);
        if (DEBUG_MODE)
            fprintf(stdout, "[LD_INTERPOSER] Sent[%s]\n", buffer);

        memset(buffer, '\0', sizeof(buffer));
        nbytes = recv(sock, buffer, sizeof(buffer), 0);

        fprintf(stderr, "[LD_INTERPOSER] Received CONNECT [%s]\n", buffer);

        /* The reply is expected as "<ip><delimiter><port>". */
        memset(ip_address, '\0', sizeof(ip_address));
        int pos = strrchr(buffer, NAT_VM_DELIMITER) - buffer;

        strncpy(ip_address, buffer, pos);
        ip_address[pos] = '\0';
        tport = atoi(buffer + pos + 1);

        /* Overwrite the caller's sockaddr with the translated target. */
        if (lsk_in->sin_family == AF_INET)
        {
            lsk_in->sin_addr.s_addr = inet_addr(ip_address + 7);
            lsk_in->sin_port = htons(tport);
        }
        else if (lsk_in->sin_family == AF_INET6)
        {
            inet_pton(AF_INET6, ip_address, &(lsk_in6->sin6_addr));
            lsk_in6->sin6_port = htons(tport);
        }

        fprintf(stderr, "[LD_INTERPOSER] IP[%s], Port[%d] for VM[%s]\n", ip_address, tport, vm_ip);
    }

    int my_ret = real_connect(fd, sk, sl);
    fprintf(stderr, "Done\n");
    return my_ret;
}

Here, sock is set up in my shared library's constructor.

The program works correctly and prints Done. On the last (return) line, it gives the stack smashing error. I have no idea what is causing this.

Answer

I suspect strrchr returns NULL in the line

int pos = strrchr(buffer, NAT_VM_DELIMITER) - buffer;

Then pos will be huge, and the following lines will read and write invalid addresses.

Always check the return value of functions (especially when they're run on data received from outside your program).

Also, as I wrote in my comment, never use sprintf. I can't tell if it fails, because I don't know what NAT_VM_CONNECT_RULE is. Even if you counted the bytes and know you're OK, you should still be careful and use snprintf instead.
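As an added example (not the poster's code or the answerer's), here is a bounds-checked version of the two pieces the answer calls out: building the request with snprintf and checking for truncation, and parsing the reply with the strrchr result tested for NULL. It goes a step further than the answer in two ways: it refuses a reply whose address part would not fit the 30-byte ip_address array (strncpy with a large pos overflows that array even when the delimiter is present), and it treats the received bytes as a length-delimited buffer rather than a NUL-terminated string, since recv() does not terminate what it writes. The rule string, the delimiter and the "<ip><delimiter><port>" reply layout are assumptions modelled on the snippet in the question; the inputs in main are constructed.

```c
/* Added example: bounds-checked request building and reply parsing for the
 * interposed connect(). Not the original poster's code. The rule string,
 * delimiter and reply layout are assumptions taken from the question. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Build "<rule><delim><ip><delim><port>" with snprintf. snprintf returns the
 * length the full string would have needed, so a value >= outsz means the
 * output was truncated; report that as an error instead of sending garbage. */
int build_connect_rule(char *out, size_t outsz, const char *rule, char delim,
                       const char *ip, int port)
{
    int n = snprintf(out, outsz, "%s%c%s%c%d", rule, delim, ip, delim, port);
    if (n < 0 || (size_t)n >= outsz) {
        return -1;
    }
    return 0;
}

/* Parse a reply of the form "<ip><delim><port>" from n bytes that came off
 * the wire and are NOT assumed to be NUL-terminated. Returns 0 on success and
 * -1 for any malformed input; on failure ip_out and *port_out are untouched. */
int parse_connect_reply(const char *buf, size_t n, char delim,
                        char *ip_out, size_t ipsz, int *port_out)
{
    /* Work on a private, NUL-terminated copy so strrchr cannot run past the
     * received bytes (the same size as the question's 1024-byte buffer). */
    char work[1024];
    if (n == 0 || n >= sizeof(work)) return -1;
    memcpy(work, buf, n);
    work[n] = '\0';
    if (strlen(work) != n) return -1;           /* embedded NUL: reject */

    const char *sep = strrchr(work, delim);
    if (sep == NULL) return -1;                 /* the check the answer asks for */

    size_t iplen = (size_t)(sep - work);
    if (iplen == 0 || iplen >= ipsz) return -1; /* would overflow ip_out */

    /* Port: must start with a digit (no sign or whitespace), be fully
     * consumed by strtol, and lie in the valid TCP/UDP range. */
    const char *p = sep + 1;
    if (*p < '0' || *p > '9') return -1;
    char *end;
    errno = 0;
    long port = strtol(p, &end, 10);
    if (errno != 0 || *end != '\0' || port < 1 || port > 65535) return -1;

    memcpy(ip_out, work, iplen);
    ip_out[iplen] = '\0';
    *port_out = (int)port;
    return 0;
}

int main(void)
{
    char req[64], ip[30];
    int port;

    /* Constructed request and reply; "CONNECT" and ':' stand in for the
     * question's NAT_VM_CONNECT_RULE and NAT_VM_DELIMITER. */
    if (build_connect_rule(req, sizeof req, "CONNECT", ':', "10.0.0.5", 443) == 0)
        printf("request: %s\n", req);

    const char reply[] = "192.168.1.7:8080";
    if (parse_connect_reply(reply, strlen(reply), ':', ip, sizeof ip, &port) == 0)
        printf("ip=%s port=%d\n", ip, port);
    else
        printf("malformed reply\n");
    return 0;
}
```

With this in place the interposer's connect() would hand the recv() result and its byte count to parse_connect_reply(), and fall through to real_connect() with the address unchanged whenever it returns -1, instead of indexing buffer with a pos computed from a NULL pointer.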
