我正在尝试找到队列的 C 代码中的安全漏洞
我知道 malloc 部分有些可疑,但我很难看出其中的不安全之处:
//que structure
typedef struct queue{
int *que; // the actual array of queue elements
int head; // the head index in que of the queue
int count; /// number of elements in queue
int size; // max number of elements in queue
} QUEUE;
void qManage(QUEUE **qptr, int flag, int size){
if(flag){
/* allocate a new queue */
*qptr = malloc(sizeof(QUEUE));
(*qptr)->head = (*qptr)->count = 0;
(*qptr)->que = malloc(size * sizeof(int));
(*qptr)->size = size;
}
else{
/* delete the current queue */
(void) free((*qptr)->que);
(void) free(*qptr);
}
}
I know that there's something fishy about the malloc part, but I'm having trouble seeing what's unsafe about this:
//que structure
typedef struct queue{
int *que; // the actual array of queue elements
int head; // the head index in que of the queue
int count; /// number of elements in queue
int size; // max number of elements in queue
} QUEUE;
void qManage(QUEUE **qptr, int flag, int size){
if(flag){
/* allocate a new queue */
*qptr = malloc(sizeof(QUEUE));
(*qptr)->head = (*qptr)->count = 0;
(*qptr)->que = malloc(size * sizeof(int));
(*qptr)->size = size;
}
else{
/* delete the current queue */
(void) free((*qptr)->que);
(void) free(*qptr);
}
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
我很确定问题是这样的:
如果您为“size”传递负值会发生什么?另一个可能的问题是您在分配后没有检查
*qptr是否有NULL但是,这在实际代码中很少会出现问题,如果发生的话,您还需要担心其他错误。I'm pretty sure the problem this:
What happens if you pass a negative value for 'size'?Another possible issue is that you do not check
*qptrforNULLafter you allocate, however, rarely would that be a problem in actual code, if it would ever happen, you have other errors to worry about.