C 中的 malloc() 内存损坏答案

【问题标题】：malloc() memory corruption in CC 中的 malloc() 内存损坏
【发布时间】：2015-10-15 05:57:35
【问题描述】：

malloc() 在以下代码中给了我一个错误。我使用了 valgrind，但仍然无济于事。我是 C 的初学者，我的队友和我正在尝试实现 SHA1 算法，但有些东西我们都无法理解，并且已经花了几个小时。这是有错误的函数 -

/*
 * Returns an array of chunks on the heap from the message
 */

static unsigned char **sha1_chunkify(const unsigned char *message, const uint64_t message_length)
{
    long num_chunks = message_length / 64;    //breaking it down into 64 byte chunks
    printf("%lu %ld\n", message_length, num_chunks);
    unsigned char **chunks = malloc (num_chunks * sizeof(*chunks)); //Error is coming over here

    for (int i = 0; i < num_chunks; i++) {
        chunks[i] = malloc (64 * sizeof(*chunks[i])); //Or sometimes over here.

        for (int j = 0; j < 64; j++) {
            chunks[i][j] = message[64 * i + j];
        }
    }

    return chunks;
}

这是这些行的 gdb 输出 -

117     printf("%lu %ld\n", message_length, num_chunks);
(gdb) 
1472 23
118     unsigned char **chunks = (unsigned char **) malloc (num_chunks * sizeof(*chunks));
(gdb) 
*** Error in `/home/username/Desktop/Project_VCS/a.out': malloc(): memory corruption: 0x000000000060cac0 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Valgrind 显示如下 -

3
mytry.c
==16688== Invalid write of size 1
==16688==    at 0x401EA6: append_zeroes (sha1.c:155)
==16688==    by 0x401F1D: sha1_pad (sha1.c:177)
==16688==    by 0x401FB7: sha1 (sha1.c:200)
==16688==    by 0x400C72: snap_file (snap.c:40)
==16688==    by 0x4012F7: snap (snap.c:143)
==16688==    by 0x401852: snap_all (snap.c:220)
==16688==    by 0x40222E: main (nako.c:24)
==16688==  Address 0x5220720 is 0 bytes after a block of size 1,408 alloc'd
==16688==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16688==    by 0x401F7B: sha1 (sha1.c:195)
==16688==    by 0x400C72: snap_file (snap.c:40)
==16688==    by 0x4012F7: snap (snap.c:143)
==16688==    by 0x401852: snap_all (snap.c:220)
==16688==    by 0x40222E: main (nako.c:24)
==16688== 
==16688== Invalid write of size 1
==16688==    at 0x401E6A: append_msg_len (sha1.c:142)
==16688==    by 0x401F34: sha1_pad (sha1.c:179)
==16688==    by 0x401FB7: sha1 (sha1.c:200)
==16688==    by 0x400C72: snap_file (snap.c:40)
==16688==    by 0x4012F7: snap (snap.c:143)
==16688==    by 0x401852: snap_all (snap.c:220)
==16688==    by 0x40222E: main (nako.c:24)
==16688==  Address 0x5220758 is not stack'd, malloc'd or (recently) free'd
==16688== 
1472 23

valgrind: m_mallocfree.c:277 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

==16688==    at 0x38050BAC: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==16688==    by 0x38050D06: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==16688==    by 0x3805B36A: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==16688==    by 0x3805D2D7: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==16688==    by 0x380216D4: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==16688==    by 0x380218A2: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==16688==    by 0x3809DC03: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==16688==    by 0x380AC87C: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)

sched status:
running_tid=1

Thread 1: status = VgTs_Runnable
==16688==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16688==    by 0x401D94: sha1_chunkify (sha1.c:118)
==16688==    by 0x401FCA: sha1 (sha1.c:202)
==16688==    by 0x400C72: snap_file (snap.c:40)
==16688==    by 0x4012F7: snap (snap.c:143)
==16688==    by 0x401852: snap_all (snap.c:220)
==16688==    by 0x40222E: main (nako.c:24)

我已经经历了几个线程，但错误仍然存在。如果之前有人问过，我很抱歉。我找不到相同的。提前谢谢你。

这里是函数 append_zeroes 和 append_msg_len -

/*
 * Pad the message with its length.
 * The input lengths are in bytes, while the padding, in accordance with
 * the SHA1 algorithm, is done in bits.
 */
static inline void append_msg_len(unsigned char *message,
                  uint64_t *message_length,
              uint64_t original_msglen)
{
    int shift = 56;
    while (shift >= 0) {
        /* Add the next 8 bits. */
         message[*message_length] = (8 * original_msglen >> shift) & 0xff;
         shift -= 8;
    *message_length += 1;
    }
}

/*
 * Appends enough zeroes until the message has just enough room for appending
 * the message length, i.e, length 448 mod 512
 */
static inline void append_zeroes(unsigned char *message, uint64_t *message_length)
{
    while (*message_length % 64 != 56) {
        message[*message_length] = (unsigned char) 0x00;
        *message_length += 1;
    }
}

【问题讨论】：

valgrind 输出非常清楚地表明问题不在于您发布的代码，而在于 append_zeroes()。
这一行：long num_chunks = message_length / 64; 是一个整数除法，因此会导致 num_chunks 比实际的块数少 1，因为任何分数都被截断了
发布的代码包含magic 编号64。使用magic 编号会使代码更难理解，并且在执行维护时会引起很大的麻烦。强烈建议使用枚举或#define 创建一个有意义的名称，并在整个代码中使用该有意义的名称。
@user3629249：不，那行完全没问题。
建议将：long num_chunks = message_length / 64 替换为：long num_chunks = (message_length+63) / 64

标签： c memory malloc sha1 memory-corruption

【解决方案1】：

看这段代码：

long num_chunks = message_length / 64;    //breaking it down into 64 byte chunks

如果我们使用message_length = 63，例如，num_chunks 变为零，这显然是错误的。如果你改用：

long num_chunks = (message_length + 63) / 64;    //breaking it down into 64 byte chunks

您将获得正确数量的块，并希望您的其余代码表现良好。

【讨论】：

只有在 message_length 不是 64 的倍数并且会（在此代码中）导致一些数据丢失时，这才是一个问题，这将是错误的，但是不会导致所问的错误。此函数中的代码不会写入超出分配空间的末尾。
假设message_length 并不总是64 的倍数，我想其他代码（例如append_zeros）可以正确计算块并尝试使用未分配的块？但我们猜测没有append_zeros 代码。
当然可以。 invalid write 位置有相当多的堆栈跟踪，问题可能出在任何地方...