- 12-19-2010 #1 (Just Joined!)
- Join Date: Sep 2009
- Posts: 5
Cprogramming - Buffer Overflow - fread.c and fvwrite.c sources
Hi All,
I am new to Linux and programming. Currently investigating buffer overflow issues.
Inside the files src/lib/libc/stdio/fread.c and fvwrite.c there is a memcpy function.
1. at line 81 in fread.c -
(void)memcpy((void *)p, (void *)fp->_p, (size_t)r);
2. and at line 168 in fvwrite.c.
This requires an understanding of the FILE structure and its various contents as defined in the file stdio.h, like _p, _r, _flags, etc.
I have written a sample code to find out the contents of the FILE structure.
It opens a sample file (by FILE *fp), does some read/write operations on it, and at the end prints
the fp->_p, fp->_r etc. contents.
But every time it prints 0 or NULL for these values!!!
I understand that the contents of the FILE structure are implementation defined. I have a 32-bit Unix system, x86 processor.
How do I know the contents of the FILE structure?
Any idea?
Thanks,
Nikunj
Bangalore, India
- 12-21-2010 #2 (Linux Guru)
- Join Date: Apr 2009
- Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts: 8,974
The structure of the FILE type (which is a macro or typedef, defined by something else, by the way) depends entirely upon the compiler and compiler version you are using. For example, the members of FILE that you reference are not there in current Linux/GNU standard C compiler headers. On Ubuntu 9.04 (which I am using right now) with the GNU 4.x compilers, FILE is defined by _IO_FILE which is a structure defined in /usr/include/libio.h. Here is the definition of that structure:
Code:
struct _IO_FILE {
  int _flags;           /* High-order word is _IO_MAGIC; rest is flags. */
#define _IO_file_flags _flags

  /* The following pointers correspond to the C++ streambuf protocol. */
  /* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directly. */
  char* _IO_read_ptr;   /* Current read pointer */
  char* _IO_read_end;   /* End of get area. */
  char* _IO_read_base;  /* Start of putback+get area. */
  char* _IO_write_base; /* Start of put area. */
  char* _IO_write_ptr;  /* Current put pointer. */
  char* _IO_write_end;  /* End of put area. */
  char* _IO_buf_base;   /* Start of reserve area. */
  char* _IO_buf_end;    /* End of reserve area. */
  /* The following fields are used to support backing up and undo. */
  char *_IO_save_base;  /* Pointer to start of non-current get area. */
  char *_IO_backup_base; /* Pointer to first valid character of backup area */
  char *_IO_save_end;   /* Pointer to end of non-current get area. */

  struct _IO_marker *_markers;

  struct _IO_FILE *_chain;

  int _fileno;
#if 0
  int _blksize;
#else
  int _flags2;
#endif
  _IO_off_t _old_offset; /* This used to be _offset but it's too small. */

#define __HAVE_COLUMN /* temporary */
  /* 1+column number of pbase(); 0 is unknown. */
  unsigned short _cur_column;
  signed char _vtable_offset;
  char _shortbuf[1];

  /* char* _save_gptr; char* _save_egptr; */

  _IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};

Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
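An added example (not code from either poster) that reads the glibc fields above through a FILE * and shows why a print right after fopen() gives nothing but 0: glibc allocates the buffer lazily on the first read. On glibc, the counterparts of the BSD fp->_p / fp->_r pair that bound the fread.c memcpy are _IO_read_ptr and the difference _IO_read_end - _IO_read_ptr. It assumes glibc on Linux and a writable /tmp; the file name and the 100-byte contents are constructed for the demo.

```c
#include <stdio.h>

/* The fields that play the role of BSD's fp->_p / fp->_r in glibc. */
struct buf_state {
    long consumed;  /* _IO_read_ptr - _IO_read_base: bytes already handed to the caller */
    long buffered;  /* _IO_read_end - _IO_read_ptr: unread bytes still in the buffer (BSD _r) */
    long capacity;  /* _IO_buf_end - _IO_buf_base: size of the reserve area */
    int  fd;        /* _fileno */
};

static struct buf_state snapshot(FILE *fp)
{
    struct buf_state s = {0, 0, 0, fp->_fileno};
    /* Until the first read, glibc has not allocated a buffer and all of these
       pointers are NULL; that is why a print-after-fopen shows nothing but 0. */
    if (fp->_IO_buf_base != NULL) {
        s.consumed = (long)(fp->_IO_read_ptr - fp->_IO_read_base);
        s.buffered = (long)(fp->_IO_read_end - fp->_IO_read_ptr);
        s.capacity = (long)(fp->_IO_buf_end - fp->_IO_buf_base);
    }
    return s;
}

/* Create a constructed file of `len` 'A' bytes at `path` (hypothetical path),
   open it for reading, snapshot the stream, consume `n` bytes with fgetc(),
   snapshot again.  Returns 0 on success, -1 on any I/O failure. */
int inspect_after_reading(const char *path, size_t len, size_t n,
                          struct buf_state *before, struct buf_state *after)
{
    FILE *w = fopen(path, "wb");
    if (w == NULL) return -1;
    for (size_t i = 0; i < len; i++) fputc('A', w);
    if (fclose(w) != 0) return -1;

    FILE *fp = fopen(path, "rb");
    if (fp == NULL) return -1;
    *before = snapshot(fp);
    for (size_t i = 0; i < n; i++)
        if (fgetc(fp) == EOF) { fclose(fp); return -1; }
    *after = snapshot(fp);  /* the first fgetc() allocated and filled the buffer */
    fclose(fp);
    return 0;
}

int main(void)
{
    struct buf_state b, a;
    if (inspect_after_reading("/tmp/file_state_demo.bin", 100, 7, &b, &a) != 0) return 1;
    printf("after fopen:   consumed=%ld buffered=%ld capacity=%ld fd=%d\n", b.consumed, b.buffered, b.capacity, b.fd);
    printf("after 7 reads: consumed=%ld buffered=%ld capacity=%ld fd=%d\n", a.consumed, a.buffered, a.capacity, a.fd);
    return 0;
}
```

With a 100-byte file and seven fgetc() calls, the second snapshot reports consumed=7 and buffered=93, while capacity shows the allocated reserve area (the file's st_blksize, typically 4096).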