Memory corruption
Memory corruption is a process of unintentionally alterting a random area of memory by a program or process. A program written with C programming language can corrupt memory in different areas and in different ways. Memory Memory corruption creates many problems and program execution faces many abnormal behavior. It can set unpredictable values to next memory elements; it can set invalid pointer values; and worst of all, it can corrupt dynamic memory allocator thus causing crash/core-dump of the application/process. It can corrupt stack and alter the return address or stack pointer. Program can hang or crash with core-dump. Pointer variable can point to a invalid memory location which can cause access violation and a crash. Memory corruption may occur because of poor array buffer handling or some abnormal runtime use-cases.
Global variable corruption (array out of bound access)
Here we have two variables in global scope. Second variable is located after the boundary of first array. This first arrary has 10 elements so the lower bound is 0 and upper bound is 9. For loop should be in the boundary between 0 to 9. A bad programming logic can access a position which will be beyond the boundary of first array. Poorly written for loop access 11th element (10th offset in C).
$ ./a.out Var 2 = 0 Var1[0] = 0 Var1[1] = 1 Var1[2] = 2 Var1[3] = 3 Var1[4] = 4 Var1[5] = 5 Var1[6] = 6 Var1[7] = 7 Var1[8] = 8 Var1[9] = 9 Var1[10] = 10 Var 2 = 10 $
Global variable corruption (using strings)
Here we have two variables in global scope. First one is a string i.e. array of char and there is a integer after that. The string functions should be used in such a way that it should stay in the boundary of 10 bytes. Here gets function has been used which is harmfull if user enters any string beyond 10 characters. This below program work fine when user enters a string of length 9 or below. A string beynd 9 or more should corrupt var2.
$ ./a.out Var 2 = 0 warning: this program uses gets(), which is unsafe. Enter a string : I am corrupting global variable. Var 2 = 543649385 $
Local variable corruption (using strings)
We are now seeing one example with local variables. Local variables are placed in program stack. Stack grows in opposite direction in the memory. Here we have taken a variable var2 of type integer and then there is a character var1. We are using strcpy to copy a string to var1. It is a character so copying a string will corrupt the next located integer var2.
Var 2 = 0 Var 2 = 1869376613
Heap variable corruption (using strings)
Dynamic memory allocation and management is common in application programming. We use malloc()/calloc() for memory allocation and use free() for deallocation.
In normal situations we use memory in blocks. We never access or modify beyond the range or boundary. But sometimes it may happen that we access array elements beyond the array limit. These situations create memory corruption.
This program allocates memory to the nodes of a linked list of student records. Student data-structure has id, name and age as member variable. It accepts name and age from user and sets these values to the nodes.
In the normal run, we usually give small names like Student1, Student2 etc. As a result this program does not cause any memory corruption.
Here we are assuming that name should be less than 20 char long. But user may give very long names and we are not taking precautions to avoid such situations. Thus when user gives a name longer than 20 char, it creates memory corruption.
Here we will discuss some aspects of checking integrity of memory chunks.
Guard buffer with signature
Here we are allocating some extra memory at the beginning and at the end of each memory unit. After allocation we are applying some character pattern to this extra memory.
This helps us to detect the corruption. When anyone writes beyond the allocated memory blocks, these character patterns will be modified and we can easily detect the corruption. Please note that this memory corruption checker is very tricky and may not work in all situations.
Allocated blocks will look like this-
"XYXYXYXY<- BUFFER 1->XYXYXYXY""XYXYXYXY<- BUFFER 2->XYXYXYXY"
When buffer2 will overflow, it will corrupt/overwrite trailing pattern and memory block will look like
"XYXYXYXY<- BUFFER 1->XYXYXYXY""XYXYXYXY<- BUFFER 2 ->XYXY"
Functions:
- mem_alloc() - This allocates memory using malloc() with 16 extra bytes. Then it sets 8 byte pattern at the beginning and end of the buffer. It returns the buffer to the user. It uses m_ctx array to save this info to track all memory allocation from user.
- mem_free()-This deallocates memory and sets the m_ctx object as not allocated context.
- mem_check()- We are tracking all memory allocation with m_ctx array thus this function iterates all memory blocks and checks the beginning and end pattern of each memory buffer. If one or more pattern is not correct, it means that the memory block has some corruption.
Detect corruption - Program output
Add a new student record(y/n) ?y Name:student1 Age:12 Add a new student record(y/n) ?y Name:student2 Age:13 Add a new student record(y/n) ?y Name:ABCDEFGHIJKLMNOPQRSTUVWXYZ Age:12 Address 0x0x91fc0d0, allocated at mem_chk.c:120:main() is corrupted. Add a new student record(y/n) ?
Detect corruption - Source Code
About our authors: Team EQA
You have viewed 1 page out of 252. Your C learning is 0.00% complete. Login to check your learning progress.
Further readings
Construct your own strcpy and strcat/implementation of strcpy, strcat function in C
strcpy, strcat implementation in c using pointers, strncpy, strcat implementation in c, strcmp, strcat implementation in c, strcat implementation in c, implementation of strcpy, strcat function in c
memmove vs memcpy how different? implement your own code?
memmove vs memcpy, memmove and memcpy difference understanding overlapping memory with diagram. Implement your own memmove memcpy. example source code
How exceptions are handled in C? (return check, exit to OS in fatal error, NULL check, setjmp-longjmp)
Describes how exceptions are handled in C. return check for success, exit to OS in case of fatal error, NULL pointer check, try-catch like exception handling with setjmp-longjmp
What is setjmp and longjmp in C? How to handle C++ like try-catch exceptions in C?
Describes C++ like try-catch exception handling in C with setjmp and longjmp. setjmp saves context and longjmp reverts context back in error with source code example
What is memory leak? How to check memory leak in c program?
memory leak in c, how to check memory leak in c program, how to avoid memory leak in c, how to debug memory leak in c, memory leak example