Forum: Ruby sprintf can not work in ruby c source?

Haoqi Haoqi (haoqi)
on 2007-05-01 09:13
Here is my simple test:
Where is my mistake??

#include "ruby.h"
#include "stdio.h"
static VALUE
tests(){
    char *s1="a ";
    char *s2=" b";
    char *buf;
    sprintf(buf,"%s after %s",s1,s2);
    printf(buf);
    return Qnil;
}
void Init_hello(){
    rb_define_global_function("tests",tests,0);
}
Francis Cianfrocca (blackhedd)
on 2007-05-01 09:19
(Received via mailing list)
On 5/1/07, Haoqi Haoqi <axgle@126.com> wrote:
>   char *buf;
>     sprintf(buf,"%s after %s",s1,s2);
>     printf(buf);
>   return Qnil;
> }
> void Init_hello(){
> rb_define_global_function("tests",tests,0);
> }



Um, you realize you're writing right into a random memory location? If
you're not an experienced C programmer, you may want to reconsider your
project to write a Ruby extension.
Maik Schmidt (Guest)
on 2007-05-01 09:30
(Received via mailing list)
In article <9d71df8a63af2a669698ea94c2a5111c@ruby-forum.com> Haoqi
Haoqi <axgle@126.com> wrote:

>     sprintf(buf,"%s after %s",s1,s2);
>     printf(buf);
>   return Qnil;
> }
> void Init_hello(){
>  rb_define_global_function("tests",tests,0);
> }
>
I guess your problem is that buf is an uninitialized pointer pointing to an
arbitrary memory location. If you declare it like this
char buf[200]
your program should work.
Haoqi Haoqi (haoqi)
on 2007-05-01 09:30
Francis Cianfrocca wrote:
> On 5/1/07, Haoqi Haoqi <axgle@126.com> wrote:
>>   char *buf;
>>     sprintf(buf,"%s after %s",s1,s2);
>>     printf(buf);
>>   return Qnil;
>> }
>> void Init_hello(){
>> rb_define_global_function("tests",tests,0);
>> }
>
>
>
> Um, you realize you're writing right into a random memory location? If
> you're not an experienced C programmer, you may want to reconsider your
> project to write a Ruby extension.
I am not an experienced C programmer, and am just learning to write a Ruby
extension with C.
Haoqi Haoqi (haoqi)
on 2007-05-01 09:32
Maik Schmidt wrote:
> In article <9d71df8a63af2a669698ea94c2a5111c@ruby-forum.com> Haoqi
> Haoqi <axgle@126.com> wrote:
>
>>     sprintf(buf,"%s after %s",s1,s2);
>>     printf(buf);
>>   return Qnil;
>> }
>> void Init_hello(){
>>  rb_define_global_function("tests",tests,0);
>> }
>>
> I guess your problem is that buf is an uninitialized pointer pointing to
> an
> arbitrary memory location. If you declare it like this
> char buf[200]
> your program should work.
Oh, yes, thank you very much!~

C:\ext\1>ruby client.rb
a  after  b
^_^
unknown (Guest)
on 2007-05-01 09:37
(Received via mailing list)
In message <9d71df8a63af2a669698ea94c2a5111c@ruby-forum.com>, Haoqi
Haoqi writes:
>here is my simple test:
>where is my mistake??

>#include "ruby.h"
>#include "stdio.h"
>static VALUE
>tests(){
>   char *s1="a ";
>    char *s2=" b";
>  char *buf;
>    sprintf(buf,"%s after %s",s1,s2);

Right about here.

"buf" is a pointer.

Where, exactly, do you think it points?  Have you told the compiler to point
it AT anything?

-s
unknown (Guest)
on 2007-05-01 09:40
(Received via mailing list)
In message <f025162e5afe1e9c3304d79581fc4f24@ruby-forum.com>, Haoqi
Haoqi writes:
>I am not an experienced C programmer,and just learn to write a Ruby
>extension with c.

Don't.

I consider myself a reasonably experienced C programmer, and I'd still
want to be sure I was brushed up and current before trying to write an
extension plugin.  Even in a well-planned environment, writing plugins
is on the heavy-duty end.

Seriously, just don't.  Hire someone.  Write it in pure Ruby.

Or... Budget 3-6 months to learn C well enough to do it competently.

-s
Adam Bozanich (Guest)
on 2007-05-01 09:51
(Received via mailing list)
On 5/1/07, Haoqi Haoqi <axgle@126.com> wrote:
>   char *buf;
>     sprintf(buf,"%s after %s",s1,s2);
>     printf(buf);
>   return Qnil;
> }
> void Init_hello(){
> rb_define_global_function("tests",tests,0);
> }


You have to be very careful when working with c.  The code above has a
couple of classic security vulnerabilities.

Since you are not dealing with user-controlled buffers, it's not that big of
a deal, but here's a couple tips:

1) In general, don't use sprintf.  Use snprintf().

char * s1 = "a ";
char * s2 = "b ";
char buf[1024];
snprintf(buf,sizeof(buf),"%s after %s",s1,s2);

2) Always use a string literal as the format string to functions which take
them ( printf() , snprintf() , etc... ):

 printf("%s",buf);

If you're interested in what can be done if these errors are made, check out
these papers:

http://doc.bughunter.net/buffer-overflow/smash-stack.html
http://doc.bughunter.net/format-string/exploit-fs.html

-Adam
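
The two tips in the post above, combined into one bounded, checked routine. This is an added example, not code from any poster in the thread: join_after and print_plain are hypothetical names, the inputs are constructed, and ruby.h is left out so the file compiles on its own (in the extension the same calls would sit in the body of tests()).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: writes "<s1> after <s2>" into dst, never past dstsz.
 * Returns 0 on success, -1 on bad arguments, error, or truncation. */
int join_after(char *dst, size_t dstsz, const char *s1, const char *s2)
{
    int n;

    if (dst == NULL || dstsz == 0 || s1 == NULL || s2 == NULL)
        return -1;

    /* snprintf returns the length the complete result would have had,
     * so n >= dstsz means the text did not fit and was cut short. */
    n = snprintf(dst, dstsz, "%s after %s", s1, s2);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

/* Hypothetical helper: the format is a literal, so any '%' inside buf is
 * printed as text instead of being parsed as a conversion. */
int print_plain(FILE *out, const char *buf)
{
    return fprintf(out, "%s", buf);
}

int main(void)
{
    char buf[200];
    char tiny[8];

    /* Constructed inputs: the thread's two strings. */
    if (join_after(buf, sizeof buf, "a ", " b") == 0) {
        print_plain(stdout, buf);
        putchar('\n');
    }
    /* Same strings, destination too small: reported, not overflowed. */
    if (join_after(tiny, sizeof tiny, "a ", " b") != 0)
        printf("truncated to \"%s\"\n", tiny);
    /* Constructed input containing conversion specifiers stays literal. */
    if (join_after(buf, sizeof buf, "%x%x", "%s") == 0) {
        print_plain(stdout, buf);
        putchar('\n');
    }
    return 0;
}
```

Checking the return value matters because snprintf truncates silently; without the comparison against the buffer size the caller would go on to use a shortened string.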
Brian Broom (Guest)
on 2007-05-01 16:30
(Received via mailing list)
> You have to be very careful when working with c.  The code above has a
> couple of classic security vulnerabilities.
>
>
Have there been any studies on the security implications of using Ruby?
Brian Broom (Guest)
on 2007-05-01 16:31
(Received via mailing list)
On 5/1/07, Peter Seebach <seebs@seebs.net> wrote:
> extension plugin.  Even in a well-planned environment, writing plugins
> is on the heavy-duty end.
>
> Seriously, just don't.  Hire someone.  Write it in pure Ruby.
>
> Or... Budget 3-6 months to learn C well enough to do it competently.
>
> -s
>
>
>
I'll disagree somewhat here.  There are things C does much faster than Ruby
does.  Application performance is not everything, but there are cases where
moving code to a C extension makes the difference between being able to use
ruby and not being able to.

Writing an extension in C is, to me, much easier than learning C by itself,
because there are a bunch of things that you can let ruby handle that are
just a pain in C (mainly I/O things).
Hemant Kumar (gnufied)
on 2007-05-01 18:13
(Received via mailing list)
On 5/1/07, Adam Bozanich <adam.boz@gmail.com> wrote:
> >     char *s2=" b";
> You have to be very careful when working with c.  The code above has a
> snprintf(buf,sizeof(buf),"%s after %s",s1,s2);
> http://doc.bughunter.net/format-string/exploit-fs.html
Thanks for the links Adam.