Need help with stack smash

Orion Poplawski orion at cora.nwra.com
Thu Aug 27 20:38:13 UTC 2009


On 08/27/2009 01:59 PM, Orion Poplawski wrote:
> Thanks, but my trouble though is what to watch. My thought was to watch
> the location of the guard variable that the stack protector code checks,
> but I have no idea how to find that out.
>

By looking at the disassembly of the function, I'm able to see the stack 
check code at the end:

0x08058f39 <an_check_lab_desc+553>:     mov    -0x1c(%ebp),%eax
0x08058f3c <an_check_lab_desc+556>:     xor    %gs:0x14,%eax
0x08058f43 <an_check_lab_desc+563>:     jne    0x8058f50 
<an_check_lab_desc+576>

so it's watching %ebp - 0x1c (it appears).

(gdb) print $ebp - 0x1c
$1 = (PTR TO -> ( void )) 0xbfffcb5c
(gdb) watch *(0xbfffcb5c)
Hardware watchpoint 2: *(0xbfffcb5c)
(gdb) c
Continuing.
Hardware watchpoint 2: *(0xbfffcb5c)

Old value = -987698962
New value = -987699200
DFANIgetann (filename=0x8125d10 "tdfanF.hdf", tag=<value optimized out>,
     ref=<value optimized out>, ann=0xbfffcb3e "Object label #1: sds 
       ",
     maxlen=31, type=0) at dfan.c:1103
1103      Lastref = annref;   /* remember ref last accessed */
Current language:  auto; currently c
(gdb) list
1098          HCLOSE_GOTO_ERROR(file_id,DFE_READERROR,FAIL);
1099        }
1100      if (type == DFAN_LABEL)
1101        ann[annlen] = '\0';     /* terminate string properly */
1102
1103      Lastref = annref;   /* remember ref last accessed */
(gdb) print &ann[annlen]
$7 = (uint8 *) 0xbfffcb5c ""

So that's where I get clobbered.  Need to figure out why, but at least I 
solved the watch location question.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion at cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com
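The procedure in the post (read the `xor %gs:0x14` epilogue to find the frame slot holding the saved canary, compute its address from `$ebp`, set a hardware watchpoint, then interpret the old/new values at the hit) can be automated. The script below is an added example and is not code from the original post, from gdb, or from the HDF library it debugs. Its 32-bit sample input is the three instructions quoted above; the x86-64 sample (where gcc compares against `%fs:0x28` and may use `sub` instead of `xor`), the `$ebp` value 0xbfffcb78 (derived from `$ebp - 0x1c = 0xbfffcb5c` in the session above), and the function names in the constructed 64-bit listing are assumptions. Only gcc's epilogue shape is recognised; clang loads the TLS canary first and compares the other way round, which this parser does not attempt.

```python
"""Locate gcc's stack-protector canary slot from gdb disassembly and emit the
matching hardware-watchpoint command.  Added example, not from the original post."""
import re

# gcc's epilogue loads the saved canary from the frame and compares it with the
# per-thread reference copy: %gs:0x14 on 32-bit x86, %fs:0x28 on x86-64.
_TLS_CANARY = {"%gs:0x14": 4, "%fs:0x28": 8}

# "mov    -0x1c(%ebp),%eax"  or  "mov    0x18(%rsp),%rax" (frame-pointer-less code)
_LOAD_RE = re.compile(r"\bmov\s+(-?0x[0-9a-f]+)?\((%[er]bp|%[er]sp)\),(%\w+)\s*$")
# "xor    %gs:0x14,%eax"  or  "sub    %fs:0x28,%rdx" (newer gcc)
_CMP_RE = re.compile(r"\b(?:xor|sub)\s+(%[fg]s:0x[0-9a-f]+),(%\w+)\s*$")

# Constructed sample: the three instructions quoted in the post (32-bit).
DISASM_32 = """\
0x08058f39 <an_check_lab_desc+553>:     mov    -0x1c(%ebp),%eax
0x08058f3c <an_check_lab_desc+556>:     xor    %gs:0x14,%eax
0x08058f43 <an_check_lab_desc+563>:     jne    0x8058f50 <an_check_lab_desc+576>
"""

# Constructed sample: the x86-64 shape of the same check (hypothetical addresses).
DISASM_64 = """\
0x0000000000401176 <+54>:    mov    -0x8(%rbp),%rdx
0x000000000040117a <+58>:    sub    %fs:0x28,%rdx
0x0000000000401183 <+67>:    je     0x40118a <+74>
0x0000000000401185 <+69>:    call   0x401040 <__stack_chk_fail@plt>
"""


def find_canary_slot(disasm):
    """Return (frame_register, offset, width_in_bytes) of the saved canary slot,
    or None when the listing has no stack-protector epilogue."""
    lines = [l.rstrip() for l in disasm.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = _CMP_RE.search(line)
        if not m or m.group(1) not in _TLS_CANARY:
            continue
        reg = m.group(2)
        # Walk back to the nearest load that put the saved canary into that register.
        for prev in reversed(lines[:i]):
            lm = _LOAD_RE.search(prev)
            if lm and lm.group(3) == reg:
                offset = int(lm.group(1), 16) if lm.group(1) else 0
                return lm.group(2), offset, _TLS_CANARY[m.group(1)]
    return None


def watch_command(frame_reg_value, slot):
    """Given the live value of the frame register (print $ebp / $rbp while stopped
    inside the function) and a slot from find_canary_slot(), return the slot
    address and a gdb 'watch' command sized to the canary width."""
    _reg, offset, width = slot
    addr = frame_reg_value + offset
    ctype = "unsigned int" if width == 4 else "unsigned long"
    return addr, "watch *(%s *)0x%x" % (ctype, addr)


def changed_bytes(old, new, width):
    """gdb prints the old/new slot contents as signed ints; decode them as
    little-endian bytes and list (byte_offset, old_byte, new_byte) for each byte
    that differs.  A single terminating '\\0' shows up as one byte going to 0."""
    mask = (1 << (8 * width)) - 1
    ob = (old & mask).to_bytes(width, "little")
    nb = (new & mask).to_bytes(width, "little")
    return [(i, ob[i], nb[i]) for i in range(width) if ob[i] != nb[i]]


if __name__ == "__main__":
    slot = find_canary_slot(DISASM_32)
    # $ebp = 0xbfffcb78 is an assumption derived from '$ebp - 0x1c = 0xbfffcb5c'.
    addr, cmd = watch_command(0xbfffcb78, slot)
    print("canary slot:", slot, "->", cmd)
    # Old/new values reported by the watchpoint hit in the post.
    print("bytes changed at hit:", changed_bytes(-987698962, -987699200, 4))
    print("x86-64 sample:", find_canary_slot(DISASM_64))
```

Run on the values from the session above, the decode step shows that only byte 0 of the slot changed (0xee to 0x00), which is exactly the footprint of a one-byte `'\0'` store rather than a longer overrun; the slot itself (0xbfffcb5c) sits 30 bytes past the start of `ann` (0xbfffcb3e). Checking the changed bytes this way is a quick sanity check that the watchpoint really caught the terminator write and not some later, larger clobber.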




More information about the fedora-devel-list mailing list