Help, strange untraceable crash

[tangjun]

My code crashed in a interface thread after a function return, this did not happened everytime.

I got the error meesage first:

The instruction at "0x004611da" referenced memory at "0x00000027". The memory could not be "written".

Click on OK to terminate the program
Click on CANCEL to debug the program

then when choose to debug, I got:

Unhandled exception at 0x004611da in Path.exe: 0x0000005:
Access violation writing location 0x00000027.

All the local variables showed: error, can not be evaluated
All the Auto variables showed: Bad pointer
Call stack only show the calling function

Did anybody have the same experience?

[Valen]

I've encountered crashes from programs I've compiled using Visual C++ .NET Pro. It seems programs built using it will change the address of some pointers and the value of variables in some instances. When this has happened I've been able to take my code and rebuild it using a Borland compiler and fix the problem. If this is not your case the only other option you have is to step through your code until you find the problem.

[filthy_mcnasty]

post some code of what's happening right before that happens

[amolpg]

If you can post some code it will be great, but atleast give us some more details like:

What is your code trying to do?
Are you running it in debug mode or release mode?
Does this happen after any particular action or event?

Amol

[tangjun]

ok, here is the function, it's a little long, that's why I did not post it first.

The crash place is right after the last line, "return rc;", it looks like after this function finish up and return to its previous stack, it lost everything include its return address.

the lpBuf is allocated either stack or heap, both crash in release mode, not every time I execute the code.


int CSslSocket::Receive(void* lpBuf, int nBufLen, int nFlags)
{
int rc = 0;
SecPkgContext_StreamSizes Sizes;
SECURITY_STATUS scRet;
DWORD cbIoBufferLength;
DWORD cbData;
SecBufferDesc Message;
SecBuffer * Buffers = new SecBuffer[4];
SecBuffer * pDataBuffer;
SecBuffer * pExtraBuffer;
SecBuffer ExtraBuffer;

BYTE *pDataBuf = NULL;
DWORD dwDataLn = 0;
DWORD dwBufDataLn = 0;
BOOL bCont = TRUE;

BYTE * RawBuffer = NULL;
DWORD RawBufferLn = 0;

if (m_bConInit) {
// if there are message left in the solved buffer
if (m_dwReceiveBuf) {
AfxMessageBox("receive buffer allocated");
if ((DWORD)nBufLen < m_dwReceiveBuf) {
rc = nBufLen;
CopyMemory(lpBuf,m_pbReceiveBuf,rc);
MoveMemory(m_pbReceiveBuf,m_pbReceiveBuf+rc,m_
dwReceiveBuf-rc);
m_dwReceiveBuf -= rc;
m_fMore = true;
} else {
rc = m_dwReceiveBuf;
CopyMemory(lpBuf,m_pbReceiveBuf,rc);
delete [] m_pbReceiveBuf;
m_pbReceiveBuf = NULL;
m_dwReceiveBuf = 0;
m_fMore = false;
}
} else {
// if no more solved message in the buffer
do { // actually will not loop
scRet = m_SecurityFunc.QueryContextAttributes(&m_hContext,SECPKG_ATTR_STREAM_SIZES,&Sizes);
if(scRet != SEC_E_OK) {
SetLastError(scRet);
AfxMessageBox("secrity function fail");
break;
}

cbIoBufferLength = Sizes.cbHeader + Sizes.cbMaximumMessage + Sizes.cbTrailer;

RawBuffer = new BYTE[cbIoBufferLength]; // buffer for raw data
pDataBuf = new BYTE[cbIoBufferLength]; // buffer for solved data
dwBufDataLn = cbIoBufferLength; // assign length of solved data to be the same

if ((RawBuffer == NULL) || (pDataBuf == NULL)) {
SetLastError(ERROR_OUTOFMEMORY);
AfxMessageBox("out of space");
break;
}

// start receive loop
bool firstime = true;
do {
if(firstime || scRet == SEC_E_INCOMPLETE_MESSAGE) {
if(cbIoBufferLength==RawBufferLn) {
AfxMessageBox("buffer full");
return 0;
}
cbData = CSock::Receive(RawBuffer+RawBufferLn, cbIoBufferLength-RawBufferLn);
firstime = false;

if(cbData == SOCKET_ERROR) {
SetLastError(WSAGetLastError());
AfxMessageBox("CSock receive fail");
break;
} else if (cbData == 0) {
if(RawBufferLn) {
TRACE(_T("**** Server unexpectedly disconnected\n"));
scRet = SEC_E_INTERNAL_ERROR;
AfxMessageBox("Server unexpectedly disconnected");
break;
} else {
AfxMessageBox("Unknown error");
break;
}
} else {
RawBufferLn += cbData;
}

if(RawBufferLn>cbIoBufferLength) {
AfxMessageBox("out of bounce");
return 0;
}

DUMP(_T("Received cipher text"), RawBuffer, cbData);
}

Buffers[0].pvBuffer = RawBuffer;
Buffers[0].cbBuffer = RawBufferLn;
Buffers[0].BufferType = SECBUFFER_DATA;

Buffers[1].BufferType = SECBUFFER_EMPTY;
Buffers[2].BufferType = SECBUFFER_EMPTY;
Buffers[3].BufferType = SECBUFFER_EMPTY;

Message.ulVersion = SECBUFFER_VERSION;
Message.cBuffers = 4;
Message.pBuffers = Buffers;

scRet = m_SecurityFunc.DecryptMessage(&m_hContext,&Message,0,NULL);

if (scRet == SEC_E_INCOMPLETE_MESSAGE) {
AfxMessageBox("incomplete message");
continue;
}
if (scRet == SEC_I_CONTEXT_EXPIRED) {
SetLastError(scRet);
AfxMessageBox("context expired");
break;
}
if (scRet != SEC_E_OK && scRet != SEC_I_RENEGOTIATE && scRet != SEC_I_CONTEXT_EXPIRED) {
SetLastError(scRet);
AfxMessageBox("unable to decrypt");
break;
}

pDataBuffer = NULL;
pExtraBuffer = NULL;
for (int i = 1; i < 4; i++) {
if (pDataBuffer == NULL && Buffers[i].BufferType == SECBUFFER_DATA) {
pDataBuffer = &Buffers[i];
}
if (pExtraBuffer == NULL && Buffers[i].BufferType == SECBUFFER_EXTRA) {
pExtraBuffer = &Buffers[i];
}
}

if (pDataBuffer) {
DUMP(_T("Plain text received"),(BYTE *)(pDataBuffer->pvBuffer),pDataBuffer->cbBuffer);
if ((dwDataLn + (pDataBuffer->cbBuffer)) > dwBufDataLn) {
// if solved data so far larger than its buffer size
AfxMessageBox("sloved data larger than its buffer size");
BYTE *bNewDataBuf = new BYTE[dwBufDataLn+(pDataBuffer->cbBuffer)];
CopyMemory(bNewDataBuf,pDataBuf,dwDataLn);
delete [] pDataBuf;
pDataBuf = bNewDataBuf;
dwBufDataLn = dwBufDataLn+(pDataBuffer->cbBuffer);
}
CopyMemory(pDataBuf+dwDataLn, pDataBuffer->pvBuffer, pDataBuffer->cbBuffer);
dwDataLn += pDataBuffer->cbBuffer;
if(dwDataLn>cbIoBufferLength) {
AfxMessageBox("out of bounce");
return 0;
}
}

if (pExtraBuffer) {
MoveMemory(RawBuffer, pExtraBuffer->pvBuffer, pExtraBuffer->cbBuffer);
RawBufferLn = pExtraBuffer->cbBuffer;
continue;
} else {
RawBufferLn = 0;
bCont = FALSE;
}

if (scRet == SEC_I_RENEGOTIATE)
{
AfxMessageBox("renegociation");
scRet = ClientHandshakeLoop(
&m_hCreds,
&m_hContext,
FALSE,
&ExtraBuffer);
if(scRet != SEC_E_OK) {
AfxMessageBox("renegociation failed");
break;
}

if(ExtraBuffer.pvBuffer) {
MoveMemory(RawBuffer, ExtraBuffer.pvBuffer, ExtraBuffer.cbBuffer);
RawBufferLn = ExtraBuffer.cbBuffer;
}

//if (ExtraBuffer.pvBuffer) delete [] ExtraBuffer.pvBuffer;
}
} while (bCont); // end of receive loop

} while(0);

if (dwDataLn) // if there is message solved
{
if (dwDataLn > (DWORD)nBufLen) // if message larger than buffer size
{
m_dwReceiveBuf = dwDataLn - ((DWORD)(nBufLen));
m_pbReceiveBuf = new BYTE[m_dwReceiveBuf];

CopyMemory(lpBuf,pDataBuf,nBufLen);
rc = nBufLen;

CopyMemory(m_pbReceiveBuf,pDataBuf+nBufLen,m_
dwReceiveBuf);
m_fMore = true;
}
else // if message smaller than buffer size
{
CopyMemory(lpBuf,pDataBuf,dwDataLn);
rc = dwDataLn;
m_fMore = false;
}
}

if (pDataBuf) delete [] pDataBuf;
if (RawBuffer) delete [] RawBuffer;
} // end of if no solved message in buffer
} else // if not m_bConInit
{
if (m_bAllowPlainText) rc = CSock::Receive(lpBuf, nBufLen, nFlags);
}

if(Buffers) delete [] Buffers;

return rc;
}

[NigelQ]

At the top of your routine, try changing these two line:

Code:

SecBuffer * pDataBuffer;
SecBuffer * pExtraBuffer;

to:

Code:

SecBuffer * pDataBuffer = NULL;
SecBuffer * pExtraBuffer = NULL;

...and see if that makes any difference.

Both pointers are pointing to random memory locations at the beginning of the routine, and may be getting inadvertently freed,

Hope this helps,

- Nigel

[amolpg]

Yes it will crash in release build if pointers are not initialized properly.
Also make sure you are allocating enough memory for lpBuf, this is main candidate as you are getting memory could not be written!!

Amol