Question

首先是

代码

DWORD WINAPI tcp_t(LPVOID lpParam)
{
    SOCKET tcp_client_s = (SOCKET)lpParam;
    struct sockaddr_in tcp_client;
    int tcp_client_len = sizeof(tcp_client), length;
    char req[4096], resp[4096];

    getpeername(tcp_client_s, (struct sockaddr *)&tcp_client, &tcp_client_len);

    cli_log(PROTO_TCP, LOG_SYS, "(%s:%d) TCP thread spawned\n", inet_ntoa(tcp_client.sin_addr), ntohs(tcp_client.sin_port));

    length = get_req_tcp(tcp_client_s, req, tcp_client);

    if(strci(req, "GET /syachi2ds/web/", 0))
    {
        while(!strstr(req, "Connection: close\r\n\r\n"))
            length += get_req_tcp(tcp_client_s, req + length, tcp_client);

        length = check_req(req, resp);

        if(length > 0)
            send_resp_tcp(tcp_client_s, resp, length, tcp_client);
    }

    closesocket(tcp_client_s);
    cli_log(PROTO_TCP, LOG_SYS, "(%s:%d) socket closed, closing thread\n", inet_ntoa(tcp_client.sin_addr), ntohs(tcp_client.sin_port));
    ExitThread(0);
}

int get_req_tcp(SOCKET in_s, char *buf, struct sockaddr_in in)
{
    int retval;

    cli_log(PROTO_TCP, LOG_COMM, "(%s:%d) waiting for incoming request...\n", inet_ntoa(in.sin_addr), ntohs(in.sin_port));
    if ( (retval = recv(in_s, buf, 4096, 0)) == SOCKET_ERROR)
        cli_log(PROTO_TCP, LOG_ERROR, "(%d) recv() failed\n", WSAGetLastError());
    cli_log(PROTO_TCP, LOG_COMM, "(%s:%d) data received\n", inet_ntoa(in.sin_addr), ntohs(in.sin_port));
    return retval;
}

这是我正在编写的一个更大的程序的一部分，它执行某种服务器仿真。它适用于TCP流thar不会被拆分成多个数据包，否则它会在while循环中调用的第一个后续recv()上给出winsock错误10014。

PS：strci()是自定义不区分大小写的strstr()

PS2：我知道没有检查req数组上的缓冲区溢出。

Answer 1

10014是WSAEFAULT，这意味着recv()检测到“buf参数未完全包含在用户地址空间的有效部分中。”。这是有道理的，因为您的代码中存在缓冲区溢出错误。您已在req缓冲区的调用堆栈上分配了4096个字节。每次调用get_req_tcp()时，即使req实际上没有4096字节可供读取，也要告诉它读取4096字节。

每次循环运行时，你都告诉recv()将字节读入缓冲区中的新起始位置，但是你没有告诉recv()该位置后剩余多少字节，所以循环溢出缓冲区并最终访问不在调用堆栈上的内存地址，导致WSAEFAULT错误。

您需要向get_req_tcp()添加一个额外的参数，告诉它要读取多少字节。

试试这个：

DWORD WINAPI tcp_t(LPVOID lpParam)
{
    SOCKET tcp_client_s = (SOCKET)lpParam;
    struct sockaddr_in tcp_client;
    int tcp_client_len = sizeof(tcp_client), length;
    char req[4096], resp[4096];

    getpeername(tcp_client_s, (struct sockaddr *)&tcp_client, &tcp_client_len);

    cli_log(PROTO_TCP, LOG_SYS, "(%s:%d) TCP thread spawned\n", inet_ntoa(tcp_client.sin_addr), ntohs(tcp_client.sin_port));

    length = get_req_tcp(tcp_client_s, req, sizeof(req), tcp_client);
    if (length > 0)
    {
        while (!strstr(req, "\r\n\r\n"))
        {
            retval = get_req_tcp(tcp_client_s, req + length, sizeof(req) - length, tcp_client);
            if (retval < 1)
            {
                length = 0;
                break;
            }
            length += retval;
        }

        if ((length > 0) && (strci(req, "GET /syachi2ds/web/", 0)))
        {
            length = check_req(req, resp);
            if (length > 0)
                send_resp_tcp(tcp_client_s, resp, length, tcp_client);
        }
    }

    closesocket(tcp_client_s);
    cli_log(PROTO_TCP, LOG_SYS, "(%s:%d) socket closed, closing thread\n", inet_ntoa(tcp_client.sin_addr), ntohs(tcp_client.sin_port));

    return 0;
}

int get_req_tcp(SOCKET in_s, char *buf, int buflen, struct sockaddr_in in)
{
    cli_log(PROTO_TCP, LOG_COMM, "(%s:%d) waiting for incoming request...\n", inet_ntoa(in.sin_addr), ntohs(in.sin_port));

    if ((!buf) || (buflen < 1))
    {
        cli_log(PROTO_TCP, LOG_ERROR, "invalid buffer passed for recv()\n");
        return -1;
    }

    int retval = recv(in_s, buf, buflen, 0);

    if (retval == SOCKET_ERROR)
    {
        cli_log(PROTO_TCP, LOG_ERROR, "(%d) recv() failed\n", WSAGetLastError());
        return -1;
    }

    if (retval == 0)
    {
        cli_log(PROTO_TCP, LOG_ERROR, "client disconnected\n");
        return 0;
    }

    cli_log(PROTO_TCP, LOG_COMM, "(%s:%d) %d bytes received\n", retval, inet_ntoa(in.sin_addr), ntohs(in.sin_port));

    return retval;
}

拆分TCP流上的Winsock2错误10014

1 个答案: