Wow!!! Learned a lot!!! Thanks!!!

-Mingliang

On Wed, Mar 25, 2009 at 9:17 AM, Lorenzo Beretta <lory.fulgi@xxxxxxxxxxx> wrote:
> 明亮 wrote:
>>
>> Hi guys,
>>
>> This is my first email in this list, any help is much appreciated.
>> As I know, it's not allowed to pass a local variable to a function,
>> because the stack where local variable resides will be reused by other
>> functions.
>> eg:
>>  1 #include <stdio.h>
>>  2 #include <stdlib.h>   /* for exit() */
>>  3 char *fetch();
>>  4
>>  5 int main(int argc, char *argv[]){
>>  6     char *string;
>>  7     string = fetch();
>>  8     printf("%s\n", string);
>>  9     exit(0);
>> 10 }
>> 11
>> 12 char *fetch(){
>> 13     char string[10];
>> 14     scanf("%s", string);
>> 15     return string;   /* address of a local array: dead once fetch() returns */
>> 16 }
>>
>> When the application is executed, after input "a", it will produce
>> unknown characters, like "8Šè¿ôÿO". Which is like what I expect
>>
>> However, if I change line 13 to:
>> 13     char string[1024];
>>
>> When I type "a", it echoes "a", which is out of my expectation
>>
>> Why does it behave like this?
>>
>> Thanks in advance,
>> longapple
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>
> Try something like this
> ------
> #include <stdio.h>
>
> void p(int n){
>     int onstack;
>     printf("%p\n", (void *)&onstack);
>     if(n>0) p(n-1);
> }
>
> int main(){
>     p(5);
>     return 0;
> }
> ------
>
> It should (system dependent) print a sequence of decreasing hex numbers;
> that's because each time you call a function on your computer, the local
> stack grows downwards.
>
> When you scanf() into a character array, it writes into the first characters
> of your array, that is string[0], then string[1], and so on: notice that the
> address of string[1] is GREATER than the address of string[0]...
>
> Summing up there are two cases (assume that X stands for "any value"):
>
> 1) string[10]
>    ==> { X, X, X, X, X, X, X, X, '\0', 'a' }
> 2) string[1024]
>    ==> { X, X, X, (long sequence of garbage)..., '\0', 'a' }
>
> When you call printf(), the printf function overwrites some bytes for its
> own stack variables: if it takes more than 10 bytes (eg 42), the small array
> will be completely overwritten, while with the big array it will only
> overwrite string[1023...980] (which was garbage anyway!), leaving
> string[0...979] intact.
>
> I hope that was helpful; try googling "buffer overflow" for more info
>
>
> lb
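A defensive counterpart to the fetch() discussed in the thread, added here as an example (not code from either poster): the caller owns the buffer and passes its size, the read is bounded, and an overlong line is reported instead of being silently truncated. The names fetch_line and demo and the in-memory sample input are constructed for this example; fmemopen() is POSIX and stands in for stdin so the code runs offline.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* The thread's fetch() returned the address of a local array (dead once the
 * call returns) and filled it with an unbounded scanf("%s"). Here the caller
 * owns the buffer and its size; nothing is ever written past cap-1 bytes. */

/* Read one line from `in` into buf[0..cap-1] without the newline.
 * Returns the stored length, -1 on EOF/error, -2 if the line did not fit
 * (buf then holds the first cap-1 chars and the rest is discarded). */
long fetch_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (long)len;
    }
    /* No newline in buf: last line without one, a line that fit exactly,
     * or an overlong line. Peek one char to tell these apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return (long)len;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the overlong rest */
    return -2;
}

/* Feed a constructed string (sample input, not from the thread) through
 * fetch_line as if it were stdin. */
long demo(const char *input, char *out, size_t cap)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return -1;
    long r = fetch_line(in, out, cap);
    fclose(in);
    return r;
}

int main(void)
{
    char buf[10];   /* caller-owned, same size as the thread's string[10] */
    long r = demo("a\n", buf, sizeof buf);
    printf("%ld '%s'\n", r, buf);                      /* prints: 1 'a' */
    r = demo("this line is too long\n", buf, sizeof buf);
    printf("%ld '%s'\n", r, buf);                      /* prints: -2 'this line' */
    return 0;
}
```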