How to fix "free(): invalid next size (normal) | Canceled (memory dump written)" in C

Question

I am writing a program which actually send raw Packets and Sniffing the Network. I have the Program to build, to send the Packets and to Sniff the Network. Each of them work (mostly) great. If i try to implement a main function which calls first the Function to build and send the Packet and after that the function which sniff, I get a free(): Invalid next size (normal) | Cancelled (memory dump written) Error.

I tried to find the Problem by my own. I called the startSniffer() - Function in different places. Actually in send_tcp_packet befor building the tcp Packet (build_tcp_packet), and after that too. If I call startSniffer() Function befor build_tcp_packet it works. So I call the startSniffer() - Function in build_tcp_packet befor memcpy(...) and it works. So I assume that the error is because of memcpy(...). I removed memcpy(...) and the Programm works well. But actually the Programm needs memcpy(...) to set the Payload in TCP-Header.

So did you have any Idea and helps for my Code???

void startBuilding() {

    unsigned char *data;

    unsigned int packet_size;
    unsigned int data_size;

    src_addr.sin_family = AF_INET;
    inet_aton(srcHost, &src_addr.sin_addr);

    dst_addr.sin_family = AF_INET;
    inet_aton(destHost, &dst_addr.sin_addr);

    data = (char*) malloc(strlen(sendingData) + 1);

    strcpy((char *) data, sendingData);

    data_size = strlen(sendingData);

    switch (ipProto) {
    case IPPROTO_TCP:

        printf("[+] Send TCP packet...\n");

        src_addr.sin_port = htons(tcpSourcePort);
        dst_addr.sin_port = htons(tcpDestPort);

        if (open_RawSocket(ipProto)) {
            send_tcp_packet(raw_socket, src_addr, dst_addr, data, data_size);

        }

}



unsigned int build_tcp_packet(struct sockaddr_in src_addr,
    struct sockaddr_in dst_addr, unsigned char *tcp_packet,
    unsigned char *data, unsigned int data_size) {

    printf("[+] Build TCP packet...\n\n");

    unsigned int length;
    struct tcpheader *tcp;
    length = TCPHDRSIZE + data_size;
    tcp = (struct tcpheader *) tcp_packet;

    tcp->th_sport = src_addr.sin_port;
    tcp->th_dport = dst_addr.sin_port;

    tcp->th_seq = htonl(tcpSeqNum);
    tcp->th_acknum = tcpAcknum;

    tcp->th_reserved = tcpReserved;
    tcp->th_off = tcpOffSet;

    tcp->th_fin = tcpFinFlag;
    tcp->th_syn = tcpSynFlag;
    tcp->th_rst = tcpRstFlag;
    tcp->th_psh = tcpPshFlag;
    tcp->th_ack = tcpAckFlag;
    tcp->th_urg = tcpUrgFlag;
    tcp->th_cwr = tcpCwrFlag;
    tcp->th_ece = tcpEceFlag;

    tcp->th_win = htons(tcpWin);

    tcp->th_urp = tcpUrp;

    tcp->th_sum = tcpSum;

//      startSniffer(); // If i start startSniffer here, it works fine.
    memcpy(tcp_packet + TCPHDRSIZE, data, data_size);
//      startSniffer(); //If i start sartSniffer here, it did not work, and i get the error. 

    return length;
 }


unsigned int build_ip_packet(struct in_addr src_addr, struct in_addr dst_addr,
    uint8_t protocol, unsigned char *ip_packet, unsigned char *data,
    unsigned int data_size) {

    printf("[+] Build IP packet...\n\n");

    struct ipheader *ip;
    ip = (struct ipheader*) ip_packet;

    ip->ip_v = ipv;
    ip->ip_hl = iphl;

    ip->ip_tos = iptype;
    ip->ip_id = htons(ipId);

    if (calculateIpLenInBuildPacket) {
        ip->ip_len = htons(iphl * 4 + data_size);
    } else {
        ip->ip_len = htons(ipLen);
    }

    ip->ip_off = ipOffset;

    ip->ip_moreFrag = ipMoreFragmentFlag;
    ip->ip_doNotFrag = ipDoNotFragmentFlag;
    ip->ip_reserved = ipReserved;
    ip->ip_frag_offset1 = ipFragOffset;

    ip->ip_ttl = ipTTL;
    ip->ip_p = ipProto;

    ip->ip_sum = ipSum;
    ip->iph_sourceip = src_addr.s_addr;
    ip->iph_destip = dst_addr.s_addr;

    return sizeof(struct ipheader) + data_size;
}


int main(int argc, char **argv) {

    startBuilding();

    startSniffer();

}

---

void send_tcp_packet(int raw_sock, struct sockaddr_in src_addr,
    struct sockaddr_in dst_addr, uint8_t *data, unsigned int data_size) {
    unsigned int packet_size;
    unsigned int ip_payload_size;
    unsigned char *packet;


    packet = (char*) malloc(strlen(data) + 1);
    memset(packet, 0, ETH_DATA_LEN);



    ip_payload_size = build_tcp_packet(src_addr, dst_addr,
        packet + sizeof(struct ipheader), data, data_size);

    packet_size = build_ip_packet(src_addr.sin_addr, dst_addr.sin_addr,
    IPPROTO_TCP, packet, packet + sizeof(struct ipheader), ip_payload_size);

    setOption_RawSocket(raw_sock);

    if (sendto(raw_sock, packet, packet_size, 0, (struct sockaddr *) &dst_addr,
        sizeof(dst_addr)) < 0) {
        perror("sendto");

        exit(1);
    } else {

        printf("Send! \n\n");


    }
    close(raw_sock);

}

---

Answer 1

This is dangerous:

packet = (char*) malloc(strlen(data) + 1);
memset(packet, 0, ETH_DATA_LEN);

It will corrupt the heap whenever ETH_DATA_LEN is larger than strlen(data) + 1, the heap corruption will not be immediately detected but may cause subsequent allocations or deallocations (free) to fail.

Suggest:

packet = calloc( ETH_DATA_LEN, 1 ) ;

You made a rash assumption that data is a null terminated string and should have used data_size to determine the length of data in any event, but since packet size is necessarily larger then just the data payload, both are incorrect.

You fail to free packet in this case, so also have a memory leak. Since ETH_DATA_LEN is a constant, there is no need to dynamically allocate in any event. Instead you might have:

char* packet[ETH_DATA_LEN] = {0} ;