The Archive Base

Editorial Team
Asked: May 28, 2026

I’m trying to use the memory allocated beyond the size of a struct to

I’m trying to use the memory allocated beyond the size of a struct to mimic a ‘payload’ and to allow that payload to contain a pointer to another struct. Can someone tell me if this is possible or if what I’m trying to do is not feasible?

#include<stdio.h>
#include<stdlib.h>
#include<string.h>

#define ptrsize sizeof(char*)

typedef struct s{
  int i;
  short j;
  long k;
}S;

S *salloc(int sz,int i,short j,long k){
  S *m=malloc(sizeof(S)+sz);
  m->i=i;m->j=j;m->k=k;
  return m;
}

char *goToData(S *m){
  char* dataloc=(char*)m+sizeof(S);
  return dataloc;
}

int main(int argc,char **argv){

  char a[]={"ABCDEFGHIJKLMNOPQRSTUVWXYZ"};
  S *mys=salloc(26,2,3,100);              // struct * to size 26+sizeof(S) & set struct vars
  char *mydp=goToData(mys);               // get the address of the payload 
  memcpy(mydp,a,sizeof(a));               // copy a into the payload

  S *mysc=salloc(ptrsize,1,2,3);          // allocate a container struct

  char *datapw=goToData(mysc);            // go to the first byte of the payload of mysc
  (*(S**)datapw)=mys;                     // want to point at mys -- is this possible?

  printf("%d\n",ptrsize);
  printf("addr mys              %x\n",(unsigned int)mys);
  printf("addr mysc             %x\n",(unsigned int)mysc);
  printf("addr mysc | *datapw   %x\n",(unsigned int)*datapw);  // from here would like to be indirectly reference mys

  return 0;

}
1 Answer

  1. Editorial Team
    Added an answer on May 28, 2026 at 5:31 pm

    The goToData() function seems to be sound. The memory allocation is sound, though you don’t record how big the space is that was allocated after the structure.

    There’s a buffer overflow here:

    char a[] = {"ABCDEFGHIJKLMNOPQRSTUVWXYZ"};
    S *mys = salloc(26,2,3,100);              // struct * to size 26+sizeof(S) & set struct vars
    char *mydp = goToData(mys);               // get the address of the payload 
    memcpy(mydp, a, sizeof(a));               // copy a into the payload
    

    You allocated 26 bytes but you’re copying 27 (sizeof(a) == 27 because sizeof() counts the NUL '\0' at the end). That is a recipe for disaster. Don’t use elegant variation in C; use consistency. Either use 26 in both places or sizeof(a), but not a mixture.


    If there’s a problem, it is with the line:

    (*(S**)datapw)=mys;                     // want to point at mys -- is this possible?
    

    I’m not even sure I understand what you’re trying to do here, but it doesn’t look good at all.

    Although datapw is aligned for use as an S *, you haven’t allocated enough space for that to be used. I’m not clear that you should be converting it to a S** before dereferencing.

    If you are trying to make the space after the structure pointed at by mysc contain a pointer to the structure pointed at by mys, then you had better have a really good reason for not including the pointer in the structure. A really, really good reason.

    However, that code is accurate, despite my strong misgivings. But it is extremely opaque.

    I think you should get the result you want with:

    *((S **)datapw) = mys;
    

    I hate to think what the strict-aliasing implications are, though you might be OK since there is an exemption of some sort for char *.

    So, revisit that statement and work out what you are trying to do – because what you’ve written doesn’t do it, whatever it was.

    printf("addr mysc | *datapw   %x\n",(unsigned int)*datapw);
    

    This has some issues. Since datapw is a char *, *datapw is going to be a character. Probably not what you had in mind. (unsigned int)*(S **) is what you need, I think.

    The rest is OK-ish, though on a 64-bit system, addresses are too big for %x. You’ll get away with it on a 32-bit system, but you should use either %p with (void *) casts, or "%" PRIXPTR from <inttypes.h> with a (uintptr_t) cast.

    I ended up with:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <inttypes.h>
    
    #define ptrsize sizeof(char*)
    
    typedef struct s
    {
        int   i;
        short j;
        long  k;
    } S;
    
    static S *salloc(int sz, int i, short j, long k)
    {
        S *m = malloc(sizeof(S) + sz);
        m->i = i;
        m->j = j;
        m->k = k;
        return m;
    }
    
    static char *goToData(S *m)
    {
        char *dataloc = (char*)m + sizeof(S);
        return dataloc;
    }
    
    int main(void)
    {
        char a[] = {"ABCDEFGHIJKLMNOPQRSTUVWXYZ"};
        S *mys = salloc(sizeof(a), 2, 3, 100);     // struct * to size sizeof(a)+sizeof(S) & set struct vars
        char *mydp = goToData(mys);                // get the address of the payload 
        memcpy(mydp, a, sizeof(a));                // copy a into the payload
        S *mysc = salloc(ptrsize, 1, 2, 3);        // allocate a container struct
        char *datapw  = goToData(mysc);            // go to the first byte of the payload of mysc
        *((S **)datapw) = mys;                     // want to point at mys -- is this possible?
    
        printf("%zu\n", ptrsize);
        printf("addr mys              %" PRIXPTR "\n", (uintptr_t)mys);
        printf("addr mysc             %" PRIXPTR "\n", (uintptr_t)mysc);
        printf("addr mysc | *datapw   %" PRIXPTR "\n", (uintptr_t)*(S **)datapw);
    
        return 0;
    }
    

    (I compile with -Wmissing-prototypes; the static in front of the functions prevents the compiler warning me about these functions. Since you aren’t using the arguments to main(), I replaced argc and argv with void for the same reason – to avoid compiler warnings.)

    When I ran it under valgrind on a Mac (MacOS X 10.7.2, GCC 4.2.1, Valgrind 3.7.0), I got a clean run with the data output:

    8
    addr mys              100005120
    addr mysc             100005190
    addr mysc | *datapw   100005120
    
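Added example, not part of the original question or answer: one way to avoid the 26-versus-27 overflow and the cast through S ** is to record the payload size in the header, bounds-check every copy, and move the pointer in and out of the payload with memcpy. It goes a step beyond the thread by using a C99 flexible array member; Blob, blob_alloc, blob_write, blob_put_ptr and blob_get_ptr are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header: S's fields, the payload capacity, and a C99 flexible array. */
typedef struct blob {
    int i; short j; long k;
    size_t cap;              /* bytes available in data[] */
    unsigned char data[];    /* payload starts here */
} Blob;

/* Allocate header + payload; NULL on size overflow or malloc failure. */
Blob *blob_alloc(size_t cap, int i, short j, long k) {
    if (cap > SIZE_MAX - sizeof(Blob)) return NULL;   /* sum would wrap */
    Blob *b = malloc(sizeof(Blob) + cap);
    if (b == NULL) return NULL;
    b->i = i; b->j = j; b->k = k; b->cap = cap;
    return b;
}

/* Bounds-checked copy into the payload: 0 on success, -1 if n exceeds cap. */
int blob_write(Blob *b, const void *src, size_t n) {
    if (b == NULL || n > b->cap) return -1;
    memcpy(b->data, src, n);
    return 0;
}

/* Store a pointer in the payload via memcpy: no alignment or aliasing assumptions. */
int blob_put_ptr(Blob *b, Blob *target) { return blob_write(b, &target, sizeof target); }

/* Read the stored pointer back; NULL if the payload cannot hold one. */
Blob *blob_get_ptr(const Blob *b) {
    Blob *p = NULL;
    if (b != NULL && b->cap >= sizeof p) memcpy(&p, b->data, sizeof p);
    return p;
}

int main(void) {
    char a[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";          /* sizeof a == 27 */
    Blob *msg = blob_alloc(26, 2, 3, 100);            /* same sizes as the question */
    Blob *box = blob_alloc(sizeof(Blob *), 1, 2, 3);
    if (msg == NULL || box == NULL) return 1;
    printf("27 bytes into 26: %d\n", blob_write(msg, a, sizeof a));
    printf("pointer round trip: %d\n", blob_put_ptr(box, msg) == 0 && blob_get_ptr(box) == msg);
    free(msg); free(box);
    return 0;
}
```

With the capacity stored in the header, the question's 27-byte copy into a 26-byte payload is refused instead of writing one byte past the allocation.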
