Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Function pointer declaration syntax confusion [duplicate]

Tags:

c

syntax

pointers

function-pointers

I have read and googled about the right-left rule to decode function pointers.

For ex: 

int (*(*fun_one)(char *,double))[9][20];

is: fun_one is pointer to function expecting (char *,double) and returning pointer to array (size 9) of array (size 20) of int.

So what is 

const char code[] = "\x31\xc0";

int main(){
     ((void(*)( ))code)();
}

"code is ?? returning a pointer to function returning void...???? what about after that the outside ()"

I am utterly confused with this one.

like image 347
Haswell Avatar asked Mar 15 '23 05:03

Haswell

2 Answers

const char code[] = "\x31\xc0";

int main(){
     ((void(*)( ))code)();
}

Here's how it works. The code variable will decay to the address of the first element (\x31).

That address will then be cast to the address of a function taking indeterminate arguments, and returning nothing.

That covers the entire ((void(*)( ))code) bit and, up to there, you've basically constructed a function pointer pointing to your string.

The () then simply calls the function that you're pointing to.

If that's an Intel CPU you're targeting, 31 c0 disassembles to xor eax, eax but I'm not expecting much joy when it runs off the end of the buffer, it's likely to crash spectacularly. The \x00 marking the end of the string is the first bit of an add instruction but, as to what comes after that, there's no guarantee.

Adding a ret instruction to the end of the string may make it safer but you may have to examine the generated assembler code for the call itself to figure out which ret should be used.

like image 140
paxdiablo Avatar answered Mar 23 '23 10:03

paxdiablo

That's not a function pointer declaration, it's a function pointer cast and a call.

Glossing over the cast for a moment, we have ((sometype)code)() — that is, cast code to some type (obviously a function pointer) and then call it.

So what's the type inside the cast? It's void (*)(). In other words, a pointer to a function that returns void and takes nothing in particular (it actually can take arguments, thanks to C legacy, but in this case it doesn't). Nothing in, nothing out.

After the * is where the name would go if this was a declaration, but since it's a cast, the type stands alone and there's no name at all.

like image 43
hobbs Avatar answered Mar 23 '23 08:03

hobbs
Sign in to Comment

Related questions

Client Server multiple connections in C
Promotion when evaluating constant integer expressions in preprocessor directives - GCC
How to interface a NumPy complex array with C function using ctypes?
Can we omit the data types of function arguments?
How to call recursion in different way?
In Python, how can I translate *(1+(int*)&x)?
Tcl extension: Understanding and using ClientData
Openssl: certificate verification fails when CApath argument is used in SSL_CTX_load_verify_locations API
Structures in C with "no member named..." error
C -- Modify const through aliased non-const pointer
How do you switch() on an enum that has multiple similar values in C/C++?
Expected to see "initializer-string for array of chars is too long" warning [duplicate]
Numpy/CAPI error with import_array() when compiling multiple modules
Do modern terminals generally render all utf-8 characters correctly?
Duplicate const error with C++ wrapping C code
It's really strange that sometimes gcc can't find reference of sqrt but sometimes gcc can
C/C++ unions and undefined behaviour
Why does ucontext have such high overhead?
Why does NULL terminating a sha256 hash crash when using dynamic memory but not static memory?
Generating all divisors of a number given its prime factorization

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!