What is a C0000005 crash?

In my blog about Dr. Watson I talked about product crashes. What is an example of a crash? How destructive is it?

Here’s a simple example. MyFunction takes a string parameter and calculates its length:

#include <string.h>                // strlen comes from the C Standard Library

int MyFunction(char *StringParam)
{
    int nlen;                      // declare an integer variable

    nlen = strlen(StringParam);    // scans forward until it finds a null byte

    // <more code>

    return nlen;
}

Doesn’t look like there’s a bug, does it?

But there’s a potential bug: the strlen function in the C Standard Library counts the bytes in the string until it finds a zero (null) byte. If the string has no null byte, strlen keeps reading memory beyond the end of the string buffer, still looking for one.

This is called a buffer overrun error. If the memory accessed beyond the string is not allocated to the process, a C0000005 exception (Access Violation) results. If the process does not handle this exception, the “unhandled exception handler” of the OS is invoked; this is typically Dr. Watson. (The memory beyond the buffer may instead be legitimately accessible to the process, so no crash occurs, but that memory may be overwritten by a virus that takes advantage of a buffer overrun in a Standard Library function such as strcpy.)


 


If you have Visual Studio installed, you can look at the file PlatformSDK\include\ntstatus.h to find some of the various kinds of exceptions:

// MessageId: STATUS_ACCESS_VIOLATION
//
// MessageText:
//
//  The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
//
#define STATUS_ACCESS_VIOLATION          ((NTSTATUS)0xC0000005L)    // winnt

In the old days of Win3.11, there was no memory protection enforcement: accessing any memory in the process address space was fair game. strlen would just cruise merrily through the process memory, even through memory the program didn’t own, until it found a null byte. Thus, old code may run fine on old OSes, but when run on a new OS it might crash.

The C Standard Library (also known as the runtime library) is not part of the C language itself, but every C development environment (particularly the linker) assumes it is available. Microsoft’s versions have “MSVCRT” in their names. When the string functions were defined, strings were assumed to be character arrays with a terminating null byte. This convention makes buffer overruns possible, and it also means strings cannot contain embedded nulls (so they cannot hold binary data).

The C++ language has just as much access to the C Standard Library, even though string classes and objects can be used instead, so buffer overruns are still around. Most processes that run on your computer today are written primarily in C or C++.

In managed code in .NET, a string is an object that has a length property; no null terminating byte is assumed.



What are the consequences of a crash? If it occurs in a user mode application, that process is no longer running, but all other running processes on the machine are unaffected. If it occurs in kernel mode code, such as a device driver, all bets are off, because the erroneous code had much higher access rights to the machine than a user mode program.

Except for video driver crashes, I haven’t had to reboot my machines in years because of a crash.

Most security bulletins and Windows Updates are due to buffer overruns. If the Standard Library had been defined to pass a maximum length parameter along with every string buffer, many of these security patches would never exist.
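As an added example (not code from the original post), here is how MyFunction could be written to take the maximum length parameter that the last paragraph describes, together with a helper that shows the embedded-null limitation mentioned earlier. The function names my_function_bounded and bytes_hidden_after_null and the sample buffers are constructed for this illustration; the code is plain standard C, so it runs on any platform, not just Windows.

```c
#include <stddef.h>
#include <stdio.h>

/* Bounded counterpart of the post's MyFunction (name chosen here, not from the page).
 * The caller passes the buffer's capacity alongside the pointer, so the scan for the
 * null byte can never leave the buffer. Returns the string length, or -1 when no
 * null byte exists within buflen bytes, i.e. exactly the input that makes an
 * unbounded strlen read past the end of the buffer and trigger C0000005. */
long my_function_bounded(const char *buf, size_t buflen)
{
    size_t i;

    if (buf == NULL)                 /* a null pointer is the other classic C0000005 cause */
        return -1;
    for (i = 0; i < buflen; i++) {
        if (buf[i] == '\0')
            return (long)i;          /* terminator found inside the buffer */
    }
    return -1;                       /* no terminator: report it instead of overrunning */
}

/* Counts the bytes that follow the first null byte inside a buffer of known size.
 * Every null-terminated string function stops at that first null, so this is the
 * amount of (binary) data such a function would silently ignore. Returns -1 if
 * the buffer holds no null byte at all. */
long bytes_hidden_after_null(const char *buf, size_t buflen)
{
    long first = my_function_bounded(buf, buflen);

    if (first < 0)
        return -1;
    return (long)buflen - first - 1;
}

int main(void)
{
    /* Constructed sample buffers for the demonstration. */
    const char ok[] = "hello";                                  /* properly terminated */
    const char raw[4] = { 'a', 'b', 'c', 'd' };                 /* no terminator at all */
    const char mixed[6] = { 'a', 'b', '\0', 'c', 'd', '\0' };   /* embedded null */

    printf("ok:    %ld\n", my_function_bounded(ok, sizeof ok));        /* 5 */
    printf("raw:   %ld\n", my_function_bounded(raw, sizeof raw));      /* -1, no crash */
    printf("mixed: %ld bytes seen, %ld bytes hidden\n",
           my_function_bounded(mixed, sizeof mixed),                    /* 2 */
           bytes_hidden_after_null(mixed, sizeof mixed));              /* 3 */
    return 0;
}
```

The unterminated buffer raw is the case that would send the post’s original MyFunction reading past the end of the array; with the capacity passed in, the bounded version returns -1 and the caller can reject the input instead of crashing. The mixed buffer shows why a null-terminated string cannot carry binary data: two bytes are visible to strlen-style code and three are never seen.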

Comments (35)

  1. josh says:

    std::string doesn’t use a terminating nul, unless you’re converting it from/to a C string. But you can’t really pass std::strings between binaries compiled with different compilers, or even linked against different instances of the runtime library.

  2. John says:

    So, managed code in .NET will not crash easily?

  3. Manju Rachel George says:

    We got a "C0000005 crash" error while doing an SNMP Walk for a device. We are looking to fix it in our product. This document proved to be very vital.

  4. ashok says:

    What is the solution for this crash? Does it depend on the application program or on the OS? Because we got the same access violation in STS of APG40. If you need it, I can send the core dump.

  5. ashok says:

    What change should we make in the above code to remove the bug?

    solution for the bug

  6. It takes a lot of work to create the blog posts and code samples that I put in my blog, and I was curious…

  7. BClark says:

    We are on VFP9 SP1 and we seem to be getting this when I call the LEFT() function, i.e., LEFT(string,6).

    This has happened twice so far this week, in different locations in our code.  Once in form code, and once in report code.

    Does anyone have any further solution to this?

    Thanks in advance…

  8. Claude says:

    We are getting this error consistently using reports created by FP2.5b for DOS under VFP9 SP1. Even after converting the reports to a Windows version, SP1 still gets errors, but I think they’re gone in the SP2 beta. Haven’t proven this yet.

    I have also found that while running the older report files, the memory handles returned by sys(1011) keep climbing till we get the dreaded C5 error.

    help!!!!

  9. Amit says:

    What causes it to crash at OS level?

  10. # says:

    This is happening 90% of the time I’m in front of the computer, help!!

  11. Lingarao says:

    Frequently, we are getting an access violation problem in the Windows NT environment while using Oracle Forms.

     How do we overcome this problem?

     Please help me.

  12. Sandeep Garg says:

    I am also facing this exception during inserting test cases in Rational Test Manager.

    Can you please help me how to come out of this crash and resolve the same….

  14. Bob says:

    How many of you with this error are using Core 2 duo and didn’t have this error before upgrading to this processor?

  15. Needhelp says:

    Can anyone help pls:

    The application, N:Program FilesFMFM.exe, generated an application error The error occurred on 07/24/2007 @ 16:11:05.529 The exception generated was c0000005 at address 2787A62C (ssdw3b32!DllUnregisterServer)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  16. Needhelp says:

    Can anyone help pls:

    I recently updated the server from old NT to Win2k3 server with new hardware and yes Intel Dual Cores.

    The application, N:Program FilesFMFM.exe, generated an application error The error occurred on 07/24/2007 @ 16:11:05.529 The exception generated was c0000005 at address 2787A62C (ssdw3b32!DllUnregisterServer)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  17. Stallion says:

    {quote}

    Wednesday, June 13, 2007 8:34 PM by Bob

    How many of you with this error are using Core 2 duo and didn’t have this error before upgrading to this processor?

    {/quote}

    I have a notebook using Core 2 Duo and I’m getting this error every time…. I’m fed up with this 🙁

    Does anyone know the solution on this problem????

  18. shark says:

    I have the same exception, Core 2 Duo.

    Exception was generated during GetModuleFileName calling, strange situation 🙁

  19. A customer asks: I read your article "Intentionally crash your program". I have some questions that I

  20. Kev says:

    I had the same problem after making a simple change to an Oracle Forms application.  The only way I could solve it was to revert back to a previous version of the source code then make the change again.  It’s been fine ever since then.

  21. Babak Bandpey says:

    Running on VM-Ware, blade servers + Core 2 duo,  Win 2003 Server. I’m receiving sporadic occurrences of this error and it has made me sleepless. Just to let you know.

    Sincerely

  22. Term1nUS says:

    Well, I’ve got this exception starting Skype. And what is interesting… when Skype starts it wants to get my ID and password, and then Windows says @Exception c0000005

    Windows Server 2008 Datacenter Full

  23. Kevin Bentley says:

    I get this error when I deploy Oracle 10g via SMS and it seems to be related to the directory structure, as mentioned above.  I wish I could find a solution, because moving this entire package to a different (higher) directory will suck due to its size.  Anyone have any creative solutions?

  24. Mohd Farid says:

    My MS SQL 2000 crashed with a c0000005 exception EVERY TIME defragging indexes is done. Arrrgghhhh…….

  25. Emerson Prado says:

    I get this error with Trendnet TEW-228PI (Realtek RTL8180 chipset) and its software (Wireless Configuration Utility), under Win2k SP4. However, the computer doesn’t stop. I only get a window saying the app made an illegal operation and will be closed. I found the error code in Event Viewer. It has something to do with the driver. I’ll search some more, as I’ve seen this board working in this OS before.

    Best regards

  26. Halo Modder says:

    I got this error when I modified the plasma pistol in Halo 1.04. I tried to prevent it from happening by putting the settings of the weapon back to the original. It doesn’t work. Is there another way to reverse it other than creating a new user account?

  27. mcste says:

    I get this C00005 error every time. My application is built with VFP6.0 SP5.

    so trouble…

    I don’t know why we still need to use VFP ?!

  28. JR says:

    The application, C:Program FilesPlayOnlineSquareEnixPlayOnlineViewerpol.exe, generated an application error The error occurred on 11/03/2008 @ 14:44:42.109 The exception generated was c0000005 at address 01AB9C5D (FFXiMain)


  30. bugz says:

    anyone has the solution for that?

    I’m having this error when trying to synchronize MS Outlook through a Flash program. Geez.

  31. Bikash Agrawala says:

    How detects that the process running in user mode is trying to access a kernel mode virtual address? Is it the processor or the OS? Does the processor know about the user/kernel mode address range?

  32. Bikash Agrawala says:

    Who detects that the process running in user mode is trying to access a kernel mode virtual address? Is it the processor or the OS? Does the processor know about the user/kernel mode address range?

  33. Jeff says:

    I just got it with a null pointer exception.  Add to your code a check whether your input is null.

  34. AJ says:

    I got this during my Silktest executions. Any ideas to fix it?

    Event Type: Information

    Event Source: DrWatson

    Event Category: None

    Event ID: 4097

    Date: 6/27/2010

    Time: 11:04:32 AM

    User: N/A

    Computer: GUI55158

    Description:

    The application, C:progra~1borlandSilkTestAgent.exe, generated an application error The error occurred on 06/27/2010 @ 11:04:32.770 The exception generated was c0000005 at address 20058285 (AGENTDLL!TrueLogEnqueue)

    For more information, see Help and Support Center at go.microsoft.com/…/events.asp.