[Openais] [PATCH corosync] objdb memory violation (caught by valgrind)

angus salkeld angus.salkeld at alliedtelesis.co.nz
Wed Oct 29 14:19:24 PDT 2008


Hi

Whilst running corosync under valgrind I found the following:

==2405== 1 errors in context 1 of 5:
==2405== Invalid write of size 1
==2405==    at 0x40331D0: memcpy (in /opt/2/lib/valgrind/ppc32-linux/vgpreload_memcheck.so)
==2405==    by 0x4A09EAC: object_key_replace (objdb.c:994)
==2405==    by 0x4A81E8C: message_handler_req_lib_confdb_key_replace (confdb.c:425)
==2405==    by 0x1000A198: prioritized_poll_thread (ipc.c:927)
==2405==    by 0x4181AE4: (within /lib/libpthread-0.9.29.so)
==2405==    by 0x41D186C: clone (in /lib/libuClibc-0.9.29.so)
==2405==  Address 0x461bf25 is 0 bytes after a block of size 5 alloc'd
==2405==    at 0x40300E8: malloc (in /opt/2/lib/valgrind/ppc32-linux/vgpreload_memcheck.so)
==2405==    by 0x4A0A960: object_key_create (objdb.c:482)
==2405==    by 0x4A1DBC0: parse_section (coroparse.c:133)
==2405==    by 0x4A1DB50: parse_section (coroparse.c:121)
==2405==    by 0x4A1DB50: parse_section (coroparse.c:121)
==2405==    by 0x4A1DCC0: aisparser_readconfig (coroparse.c:175)
==2405==    by 0x10005938: main (main.c:601)

If the new length is larger, then memory will be overwritten.

I could make this ">=" but we can save memory if the new size is smaller by using "!=".

Regards
Angus

diff --git a/exec/objdb.c b/exec/objdb.c
index 1cfcddf..b0b60bb 100644
--- a/exec/objdb.c
+++ b/exec/objdb.c
@@ -1085,7 +1085,7 @@ static int object_key_replace (
                        }
                }

-           if (new_value_len <= object_key->value_len) {
+         if (new_value_len != object_key->value_len) {
                        void *replacement_value;
                        replacement_value = malloc(new_value_len);
                        if (!replacement_value)
