[Openais] [PATCH corosync] objdb memory violation (caught by valgrind)
angus salkeld
angus.salkeld at alliedtelesis.co.nz
Wed Oct 29 14:19:24 PDT 2008
Hi
Whilst running corosync under valgrind I found the following:
==2405== 1 errors in context 1 of 5:
==2405== Invalid write of size 1
==2405== at 0x40331D0: memcpy (in /opt/2/lib/valgrind/ppc32-linux/vgpreload_memcheck.so)
==2405== by 0x4A09EAC: object_key_replace (objdb.c:994)
==2405== by 0x4A81E8C: message_handler_req_lib_confdb_key_replace (confdb.c:425)
==2405== by 0x1000A198: prioritized_poll_thread (ipc.c:927)
==2405== by 0x4181AE4: (within /lib/libpthread-0.9.29.so)
==2405== by 0x41D186C: clone (in /lib/libuClibc-0.9.29.so)
==2405== Address 0x461bf25 is 0 bytes after a block of size 5 alloc'd
==2405== at 0x40300E8: malloc (in /opt/2/lib/valgrind/ppc32-linux/vgpreload_memcheck.so)
==2405== by 0x4A0A960: object_key_create (objdb.c:482)
==2405== by 0x4A1DBC0: parse_section (coroparse.c:133)
==2405== by 0x4A1DB50: parse_section (coroparse.c:121)
==2405== by 0x4A1DB50: parse_section (coroparse.c:121)
==2405== by 0x4A1DCC0: aisparser_readconfig (coroparse.c:175)
==2405== by 0x10005938: main (main.c:601)
If the new length is larger, then memory will be overwritten.
I could make this ">=" but we can save memory if the new size is smaller by using "!=".
Regards
Angus
diff --git a/exec/objdb.c b/exec/objdb.c
index 1cfcddf..b0b60bb 100644
--- a/exec/objdb.c
+++ b/exec/objdb.c
@@ -1085,7 +1085,7 @@ static int object_key_replace (
}
}
- if (new_value_len <= object_key->value_len) {
+ if (new_value_len != object_key->value_len) {
void *replacement_value;
replacement_value = malloc(new_value_len);
if (!replacement_value)
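Review bot: the hunk stops at `if (!replacement_value)`, so the rest of the allocating branch is not visible; with the test now `new_value_len != object_key->value_len`, that branch must also free the old `object_key->value` and set `object_key->value_len = new_value_len`, because a later replace of the same key uses `value_len` to decide whether the in-place copy in the else branch fits, and a stale length would bring the out-of-bounds write back. For the logic that is visible, `!=` is sound: the in-place path is now reached only when the lengths are equal, which closes the invalid write valgrind reported at the memcpy; a one-line comment above the condition stating the shrink-to-save-memory rationale would help, since `!=` rather than `>` reads as odd without the explanation from the mail.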
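To make the consequence of the condition concrete, the following is an added, stand-alone C example of the replace logic with the "!=" test. It is not corosync's objdb code: the struct object_key layout and the object_key_create, object_key_replace, object_key_equals and object_key_destroy functions are assumptions modelled loosely on the identifiers in the valgrind trace above. It also shows what the hunk does not: on the reallocating path the old block is freed and value_len is updated, so the in-place memcpy is only ever reached when the new value has exactly the length of the existing allocation.

```c
/*
 * Added example (not corosync's objdb code): a minimal key/value holder
 * whose replace routine allocates whenever the length differs and copies
 * in place only when it is equal. Names and layout are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct object_key {
	void *value;        /* heap block of exactly value_len bytes */
	size_t value_len;   /* must always match the allocation size  */
};

/* Allocate a block of exactly value_len bytes (the "size 5" block in
 * the trace came from an allocation like this). malloc(0) may return
 * NULL, so a zero-length value gets a one-byte block instead. */
struct object_key *object_key_create(const void *value, size_t value_len)
{
	struct object_key *key = malloc(sizeof(*key));
	if (!key)
		return NULL;
	key->value = malloc(value_len ? value_len : 1);
	if (!key->value) {
		free(key);
		return NULL;
	}
	memcpy(key->value, value, value_len);
	key->value_len = value_len;
	return key;
}

/*
 * Replace the stored value.
 *
 * Any change in length (grow or shrink) gets a fresh allocation; the old
 * block is freed and value_len is updated so the next replace still sees
 * the true allocation size. Only an equal-length value is copied into the
 * existing block, which by construction cannot run past its end.
 *
 * Returns 0 on success, -1 on allocation failure (key left unchanged).
 */
int object_key_replace(struct object_key *key,
		       const void *new_value, size_t new_value_len)
{
	if (new_value_len != key->value_len) {
		void *replacement_value = malloc(new_value_len ? new_value_len : 1);
		if (!replacement_value)
			return -1;
		memcpy(replacement_value, new_value, new_value_len);
		free(key->value);
		key->value = replacement_value;
		key->value_len = new_value_len;
		return 0;
	}
	/* Same length: in-place copy stays within the block. */
	memcpy(key->value, new_value, new_value_len);
	return 0;
}

/* True when the key holds exactly these len bytes. */
int object_key_equals(const struct object_key *key,
		      const void *value, size_t len)
{
	return key->value_len == len && memcmp(key->value, value, len) == 0;
}

void object_key_destroy(struct object_key *key)
{
	if (!key)
		return;
	free(key->value);
	free(key);
}

int main(void)
{
	/* Constructed input: the 5-byte value from the trace, then a
	 * longer one (the case that overflowed), then a shorter one. */
	struct object_key *key = object_key_create("hello", 5);
	if (!key)
		return 1;
	object_key_replace(key, "helloworld", 10);   /* grow: new block   */
	printf("len=%zu value=%.*s\n", key->value_len,
	       (int)key->value_len, (const char *)key->value);
	object_key_replace(key, "abc", 3);           /* shrink: new block */
	printf("len=%zu value=%.*s\n", key->value_len,
	       (int)key->value_len, (const char *)key->value);
	object_key_replace(key, "xyz", 3);           /* equal: in place   */
	printf("len=%zu value=%.*s\n", key->value_len,
	       (int)key->value_len, (const char *)key->value);
	object_key_destroy(key);
	return 0;
}
```

Run it under valgrind the same way as the report above; with the length kept in step with the allocation there is no invalid write on the grow path, and the shrink path gives back the surplus bytes rather than keeping the larger block.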