[Openais] [PATCH corosync] objdb memory violation (caught by valgrind)

angus salkeld angus.salkeld at alliedtelesis.co.nz
Thu Oct 30 12:33:59 PDT 2008


Committed as revision 1680.

On Wed, 2008-10-29 at 21:37 -0700, Steven Dake wrote:
> good for commit
> regards
> -steve
> On Thu, 2008-10-30 at 10:19 +1300, angus salkeld wrote:
> > Hi
> > 
> > Whilst running corosync under valgrind I found the following:
> > 
> > ==2405== 1 errors in context 1 of 5:
> > ==2405== Invalid write of size 1
> > ==2405==    at 0x40331D0: memcpy (in /opt/2/lib/valgrind/ppc32-linux/vgpreload_memcheck.so)
> > ==2405==    by 0x4A09EAC: object_key_replace (objdb.c:994)
> > ==2405==    by 0x4A81E8C: message_handler_req_lib_confdb_key_replace (confdb.c:425)
> > ==2405==    by 0x1000A198: prioritized_poll_thread (ipc.c:927)
> > ==2405==    by 0x4181AE4: (within /lib/libpthread-0.9.29.so)
> > ==2405==    by 0x41D186C: clone (in /lib/libuClibc-0.9.29.so)
> > ==2405==  Address 0x461bf25 is 0 bytes after a block of size 5 alloc'd
> > ==2405==    at 0x40300E8: malloc (in /opt/2/lib/valgrind/ppc32-linux/vgpreload_memcheck.so)
> > ==2405==    by 0x4A0A960: object_key_create (objdb.c:482)
> > ==2405==    by 0x4A1DBC0: parse_section (coroparse.c:133)
> > ==2405==    by 0x4A1DB50: parse_section (coroparse.c:121)
> > ==2405==    by 0x4A1DB50: parse_section (coroparse.c:121)
> > ==2405==    by 0x4A1DCC0: aisparser_readconfig (coroparse.c:175)
> > ==2405==    by 0x10005938: main (main.c:601)
> > 
> > If the new length is larger, then memory will be overwritten.
> > 
> > I could make this ">=" but we can save memory if the new size is smaller by using "!=".
> > 
> > Regards
> > Angus
> > 
> > diff --git a/exec/objdb.c b/exec/objdb.c
> > index 1cfcddf..b0b60bb 100644
> > --- a/exec/objdb.c
> > +++ b/exec/objdb.c
> > @@ -1085,7 +1085,7 @@ static int object_key_replace (
> >                         }
> >                 }
> > 
> > -           if (new_value_len <= object_key->value_len) {
> > +         if (new_value_len != object_key->value_len) {
> >                         void *replacement_value;
> >                         replacement_value = malloc(new_value_len);
> >                         if (!replacement_value)
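Review bot: with the condition flipped to `!=`, the in-place memcpy is reached only when `new_value_len == object_key->value_len`, which is the one case where the existing block is guaranteed large enough; that part is right. The hunk's context stops at the `if (!replacement_value)` check, so it does not show whether the lines that follow free the old value, repoint `object_key->value` at `replacement_value` and set `object_key->value_len = new_value_len` before the copy. If `value_len` were left stale, the next replace would compare against the wrong size and the same overflow would come back, so it is worth confirming those three steps. A one-line comment above the `if`, e.g. `/* reallocate whenever the size changes; a longer value must never be copied into the old block */`, would also stop a later reader from "simplifying" `!=` back to a one-sided comparison.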
> > 
> > _______________________________________________
> > Openais mailing list
> > Openais at lists.linux-foundation.org
> > https://lists.linux-foundation.org/mailman/listinfo/openais
> 
-- 
Angus Salkeld

Allied Telesis Labs Ltd.
New Zealand
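The condition the patch flips, worked through as an added example for this page (not corosync's code and not the author's): a constructed `kv_key` record stands in for the objdb key, `overflow_bytes_before_fix` is a pure-arithmetic model of the pre-fix `<=` decision that reports how far a memcpy of the new value would run past the allocation, and `kv_key_replace` carries the post-fix `!=` check through to the free, repoint and length update that the quoted hunk's context does not show. All names are hypothetical; the 5-byte and 6-byte sizes are constructed to match the "block of size 5" in the valgrind report, not taken from the corosync configuration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an objdb key record (hypothetical; not the
 * corosync struct). The value is an opaque buffer of value_len bytes. */
struct kv_key {
    void *value;
    size_t value_len;
};

/* Models the pre-fix decision (new <= old): a fresh buffer of new_len bytes
 * is taken only when the new value is not longer than the old one; otherwise
 * the existing allocation of old_len bytes receives a memcpy of new_len
 * bytes. Returns how many bytes that copy would land past the end of the
 * buffer; 0 means the write stays in bounds. Arithmetic only, safe to run. */
static size_t overflow_bytes_before_fix(size_t old_len, size_t new_len)
{
    size_t capacity = (new_len <= old_len) ? new_len : old_len;
    return (new_len > capacity) ? new_len - capacity : 0;
}

/* The post-fix shape (new != old): whenever the length changes, allocate a
 * buffer of exactly new_len bytes, release the old one and record the new
 * length before copying, so the memcpy can never exceed the allocation.
 * Equal lengths reuse the buffer in place. Returns 0 on success, -1 if
 * malloc fails, in which case the key is left unchanged. */
static int kv_key_replace(struct kv_key *key, const void *new_value, size_t new_len)
{
    if (new_len != key->value_len) {
        /* malloc(0) may legally return NULL; ask for at least one byte */
        void *replacement = malloc(new_len ? new_len : 1);
        if (!replacement)
            return -1;
        free(key->value);
        key->value = replacement;
        key->value_len = new_len;
    }
    memcpy(key->value, new_value, new_len);
    return 0;
}

/* Replaces a 5-byte value with a 6-byte one (the grow case the valgrind
 * trace flagged), then with a 3-byte one, checking length and content after
 * each step. Returns 1 if every check passes, 0 otherwise. Inputs constructed. */
static int demo_grow_then_shrink(void)
{
    struct kv_key key = { NULL, 0 };
    int ok = 1;

    if (kv_key_replace(&key, "hello", 5) != 0)
        return 0;
    ok &= (key.value_len == 5 && memcmp(key.value, "hello", 5) == 0);

    /* grow: pre-fix code would have copied 6 bytes into the 5-byte block */
    if (kv_key_replace(&key, "world!", 6) != 0)
        ok = 0;
    else
        ok &= (key.value_len == 6 && memcmp(key.value, "world!", 6) == 0);

    /* shrink: a smaller allocation replaces the larger one */
    if (kv_key_replace(&key, "abc", 3) != 0)
        ok = 0;
    else
        ok &= (key.value_len == 3 && memcmp(key.value, "abc", 3) == 0);

    free(key.value);
    return ok;
}

int main(void)
{
    int ok = demo_grow_then_shrink();
    printf("bytes written past the block before the fix (5 -> 6): %zu\n",
           overflow_bytes_before_fix(5, 6));
    printf("fixed replace, grow then shrink: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Running it under valgrind as the original report was is the useful check: the fixed routine produces no invalid writes for any of the three transitions, while the model function makes explicit that the pre-fix `<=` branch leaves exactly `new_len - old_len` bytes unprotected whenever a value grows.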

