mirror of https://github.com/F-Stack/f-stack.git
2aa28acdb3
Run with valgrind, and found this:
==2228== Invalid write of size 8
==2228== at 0x4E05DA: AliasSctpInit (alias_sctp.c:641)
==2228== by 0x4DE565: LibAliasInit (alias_db.c:2503)
==2228== by 0x4E9B3B: nat44_config (ip_fw_nat.c:505)
==2228== by 0x4E9E91: nat44_cfg (ip_fw_nat.c:599)
==2228== by 0x4F1719: ipfw_ctl3 (ip_fw_sockopt.c:3666)
==2228== by 0x4B9954: rip_ctloutput (raw_ip.c:659)
==2228== by 0x447E11: sosetopt (uipc_socket.c:2505)
==2228== by 0x44BF4D: kern_setsockopt (uipc_syscalls.c:1407)
==2228== by 0x409F08: ff_setsockopt (ff_syscall_wrapper.c:412)
==2228== by 0x5277AA: handle_ipfw_msg (ff_dpdk_if.c:1146)
==2228== by 0x52788C: handle_msg (ff_dpdk_if.c:1196)
==2228== by 0x5289B8: process_msg_ring (ff_dpdk_if.c:1213)
==2228== Address 0x60779b0 is 4,800 bytes inside a block of size 4,802
alloc'd
==2228== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==2228== by 0x509F15: ff_malloc (ff_host_interface.c:89)
==2228== by 0x4053BE: malloc (ff_glue.c:1021)
==2228== by 0x4E054E: AliasSctpInit (alias_sctp.c:632)
==2228== by 0x4DE565: LibAliasInit (alias_db.c:2503)
==2228== by 0x4E9B3B: nat44_config (ip_fw_nat.c:505)
==2228== by 0x4E9E91: nat44_cfg (ip_fw_nat.c:599)
==2228== by 0x4F1719: ipfw_ctl3 (ip_fw_sockopt.c:3666)
==2228== by 0x4B9954: rip_ctloutput (raw_ip.c:659)
==2228== by 0x447E11: sosetopt (uipc_socket.c:2505)
==2228== by 0x44BF4D: kern_setsockopt (uipc_syscalls.c:1407)
==2228== by 0x409F08: ff_setsockopt (ff_syscall_wrapper.c:412)
==2228==
The error line is:
`la->sctpNatTimer.TimerQ = sn_calloc(SN_TIMER_QUEUE_SIZE, sizeof(struct
sctpTimerQ));`
Since SN_TIMER_QUEUE_SIZE is defined as SN_MAX_TIMER+2, and sn_calloc is
defined as sn_malloc(x * n) if _SYS_MALLOC_H_ is defined, the size of
calloced memory will be wrong, because the macro will be expanded to
sizeof(struct sctpTimerQ)*SN_MAX_TIMER+2.
And the memory will be out of bounds here.
```
/* Initialise circular timer Q*/
for (i = 0; i < SN_TIMER_QUEUE_SIZE; i++)
LIST_INIT(&la->sctpNatTimer.TimerQ[i]);
```
|
||
|---|---|---|
| .. | ||
| cc | ||
| khelp | ||
| libalias | ||
| tcp_stacks | ||
| accf_data.c | ||
| accf_dns.c | ||
| accf_http.c | ||
| icmp6.h | ||
| icmp_var.h | ||
| if_atm.c | ||
| if_atm.h | ||
| if_ether.c | ||
| if_ether.h | ||
| igmp.c | ||
| igmp.h | ||
| igmp_var.h | ||
| in.c | ||
| in.h | ||
| in_cksum.c | ||
| in_debug.c | ||
| in_fib.c | ||
| in_fib.h | ||
| in_gif.c | ||
| in_kdtrace.c | ||
| in_kdtrace.h | ||
| in_mcast.c | ||
| in_pcb.c | ||
| in_pcb.h | ||
| in_pcbgroup.c | ||
| in_proto.c | ||
| in_rmx.c | ||
| in_rss.c | ||
| in_rss.h | ||
| in_systm.h | ||
| in_var.h | ||
| ip.h | ||
| ip6.h | ||
| ip_carp.c | ||
| ip_carp.h | ||
| ip_divert.c | ||
| ip_divert.h | ||
| ip_dummynet.h | ||
| ip_ecn.c | ||
| ip_ecn.h | ||
| ip_encap.c | ||
| ip_encap.h | ||
| ip_fastfwd.c | ||
| ip_fw.h | ||
| ip_gre.c | ||
| ip_icmp.c | ||
| ip_icmp.h | ||
| ip_id.c | ||
| ip_input.c | ||
| ip_ipsec.c | ||
| ip_ipsec.h | ||
| ip_mroute.c | ||
| ip_mroute.h | ||
| ip_options.c | ||
| ip_options.h | ||
| ip_output.c | ||
| ip_reass.c | ||
| ip_var.h | ||
| pim.h | ||
| pim_var.h | ||
| raw_ip.c | ||
| sctp.h | ||
| sctp_asconf.c | ||
| sctp_asconf.h | ||
| sctp_auth.c | ||
| sctp_auth.h | ||
| sctp_bsd_addr.c | ||
| sctp_bsd_addr.h | ||
| sctp_cc_functions.c | ||
| sctp_constants.h | ||
| sctp_crc32.c | ||
| sctp_crc32.h | ||
| sctp_dtrace_declare.h | ||
| sctp_dtrace_define.h | ||
| sctp_header.h | ||
| sctp_indata.c | ||
| sctp_indata.h | ||
| sctp_input.c | ||
| sctp_input.h | ||
| sctp_lock_bsd.h | ||
| sctp_os.h | ||
| sctp_os_bsd.h | ||
| sctp_output.c | ||
| sctp_output.h | ||
| sctp_pcb.c | ||
| sctp_pcb.h | ||
| sctp_peeloff.c | ||
| sctp_peeloff.h | ||
| sctp_ss_functions.c | ||
| sctp_structs.h | ||
| sctp_syscalls.c | ||
| sctp_sysctl.c | ||
| sctp_sysctl.h | ||
| sctp_timer.c | ||
| sctp_timer.h | ||
| sctp_uio.h | ||
| sctp_usrreq.c | ||
| sctp_var.h | ||
| sctputil.c | ||
| sctputil.h | ||
| siftr.c | ||
| tcp.h | ||
| tcp_debug.c | ||
| tcp_debug.h | ||
| tcp_fastopen.c | ||
| tcp_fastopen.h | ||
| tcp_fsm.h | ||
| tcp_hostcache.c | ||
| tcp_hostcache.h | ||
| tcp_input.c | ||
| tcp_lro.c | ||
| tcp_lro.h | ||
| tcp_offload.c | ||
| tcp_offload.h | ||
| tcp_output.c | ||
| tcp_pcap.c | ||
| tcp_pcap.h | ||
| tcp_reass.c | ||
| tcp_sack.c | ||
| tcp_seq.h | ||
| tcp_subr.c | ||
| tcp_syncache.c | ||
| tcp_syncache.h | ||
| tcp_timer.c | ||
| tcp_timer.h | ||
| tcp_timewait.c | ||
| tcp_usrreq.c | ||
| tcp_var.h | ||
| tcpip.h | ||
| toecore.c | ||
| toecore.h | ||
| udp.h | ||
| udp_usrreq.c | ||
| udp_var.h | ||
| udplite.h | ||