mirror of https://github.com/F-Stack/f-stack.git
7f92df961d
Ran F-Stack under valgrind and found this: ==2228== Invalid write of size 8 ==2228== at 0x4E05DA: AliasSctpInit (alias_sctp.c:641) ==2228== by 0x4DE565: LibAliasInit (alias_db.c:2503) ==2228== by 0x4E9B3B: nat44_config (ip_fw_nat.c:505) ==2228== by 0x4E9E91: nat44_cfg (ip_fw_nat.c:599) ==2228== by 0x4F1719: ipfw_ctl3 (ip_fw_sockopt.c:3666) ==2228== by 0x4B9954: rip_ctloutput (raw_ip.c:659) ==2228== by 0x447E11: sosetopt (uipc_socket.c:2505) ==2228== by 0x44BF4D: kern_setsockopt (uipc_syscalls.c:1407) ==2228== by 0x409F08: ff_setsockopt (ff_syscall_wrapper.c:412) ==2228== by 0x5277AA: handle_ipfw_msg (ff_dpdk_if.c:1146) ==2228== by 0x52788C: handle_msg (ff_dpdk_if.c:1196) ==2228== by 0x5289B8: process_msg_ring (ff_dpdk_if.c:1213) ==2228== Address 0x60779b0 is 4,800 bytes inside a block of size 4,802 alloc'd ==2228== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296) ==2228== by 0x509F15: ff_malloc (ff_host_interface.c:89) ==2228== by 0x4053BE: malloc (ff_glue.c:1021) ==2228== by 0x4E054E: AliasSctpInit (alias_sctp.c:632) ==2228== by 0x4DE565: LibAliasInit (alias_db.c:2503) ==2228== by 0x4E9B3B: nat44_config (ip_fw_nat.c:505) ==2228== by 0x4E9E91: nat44_cfg (ip_fw_nat.c:599) ==2228== by 0x4F1719: ipfw_ctl3 (ip_fw_sockopt.c:3666) ==2228== by 0x4B9954: rip_ctloutput (raw_ip.c:659) ==2228== by 0x447E11: sosetopt (uipc_socket.c:2505) ==2228== by 0x44BF4D: kern_setsockopt (uipc_syscalls.c:1407) ==2228== by 0x409F08: ff_setsockopt (ff_syscall_wrapper.c:412) ==2228== The allocating line (alias_sctp.c:632) is: `la->sctpNatTimer.TimerQ = sn_calloc(SN_TIMER_QUEUE_SIZE, sizeof(struct sctpTimerQ));` SN_TIMER_QUEUE_SIZE is defined as SN_MAX_TIMER+2, and when _SYS_MALLOC_H_ is defined sn_calloc(x, n) is defined as sn_malloc(x * n) without parenthesizing its arguments. The size expression therefore expands to sizeof(struct sctpTimerQ)*SN_MAX_TIMER+2 instead of sizeof(struct sctpTimerQ)*(SN_MAX_TIMER+2), so the allocation is 2*sizeof(struct sctpTimerQ)-2 bytes too small (in the trace above: a 4,802-byte block where 4,816 bytes were needed, given the 8-byte element written at offset 4,800). The initialisation loop at alias_sctp.c:641 runs up to SN_TIMER_QUEUE_SIZE and so writes the last two list heads past the end of the heap block — a heap buffer overflow, and any later access to TimerQ[SN_MAX_TIMER] or TimerQ[SN_MAX_TIMER+1] would be out of bounds as well: ``` /* Initialise circular timer Q*/ for (i = 0; i < SN_TIMER_QUEUE_SIZE; i++) LIST_INIT(&la->sctpNatTimer.TimerQ[i]); ``` The fix is to parenthesize the macro arguments, i.e. `#define sn_calloc(x, n) sn_malloc((x) * (n))`, which makes the allocation match the loop bound; the path above is reached from the ipfw NAT configuration setsockopt (nat44_cfg), so it is triggered whenever a NAT instance is created with SCTP support compiled in.