Fixed some bounds checking, and added some fairly rigorous memory

handling debug aids. No known memory corruption bugs remain, I think.
2025-06-02 07:20:49 +00:00 · 2012-03-22 17:10:27 +10:30 · 2012-03-22 17:10:27 +10:30 · 2b42f77ccf
commit 2b42f77ccf
parent 13d1d3084e
3 changed files with 77 additions and 13 deletions
--- a/overlay_buffer.c
+++ b/overlay_buffer.c
@ -80,7 +80,7 @@ int ob_makespace(overlay_buffer *b,int bytes)
    }
  }
-  if (0)
+  if (1)
    printf("ob_makespace(%p,%d)\n  b->bytes=%p,b->length=%d,b->allocSize=%d\n",
 	   b,bytes,b->bytes,b->length,b->allocSize);
@ -97,11 +97,33 @@ int ob_makespace(overlay_buffer *b,int bytes)
      }
      if (1) printf("  realloc(b->bytes=%p,newSize=%d)\n",
 	     b->bytes,newSize);
-#warning useless malloc() call to make sure that heap corruption check runs before we do any real work
+      /* XXX OSX realloc() seems to be able to corrupt things if the heap is not happy when calling realloc().
-      void *p=malloc(1);
+	 So will do a three-stage malloc,bcopy,free to see if we can tease the bug out that way. */
-      unsigned char *r=realloc(b->bytes,newSize);
+      /*
-      if (!r) return WHY("realloc() failed");
+	unsigned char *r=realloc(b->bytes,newSize);
-      b->bytes=r;
+	if (!r) return WHY("realloc() failed");
 	b->bytes=r; 
      */
 #warning adding lots of padding to try to catch overruns
      if (b->bytes) {
 	int i;
 	int corrupt=0;
 	for(i=0;i<4096;i++) if (b->bytes[b->allocSize+i]!=0xbd) corrupt++;
 	if (corrupt) {
 	  printf("!!!!!! %d corrupted bytes in overrun catch tray\n",corrupt);
 	  dump("overrun catch tray",&b->bytes[b->allocSize],4096);
 	  sleep(3600);
 	}
      }
      unsigned char *new=malloc(newSize+4096);
      if (!new) return WHY("realloc() failed");
      {
 	int i;
 	for(i=0;i<4096;i++) new[newSize+i]=0xbd;
      }
      bcopy(b->bytes,new,b->length);
      if (b->bytes) free(b->bytes);
      b->bytes=new;
      b->allocSize=newSize;
      return 0;
    }
@ -111,10 +133,12 @@ int ob_makespace(overlay_buffer *b,int bytes)
 int ob_setbyte(overlay_buffer *b,int ofs,unsigned char value)
 {
-  if (ofs<0||ofs>b->allocSize) {
+  if (ofs<0||ofs>=b->allocSize) {
    fprintf(stderr,"ERROR: Asked to set byte %d in overlay buffer %p, which has only %d allocated bytes.\n",
 	    ofs,b,b->allocSize);
-    exit(-1);
+#warning temporary debug
    sleep(3600);
    return -1;
  }
  b->bytes[ofs]=value;
  return 0;
@ -287,3 +311,27 @@ int ob_dump(overlay_buffer *b,char *desc)
    }
  return 0;
 }
 #undef malloc
 #undef calloc
 #undef free
 void *_serval_debug_malloc(unsigned int bytes,char *file,const char *func,int line)
 {
  void *r=malloc(bytes);
  fprintf(stderr,"%s:%d:%s(): malloc(%d) -> %p\n",file,line,func,bytes,r);
  return r;
 }
 void *_serval_debug_calloc(unsigned int bytes,unsigned int count,char *file,const char *func,int line)
 {
  void *r=calloc(bytes,count);
  fprintf(stderr,"%s:%d:%s(): calloc(%d,%d) -> %p\n",file,line,func,bytes,count,r);
  return r;
 }
 void _serval_debug_free(void *p,char *file,const char *func,int line)
 {
  free(p);
  fprintf(stderr,"%s:%d:%s(): free(%p)\n",file,line,func,p);
 }
--- a/rhizome_packetformats.c
+++ b/rhizome_packetformats.c
@ -73,9 +73,6 @@ int bundles_available=-1;
 int bundle_offset[2]={0,0};
 int overlay_rhizome_add_advertisements(int interface_number,overlay_buffer *e)
 {
 #warning Mac-specific debug thing here
  setenv("MallocScribble","1",1);
  int pass;
  int bytes=e->sizeLimit-e->length;
  int overhead=1+8+1+3+1+1+1; /* maximum overhead */
@ -195,9 +192,11 @@ int overlay_rhizome_add_advertisements(int interface_number,overlay_buffer *e)
 	    int overhead=0;
 	    int frameFull=0;
 	    if (!pass) overhead=2;
-	    printf("e=%p, e->bytes=%p,e->length=%d\n",e,e->bytes,e->length);
+	    printf("e=%p, e->bytes=%p,e->length=%d, e->allocSize=%d\n",
 		   e,e->bytes,e->length,e->allocSize);
-	    if (ob_makespace(e,overhead+blob_bytes)) {
+	    
 	    if (ob_makespace(e,overhead+2+blob_bytes)) {
 	      if (debug&DEBUG_RHIZOME) 
 		fprintf(stderr,"Stopped cramming %s into Rhizome advertisement frame.\n",
 			pass?"BARs":"manifests");
@ -205,6 +204,8 @@ int overlay_rhizome_add_advertisements(int interface_number,overlay_buffer *e)
 	    }
 	    if (!pass) {
 	      /* put manifest length field and manifest ID */
 	      /* XXX why on earth is this being done this way, instead of 
 		 with ob_append_byte() ??? */		
 	      ob_setbyte(e,e->length,(blob_bytes>>8)&0xff);
 	      ob_setbyte(e,e->length+1,(blob_bytes>>0)&0xff);
 	      if (debug&DEBUG_RHIZOME)
@ -213,6 +214,11 @@ int overlay_rhizome_add_advertisements(int interface_number,overlay_buffer *e)
 	    if (frameFull) { 
 	      goto stopStuffing;
 	    }
 	    if (e->length+overhead+blob_bytes>=e->allocSize) {
 	      WHY("Reading blob will overflow overlay_buffer");
 #warning temporary debug measure
 	      sleep(3600);
 	    }
 	    if (sqlite3_blob_read(blob,&e->bytes[e->length+overhead],blob_bytes,0)
 		!=SQLITE_OK) {
 	      if (!pass) {
--- a/serval.h
+++ b/serval.h
@ -1052,3 +1052,13 @@ extern int mdp_client_socket;
 int ob_bcopy(overlay_buffer *b,int from, int to, int len);
 int ob_setbyte(overlay_buffer *b,int ofs,unsigned char value);
 #define malloc(X) _serval_debug_malloc(X,__FILE__,__FUNCTION__,__LINE__)
 #define calloc(X,Y) _serval_debug_calloc(X,Y,__FILE__,__FUNCTION__,__LINE__)
 #define free(X) _serval_debug_free(X,__FILE__,__FUNCTION__,__LINE__)
 void *_serval_debug_malloc(unsigned int bytes,char *file,const char *func,int line);
 void *_serval_debug_calloc(unsigned int bytes,unsigned int count,char *file,const char *func,int line);
 void _serval_debug_free(void *p,char *file,const char *func,int line);