Fixed some bounds checking, and added some fairly rigorous memory

handling debug aids. No known memory corruption bugs remain, I think.
2025-03-11 15:03:56 +00:00 · 2012-03-22 17:10:27 +10:30 · 2012-03-22 17:10:27 +10:30 · 2b42f77ccf
commit 2b42f77ccf
parent 13d1d3084e
3 changed files with 77 additions and 13 deletions
--- a/overlay_buffer.c
+++ b/overlay_buffer.c
@ -80,7 +80,7 @@ int ob_makespace(overlay_buffer *b,int bytes)
    }
  }

-  if (0)
+  if (1)
    printf("ob_makespace(%p,%d)\n  b->bytes=%p,b->length=%d,b->allocSize=%d\n",
 	   b,bytes,b->bytes,b->length,b->allocSize);

@ -97,11 +97,33 @@ int ob_makespace(overlay_buffer *b,int bytes)
      }
      if (1) printf("  realloc(b->bytes=%p,newSize=%d)\n",
 	     b->bytes,newSize);
-#warning useless malloc() call to make sure that heap corruption check runs before we do any real work
-      void *p=malloc(1);
+      /* XXX OSX realloc() seems to be able to corrupt things if the heap is not happy when calling realloc().
+	 So will do a three-stage malloc,bcopy,free to see if we can tease the bug out that way. */
+      /*
 	unsigned char *r=realloc(b->bytes,newSize);
 	if (!r) return WHY("realloc() failed");
 	b->bytes=r; 
+      */
+#warning adding lots of padding to try to catch overruns
+      if (b->bytes) {
+	int i;
+	int corrupt=0;
+	for(i=0;i<4096;i++) if (b->bytes[b->allocSize+i]!=0xbd) corrupt++;
+	if (corrupt) {
+	  printf("!!!!!! %d corrupted bytes in overrun catch tray\n",corrupt);
+	  dump("overrun catch tray",&b->bytes[b->allocSize],4096);
+	  sleep(3600);
+	}
+      }
+      unsigned char *new=malloc(newSize+4096);
+      if (!new) return WHY("realloc() failed");
+      {
+	int i;
+	for(i=0;i<4096;i++) new[newSize+i]=0xbd;
+      }
+      bcopy(b->bytes,new,b->length);
+      if (b->bytes) free(b->bytes);
+      b->bytes=new;
      b->allocSize=newSize;
      return 0;
    }
@ -111,10 +133,12 @@ int ob_makespace(overlay_buffer *b,int bytes)

 int ob_setbyte(overlay_buffer *b,int ofs,unsigned char value)
 {
-  if (ofs<0||ofs>b->allocSize) {
+  if (ofs<0||ofs>=b->allocSize) {
    fprintf(stderr,"ERROR: Asked to set byte %d in overlay buffer %p, which has only %d allocated bytes.\n",
 	    ofs,b,b->allocSize);
-    exit(-1);
+#warning temporary debug
+    sleep(3600);
+    return -1;
  }
  b->bytes[ofs]=value;
  return 0;
@ -287,3 +311,27 @@ int ob_dump(overlay_buffer *b,char *desc)
    }
  return 0;
 }
+
+#undef malloc
+#undef calloc
+#undef free
+
+void *_serval_debug_malloc(unsigned int bytes,char *file,const char *func,int line)
+{
+  void *r=malloc(bytes);
+  fprintf(stderr,"%s:%d:%s(): malloc(%d) -> %p\n",file,line,func,bytes,r);
+  return r;
+}
+
+void *_serval_debug_calloc(unsigned int bytes,unsigned int count,char *file,const char *func,int line)
+{
+  void *r=calloc(bytes,count);
+  fprintf(stderr,"%s:%d:%s(): calloc(%d,%d) -> %p\n",file,line,func,bytes,count,r);
+  return r;
+}
+
+void _serval_debug_free(void *p,char *file,const char *func,int line)
+{
+  free(p);
+  fprintf(stderr,"%s:%d:%s(): free(%p)\n",file,line,func,p);
+}
--- a/rhizome_packetformats.c
+++ b/rhizome_packetformats.c
@ -73,9 +73,6 @@ int bundles_available=-1;
 int bundle_offset[2]={0,0};
 int overlay_rhizome_add_advertisements(int interface_number,overlay_buffer *e)
 {
-#warning Mac-specific debug thing here
-  setenv("MallocScribble","1",1);
-
  int pass;
  int bytes=e->sizeLimit-e->length;
  int overhead=1+8+1+3+1+1+1; /* maximum overhead */
@ -195,9 +192,11 @@ int overlay_rhizome_add_advertisements(int interface_number,overlay_buffer *e)
 	    int overhead=0;
 	    int frameFull=0;
 	    if (!pass) overhead=2;
-	    printf("e=%p, e->bytes=%p,e->length=%d\n",e,e->bytes,e->length);
+	    printf("e=%p, e->bytes=%p,e->length=%d, e->allocSize=%d\n",
+		   e,e->bytes,e->length,e->allocSize);
 	    
-	    if (ob_makespace(e,overhead+blob_bytes)) {
+	    
+	    if (ob_makespace(e,overhead+2+blob_bytes)) {
 	      if (debug&DEBUG_RHIZOME) 
 		fprintf(stderr,"Stopped cramming %s into Rhizome advertisement frame.\n",
 			pass?"BARs":"manifests");
@ -205,6 +204,8 @@ int overlay_rhizome_add_advertisements(int interface_number,overlay_buffer *e)
 	    }
 	    if (!pass) {
 	      /* put manifest length field and manifest ID */
+	      /* XXX why on earth is this being done this way, instead of 
+		 with ob_append_byte() ??? */		
 	      ob_setbyte(e,e->length,(blob_bytes>>8)&0xff);
 	      ob_setbyte(e,e->length+1,(blob_bytes>>0)&0xff);
 	      if (debug&DEBUG_RHIZOME)
@ -213,6 +214,11 @@ int overlay_rhizome_add_advertisements(int interface_number,overlay_buffer *e)
 	    if (frameFull) { 
 	      goto stopStuffing;
 	    }
+	    if (e->length+overhead+blob_bytes>=e->allocSize) {
+	      WHY("Reading blob will overflow overlay_buffer");
+#warning temporary debug measure
+	      sleep(3600);
+	    }
 	    if (sqlite3_blob_read(blob,&e->bytes[e->length+overhead],blob_bytes,0)
 		!=SQLITE_OK) {
 	      if (!pass) {
--- a/serval.h
+++ b/serval.h
@ -1052,3 +1052,13 @@ extern int mdp_client_socket;

 int ob_bcopy(overlay_buffer *b,int from, int to, int len);
 int ob_setbyte(overlay_buffer *b,int ofs,unsigned char value);
+
+#define malloc(X) _serval_debug_malloc(X,__FILE__,__FUNCTION__,__LINE__)
+#define calloc(X,Y) _serval_debug_calloc(X,Y,__FILE__,__FUNCTION__,__LINE__)
+#define free(X) _serval_debug_free(X,__FILE__,__FUNCTION__,__LINE__)
+
+void *_serval_debug_malloc(unsigned int bytes,char *file,const char *func,int line);
+void *_serval_debug_calloc(unsigned int bytes,unsigned int count,char *file,const char *func,int line);
+void _serval_debug_free(void *p,char *file,const char *func,int line);
+
+