trying to find memory corruption bug, probably queue handling

related.
2024-12-18 20:57:56 +00:00 · 2012-04-20 17:10:57 +09:30 · 2012-04-20 17:10:57 +09:30 · 5c52c8e274
commit 5c52c8e274
parent 788cef0201
3 changed files with 26 additions and 7 deletions
--- a/keyring.c
+++ b/keyring.c
@ -241,9 +241,15 @@ void keyring_free_context(keyring_context *c)
 void keyring_free_identity(keyring_identity *id)
 {
  int i;
+  WHYF("id->PKRPin=%p\n",id->PKRPin);
  if (id->PKRPin) {
    /* Wipe pin before freeing (slightly tricky since this is a variable length string */
-    for(i=0;id->PKRPin[i];i++) id->PKRPin[i]=' '; i=0;
+    for(i=0;id->PKRPin[i];i++) {
+      fprintf(stderr,"clearing PIN char '%c'\n",id->PKRPin[i]);
+      id->PKRPin[i]=' '; }
+    i=0;
+    
+    WHYF("id->PKRPin=%p\n",id->PKRPin);
    free(id->PKRPin); id->PKRPin=NULL;
  }

@ -516,6 +522,8 @@ keyring_identity *keyring_unpack_identity(unsigned char *slot,char *pin)

  id->PKRPin=strdup(pin);

+  WHYF("id->PKRPin=%p\n",id->PKRPin);
+
  /* There was a known plain-text opportunity here:
     byte 96 must be 0x01, and some other bytes are likely deducible, e.g., the
     location of the trailing 0x00 byte can probably be guessed with confidence.
--- a/overlay_buffer.c
+++ b/overlay_buffer.c
@ -347,17 +347,19 @@ int ob_dump(overlay_buffer *b,char *desc)
 #undef malloc
 #undef calloc
 #undef free
+#undef realloc

+#define SDM_GUARD_AFTER 16384
 void *_serval_debug_malloc(unsigned int bytes,char *file,const char *func,int line)
 {
-  void *r=malloc(bytes);
+  void *r=malloc(bytes+SDM_GUARD_AFTER);
  fprintf(stderr,"%s:%d:%s(): malloc(%d) -> %p\n",file,line,func,bytes,r);
  return r;
 }

 void *_serval_debug_calloc(unsigned int bytes,unsigned int count,char *file,const char *func,int line)
 {
-  void *r=calloc(bytes,count);
+  void *r=calloc(bytes+SDM_GUARD_AFTER,count);
  fprintf(stderr,"%s:%d:%s(): calloc(%d,%d) -> %p\n",file,line,func,bytes,count,r);
  return r;
 }
--- a/overlay_interface.c
+++ b/overlay_interface.c
@ -583,14 +583,17 @@ int overlay_interface_discover()

 int overlay_stuff_packet_from_queue(int i,overlay_buffer *e,int q,long long now,overlay_frame *pax[],int *frame_pax,int frame_max_pax) 
 {
-  if (0) printf("Stuffing from queue #%d on interface #%d\n",q,i);
+  if (1) printf("Stuffing from queue #%d on interface #%d\n",q,i);
  overlay_frame **p=&overlay_tx[q].first;
-  while(p&&*p)
+  if (1) printf("A p=%p, *p=%p, queue=%d\n",p,*p,q);
+  while(p&&(*p))
    {
-      if (0) printf("p=%p, *p=%p, queue=%d\n",p,*p,q);
+      if (1) printf("B p=%p, *p=%p, queue=%d\n",p,*p,q);

      /* Throw away any stale frames */
-      overlay_frame *pp=*p;
+      overlay_frame *pp;
+
+      if (p) pp=*p;
      
      if (!pp) break;
      
@ -674,9 +677,15 @@ int overlay_stuff_packet_from_queue(int i,overlay_buffer *e,int q,long long now,
 	      }
 	  }
 	}
+
+      if (1) printf("C p=%p, *p=%p, queue=%d\n",p,*p,q);
+
      /* Consider next in queue */
      p=&(*p)->next;
+
+      if (1) printf("D p=%p, *p=%p, queue=%d\n",p,p?*p:-1,q);
    }
+  if (1) printf("returning from stuffing\n");
  return 0;
 }