X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by onstor-exch02.onstor.net 
	id <01C80CF7.BFA34616@onstor-exch02.onstor.net>; Fri, 12 Oct 2007 09:45:59 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C80CF7.BFA34616"
Content-class: urn:content-classes:message
Subject: FW: dmalloc question
Date: Fri, 12 Oct 2007 09:45:59 -0800
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E030E38F2@onstor-exch02.onstor.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: dmalloc question
Thread-Index: AcgLlZ0K4kn0ISoJRzer0mOb2hXVGwAAKZagAAAy9hAAABkZMAA1tGsAAAOfwcoAHqZ7UA==
From: "Mike Lee" <mike.lee@onstor.com>
To: "dl-Software" <dl-software@onstor.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C80CF7.BFA34616
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Team:
Per recommendation from Tim, I'm sending this finding to this distribution list.
It involves a call to memcpy where we are specifying a size larger than what the source was allocated with.
It may be easier to reference the code I described.
Thanks.
-Mike

  _____

From: Mike Lee
Sent: Thu 10/11/2007 8:00 PM
To: Maxim Kozlovsky; dl-Cougar
Subject: RE: dmalloc question



Max & All:

Hats off to Jeff, who has it figured out...

In the memcpy() call at hand, the size of the copy operation is incorrectly set to be sizeof(nfx_eventMsg_t), inside event_forwardToLocalApps().

Instead, we should use the actual message size, as encapsulated in the len field of the rmc_sg_t structure:

    184 /* SSC side scatter gather list */
    185 typedef struct rmc_sg_s {
    186     void    *buf;
    187     size_t  len;
    188 } rmc_sg_t;

Tracing the RMC message to its origin, the scatter gather list element (i.e. memcpy source) is actually allocated in cshare_sendEvent(), cmd_cshare.c:

    147     nfx_eventMsg_t *event;
    148     cshare_event_t *cshareEvent;
    149     int size;
    150     int baseSize = (offsetof(nfx_eventMsg_t, param.cshareEvent) +
    151                     sizeof(*cshareEvent) + SUM_CIFS_DSHARE_LENGTHS(dshare));
    152
    153     switch (changeType) {
    154         case EVENT_CSHARE_ADD:
    155         case EVENT_CSHARE_MODIFY:
    156         case EVENT_CSHARE_DELETE:
    157             size = baseSize;
    158             break;
    :
    167     }
    168     event = malloc(size);

The size value is eventually passed into rmc_send_msg() where it gets copied into the len field mentioned above.

So, at least for the case where size is less than the sizeof(nfx_eventMsg_t), we can hit the reading-beyond-allocated-range problem, as flagged by dmalloc().

(There is also the case where the message gets fragmented into mtu parts to consider).

Unfortunately, there is a disconnect where the len field is not readily available to the violating event function.

I will probably need to modify function signatures to fix this one.

Also, Jeff and I suspect that we may have similar problems in other RMC clients, as we tend to copy code around.

-Mike

	 -----Original Message-----
	From:   Maxim Kozlovsky
	Sent:   Wednesday, October 10, 2007 4:45 PM
	To:     Mike Lee; dl-Cougar
	Subject:        RE: dmalloc question

	No it does not.

	_dmalloc_memcpy (file=0x40dc80 "event.c", line=591, to=0x2aae1078, from=0x2aaeec78, len=1248)

	pointer '0x2aaeec78' is the "from", not "to".

	_____________________________________________
From: Mike Lee
Sent: Wednesday, October 10, 2007 4:43 PM
To: Maxim Kozlovsky; dl-Cougar
Subject: RE: dmalloc question

	Max:

	I thought of that possibility, but the log from dmalloc indicates that it was complaining about the destination:

	1192040788: 3426:   pointer '0x2aaeec78' from 'unknown' prev access 'rmc_api.c:2061'
	1192040788: 3426: ERROR: memcpy: use of pointer would exceed allocation (err 28)

	However, I will also review the code pertinent to the memcpy source.

	Thanks!
	-Mike

	 -----Original Message-----
	From:   Maxim Kozlovsky
	Sent:   Wednesday, October 10, 2007 4:39 PM
	To:     Mike Lee; dl-Cougar
	Subject:        RE: dmalloc question

	The error must be not on the target of the memcpy but on the source.

	In my build, this is reproducible by doing "cifs share create"

	_____________________________________________
From: Mike Lee
Sent: Wednesday, October 10, 2007 4:31 PM
To: dl-Cougar
Subject: dmalloc question

	To the software members of the team:

	Concerning the dmalloc error from eventd that Max collected...

	The dmalloc log indicates the following:

	1192040788: 3426: process pid = 1816
	1192040788: 3426:   error details: pointer-check
	1192040788: 3426:   pointer '0x2aaeec78' from 'unknown' prev access 'rmc_api.c:2061'
	1192040788: 3426: ERROR: memcpy: use of pointer would exceed allocation (err 28)

	While the stack frames of interest from the corresponding eventd core are:

	#8  0x2b581134 in _dmalloc_memcpy (file=0x40dc80 "event.c", line=591, to=0x2aae1078, from=0x2aaeec78, len=1248) at arg_check.c:251
	#9  0x00403be8 in rmc_async_send (sess=0x484aa0, buf=0x2aaeec78, bufsz=1248, tag=0, rpc_id=0, mode=8) at event.c:591
	#10 0x00404638 in event_forwardToLocalApps (eventMsg=0x2aaeec78, eventId=36) at event.c:719

	Focusing on Frame 9 where the memcpy() call resides:

	event.c, rmc_async_send()

	    578 rmc_async_send(evt_rmc_session_t *sess, void *buf, ssize_t bufsz,
	    579                    uint32_t tag, uint32_t rpc_id, uint32_t mode)
	    580 {
	    :
	    585     msg = (rmc_msg_t *)rmc_alloc_msg(bufsz);
	    586     if (msg == NULL) {
	    587         ASSERT(0);
	    588         return RMC_NOMEM;
	    589     }
	    590
	    591     memcpy(msg->sg_list[0].buf, buf, bufsz);

	It would appear that perhaps rmc_alloc_msg() is not allocating enough.

	However, my review of rmc_alloc_msg(), with help from Rendell, did not identify any problem.

	   2054 API rmc_msg_t *
	   2055 rmc_alloc_msg(int32 sz)
	   2056 {
	   2057     rmc_msg_t *msg;
	   2058
	   2059     if (!(msg = (rmc_msg_t *)calloc(sizeof(rmc_msg_t) + sz, 1))) {
	   2060         //return NULL;
	   2061         // May be leaking memory.  Abort and let pm restart the daemons.
	   2062         abort();
	   2063     }
	   2064
	   2065     if (sz) {
	   2066         msg->sg_cnt = 1;
	   2067         msg->sg_list[0].buf = ((char *)msg + sizeof(rmc_msg_t));  <======= I think this setting is okay, though unconventional
	   2068         msg->sg_list[0].len = sz;
	   2069         msg->ihdr.msg_len = sz;
	   2070
	   2071     } else {
	   2072         msg->sg_cnt = 0;
	   2073         msg->ihdr.msg_len = 0;
	   2074     }
	   2075
	   2076     /* JTOF - we set the type here (negative for RMC) so apps know
	   2077      * if they did the alloc or the RMC layer did. It's not checked
	   2078      * by the free routine because we alloc mallocs - if/when a
	   2079      * pre-allocated list is added, this flag will be used to
	   2080      * mark these messages
	   2081      */
	   2082     msg->memtyp = -1;
	   2083     return msg;
	   2084 }

	Though the single call to calloc() is a little unusual, I don't see a problem with this efficient logic.

	So, my question is: could dmalloc report false-positives?

	Also, should I break this calloc call into two calls (one for msg and the other for buf), for the sake of clarity?

	Thanks.

	-Mike
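The following is an added illustration of the bug the thread converges on; it is not code from the Onstor thread or its RMC layer, and every struct layout, field name and size in it (nfx_eventMsg_t with a small cshareEvent variant and a larger union member, rmc_msg_t, the tracker arrays) is a hypothetical stand-in. It models a sender that allocates only offsetof(...) + sizeof(small variant) bytes, a forwarder that sizes memcpy() by sizeof(nfx_eventMsg_t), and an rmc_alloc_msg() that carves the payload out of a single calloc(). A small allocation tracker plays the role of dmalloc's pointer-check and refuses any memcpy() whose source or destination would run past its allocation; it goes slightly beyond the thread by checking both 'to' and 'from' and reporting which side failed. forward(..., fixed=0) reproduces the over-read; forward(..., fixed=1) is the corrected version that carries the real length down from the allocation.

```c
/* Added example (not Onstor code): a self-contained model of the over-read in
 * the thread. Struct layouts, field names and sizes are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* sizeof() covers the largest union member; a cshare event is allocated only
 * through the small variant (offsetof() + sizeof(*cshareEvent)). */
typedef struct {
    uint32_t eventId;
    union {
        struct { uint16_t nameLen; char name[8]; } cshareEvent; /* small variant */
        char other[1200];                                        /* a larger variant */
    } param;
} nfx_eventMsg_t;

/* Message wrapper with the payload in the same allocation, like rmc_alloc_msg(). */
typedef struct { void *buf; size_t len; } rmc_sg_t;
typedef struct { size_t msg_len; int sg_cnt; rmc_sg_t sg_list[1]; } rmc_msg_t;

/* Minimal allocation tracker standing in for dmalloc's pointer-check. */
static struct { void *p; size_t n; } tracked[64]; static int n_tracked;

static void *tracked_calloc(size_t n) {
    void *p = calloc(n, 1);
    if (p && n_tracked < (int)(sizeof tracked / sizeof tracked[0])) { tracked[n_tracked].p = p; tracked[n_tracked++].n = n; }
    return p;
}

static void tracked_free(void *p) {
    for (int i = 0; i < n_tracked; i++)
        if (tracked[i].p == p) { tracked[i] = tracked[--n_tracked]; break; }
    free(p);
}

/* 1 if [p, p+len) lies inside one tracked allocation, else 0. */
static int in_bounds(const void *p, size_t len) {
    const char *q = p;
    for (int i = 0; i < n_tracked; i++) {
        const char *base = tracked[i].p;
        if (q >= base && q + len <= base + tracked[i].n) return 1;
    }
    return 0;
}

/* Checked memcpy: validates 'from' and 'to' (dmalloc checks both; in the thread
 * the offending pointer was 'from'). Returns 0 and copies nothing on violation. */
static int checked_memcpy(void *to, const void *from, size_t len) {
    if (!in_bounds(from, len)) { fprintf(stderr, "memcpy: source would exceed allocation\n"); return 0; }
    if (!in_bounds(to, len)) { fprintf(stderr, "memcpy: destination would exceed allocation\n"); return 0; }
    memcpy(to, from, len);
    return 1;
}

/* One calloc for header plus payload, buf pointing just past the header. */
static rmc_msg_t *rmc_alloc_msg(size_t sz) {
    rmc_msg_t *msg = tracked_calloc(sizeof(rmc_msg_t) + sz);
    if (!msg) return NULL;
    msg->sg_cnt = 1;
    msg->sg_list[0].buf = (char *)msg + sizeof(rmc_msg_t);
    msg->sg_list[0].len = msg->msg_len = sz;
    return msg;
}

/* Bytes actually allocated for a cshare event: header plus the small variant. */
size_t cshare_event_size(void) {
    return offsetof(nfx_eventMsg_t, param.cshareEvent) + sizeof(((nfx_eventMsg_t *)0)->param.cshareEvent);
}

/* Forwarder in the role of event_forwardToLocalApps(): 'fixed' selects whether
 * the copy is sized by the type (the bug) or by the caller's length (the fix). */
static int forward(const nfx_eventMsg_t *ev, size_t ev_len, int fixed) {
    size_t n = fixed ? ev_len : sizeof *ev;
    rmc_msg_t *m = rmc_alloc_msg(n);
    int ok = m && checked_memcpy(m->sg_list[0].buf, ev, n);
    tracked_free(m);
    return ok;
}

/* Build one constructed cshare event at its real size and forward it:
 * 1 = copy went through, 0 = checker refused it, -1 = out of memory. */
int demo(int fixed) {
    size_t len = cshare_event_size();
    nfx_eventMsg_t *ev = tracked_calloc(len);
    if (!ev) return -1;
    ev->eventId = 36;
    ev->param.cshareEvent.nameLen = 5;
    memcpy(ev->param.cshareEvent.name, "share", 5);
    int r = forward(ev, len, fixed);
    tracked_free(ev);
    return r;
}

int main(void) {
    printf("sized by type: %d, sized by allocation: %d\n", demo(0), demo(1));
    return 0;
}
```

Built with any C99 compiler, the type-sized copy is refused and the length-sized copy goes through. The pattern generalises to any heap object whose allocated size is smaller than its declared type, which is why the fix the thread settles on is to pass the real length (the rmc_sg_t len, or the original malloc size) through the call chain rather than to rely on sizeof() at the copy site.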


------_=_NextPart_001_01C80CF7.BFA34616--
