X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by onstor-exch02.onstor.net 
	id <01C80C7C.0F53BF78@onstor-exch02.onstor.net>; Thu, 11 Oct 2007 19:00:35 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C80C7C.0F53BF78"
Content-class: urn:content-classes:message
Subject: RE: dmalloc question
Date: Thu, 11 Oct 2007 19:00:35 -0800
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E030E38F1@onstor-exch02.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E05EF1454@onstor-exch02.onstor.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: dmalloc question
Thread-Index: AcgLlZ0K4kn0ISoJRzer0mOb2hXVGwAAKZagAAAy9hAAABkZMAA1tGsA
From: "Mike Lee" <mike.lee@onstor.com>
To: "Maxim Kozlovsky" <maxim.kozlovsky@onstor.com>,
	"dl-Cougar" <dl-Cougar@onstor.com>

Max & All:

Hats off to Jeff, who has it figured out...

In the memcpy() call at hand, the size of the copy operation is
incorrectly set to be sizeof(nfx_eventMsg_t), inside
event_forwardToLocalApps().

Instead, we should use the actual message size, as encapsulated in the
len field of the rmc_sg_t structure:
    184 /* SSC side scatter gather list */
    185 typedef struct rmc_sg_s {
    186     void    *buf;
    187     size_t  len;
    188 } rmc_sg_t;

Tracing the RMC message to its origin, the scatter gather list element
(i.e. memcpy source) is actually allocated in cshare_sendEvent(),
cmd_cshare.c:
    147     nfx_eventMsg_t *event;
    148     cshare_event_t *cshareEvent;
    149     int size;
    150     int baseSize = (offsetof(nfx_eventMsg_t, param.cshareEvent) +
    151                     sizeof(*cshareEvent) + SUM_CIFS_DSHARE_LENGTHS(dshare));
    152 
    153     switch (changeType) {
    154         case EVENT_CSHARE_ADD:
    155         case EVENT_CSHARE_MODIFY:
    156         case EVENT_CSHARE_DELETE:
    157             size = baseSize;
    158             break;
:
    167     }
    168     event = malloc(size);
The size value is eventually passed into rmc_send_msg() where it gets
copied into the len field mentioned above.

So, at least for the case where size is less than the
sizeof(nfx_eventMsg_t), we can hit the reading-beyond-allocated-range
problem, as flagged by dmalloc().
(There is also the case where the message gets fragmented into mtu parts
to consider).

Unfortunately, there is a disconnect where the len field is not
readily available to the violating event function.
I will probably need to modify function signatures to fix this one.
Also, Jeff and I suspect that we may have similar problems in other RMC
clients, as we tend to copy code around.

-Mike

>  -----Original Message-----
> From: 	Maxim Kozlovsky
> Sent:	Wednesday, October 10, 2007 4:45 PM
> To:	Mike Lee; dl-Cougar
> Subject:	RE: dmalloc question
> 
> No it does not.
> 
> _dmalloc_memcpy (file=0x40dc80 "event.c", line=591, to=0x2aae1078,
> from=0x2aaeec78, len=1248)
> 
> pointer '0x2aaeec78' is the "from", not "to".
> 
> _____________________________________________
> From: Mike Lee
> Sent: Wednesday, October 10, 2007 4:43 PM
> To: Maxim Kozlovsky; dl-Cougar
> Subject: RE: dmalloc question
> 
> Max:
> I thought of that possibility, but the log from malloc indicates that
> it was complaining about the destination:
> 1192040788: 3426:   pointer '0x2aaeec78' from 'unknown' prev access
> 'rmc_api.c:2061'
> 1192040788: 3426: ERROR: memcpy: use of pointer would exceed
> allocation (err 28)
> However, I will also review the code pertinent to the memcpy source.
> Thanks!
> -Mike
> 
> 	 -----Original Message-----
> 	From: 	Maxim Kozlovsky
> 	Sent:	Wednesday, October 10, 2007 4:39 PM
> 	To:	Mike Lee; dl-Cougar
> 	Subject:	RE: dmalloc question
> 
> 	The error must be not on the target of the memcpy but on the
> source.
> 
> 	In my build, this is reproducible by doing "cifs share create"
> 
> 	_____________________________________________
> 	From: Mike Lee
> 	Sent: Wednesday, October 10, 2007 4:31 PM
> 	To: dl-Cougar
> 	Subject: dmalloc question
> 
> 	To the software members of the team:
> 
> 	Concerning the dmalloc error from eventd that Max collected...
> 
> 	The dmalloc log indicates the following:
> 	1192040788: 3426: process pid = 1816
> 	1192040788: 3426:   error details: pointer-check
> 	1192040788: 3426:   pointer '0x2aaeec78' from 'unknown' prev
> access 'rmc_api.c:2061'
> 	1192040788: 3426: ERROR: memcpy: use of pointer would exceed
> allocation (err 28)
> 
> 	While the stack frames of interest from the corresponding eventd
> core are:
> 	#8  0x2b581134 in _dmalloc_memcpy (file=0x40dc80 "event.c",
> line=591, to=0x2aae1078, from=0x2aaeec78, len=1248) at arg_check.c:251
> 	#9  0x00403be8 in rmc_async_send (sess=0x484aa0, buf=0x2aaeec78,
> bufsz=1248, tag=0, rpc_id=0, mode=8) at event.c:591
> 	#10 0x00404638 in event_forwardToLocalApps (eventMsg=0x2aaeec78,
> eventId=36) at event.c:719
> 
> 	Focusing on Frame 9 where the memcpy() call resides:
> 	event.c, rmc_async_send()
> 	    578 rmc_async_send(evt_rmc_session_t *sess, void *buf, ssize_t bufsz,
> 	    579                    uint32_t tag, uint32_t rpc_id, uint32_t mode)
> 	    580 {
> 	:
> 	    585     msg = (rmc_msg_t *)rmc_alloc_msg(bufsz);
> 	    586     if (msg == NULL) {
> 	    587         ASSERT(0);
> 	    588         return RMC_NOMEM;
> 	    589     }
> 	    590
> 	    591     memcpy(msg->sg_list[0].buf, buf, bufsz);
> 
> 	It would appear that perhaps rmc_alloc_msg() is not allocating
> enough.
> 	However, my review of rmc_alloc_msg(), with help from Rendell,
> did not identify any problem.
> 	   2054 API rmc_msg_t *
> 	   2055 rmc_alloc_msg(int32 sz)
> 	   2056 {
> 	   2057     rmc_msg_t *msg;
> 	   2058 
> 	   2059     if (!(msg = (rmc_msg_t *)calloc(sizeof(rmc_msg_t) + sz, 1))) {
> 	   2060         //return NULL;
> 	   2061         // May be leaking memory.  Abort and let pm restart the daemons.
> 	   2062         abort();
> 	   2063     }
> 	   2064 
> 	   2065     if (sz) {
> 	   2066         msg->sg_cnt = 1;
> 	   2067         msg->sg_list[0].buf = ((char *)msg + sizeof(rmc_msg_t));  <======= I think this setting is okay, though unconventional
> 	   2068         msg->sg_list[0].len = sz;
> 	   2069         msg->ihdr.msg_len = sz;
> 	   2070 
> 	   2071     } else {
> 	   2072         msg->sg_cnt = 0;
> 	   2073         msg->ihdr.msg_len = 0;
> 	   2074     }
> 	   2075 
> 	   2076     /* JTOF - we set the type here (negative for RMC) so apps know
> 	   2077      * if they did the alloc or the RMC layer did. It's not checked
> 	   2078      * by the free routine because we alloc mallocs - if/when a
> 	   2079      * pre-allocated list is added, this flag will be used to
> 	   2080      * mark these messages
> 	   2081      */
> 	   2082     msg->memtyp = -1;
> 	   2083     return msg;
> 	   2084 }
> 
> 	Though the single call to calloc() is a little unusual, I don't
> see a problem with this efficient logic.
> 	So, my question is: could dmalloc report false-positives?
> 	Also, should I break this calloc call into two calls (one for
> msg and the other for buf), for sake of clarity?
> 
> 	Thanks.
> 
> 	-Mike
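As an added example that is not the project's code, the C program below reproduces the size mismatch the thread arrives at: a cshare event is allocated with the offsetof-based baseSize, so a copy sized by sizeof(nfx_eventMsg_t) reads past the source allocation, while a copy sized by the scatter-gather len stays in bounds. The structure layouts, alloc_msg() and forward_event() are constructed stand-ins for nfx_eventMsg_t, cshare_event_t, rmc_sg_t, rmc_msg_t and rmc_alloc_msg(), not the real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the structures named in the thread; not the
 * project's own definitions. The union makes sizeof(nfx_eventMsg_t) much
 * larger than the cshare variant that is actually allocated. */
typedef struct { uint32_t shareId; char name[16]; } cshare_event_t;

typedef struct {
    uint32_t eventId;
    union {
        cshare_event_t cshareEvent;
        unsigned char  otherEvent[1024];  /* some larger event variant */
    } param;
} nfx_eventMsg_t;

/* Scatter-gather element: buffer pointer plus its length, as on the page. */
typedef struct { void *buf; size_t len; } rmc_sg_t;

typedef struct {
    int      sg_cnt;
    rmc_sg_t sg_list[1];   /* payload bytes follow the header in memory */
} rmc_msg_t;

/* Mirrors the single-calloc pattern of rmc_alloc_msg(): header and payload
 * come from one allocation, and len records the payload size. */
static rmc_msg_t *alloc_msg(size_t sz) {
    rmc_msg_t *msg = calloc(sizeof(rmc_msg_t) + sz, 1);
    if (msg == NULL) return NULL;
    msg->sg_cnt = sz ? 1 : 0;
    msg->sg_list[0].buf = (char *)msg + sizeof(rmc_msg_t);
    msg->sg_list[0].len = sz;
    return msg;
}

/* Bytes really allocated for a cshare event: header up to the union plus
 * the cshare payload only (the baseSize computation from cmd_cshare.c). */
size_t cshare_event_size(void) {
    return offsetof(nfx_eventMsg_t, param.cshareEvent) + sizeof(cshare_event_t);
}

/* How far a copy of copy_len bytes reads past a source of src_len bytes.
 * 0 means the copy stays inside the source allocation. */
size_t overread_bytes(size_t copy_len, size_t src_len) {
    return copy_len > src_len ? copy_len - src_len : 0;
}

/* Hardened forwarder: the copy length must not exceed the length recorded
 * in the scatter-gather element nor the destination. Returns 0 on success,
 * -1 when the request would over-read the source or over-write dst. */
int forward_event(const rmc_msg_t *src, size_t copy_len,
                  void *dst, size_t dst_len) {
    const rmc_sg_t *sg = &src->sg_list[0];
    if (src->sg_cnt < 1 || copy_len > sg->len || copy_len > dst_len)
        return -1;
    memcpy(dst, sg->buf, copy_len);
    return 0;
}

/* Tries both copy sizes from the thread against a cshare-sized message.
 * Returns 1 when the sizeof()-based copy is rejected and the len-based
 * copy succeeds, 0 otherwise. */
int demo(void) {
    rmc_msg_t *msg = alloc_msg(cshare_event_size());
    if (msg == NULL) return 0;
    nfx_eventMsg_t *ev = msg->sg_list[0].buf;
    ev->eventId = 36;                       /* eventId seen in frame #10 */
    strcpy(ev->param.cshareEvent.name, "share1");   /* constructed sample */
    unsigned char dst[sizeof(nfx_eventMsg_t)];
    int buggy = forward_event(msg, sizeof(nfx_eventMsg_t), dst, sizeof dst);
    int fixed = forward_event(msg, msg->sg_list[0].len, dst, sizeof dst);
    free(msg);
    return buggy == -1 && fixed == 0;
}

int main(void) {
    printf("allocated %zu, sizeof %zu, over-read %zu bytes\n", cshare_event_size(),
           sizeof(nfx_eventMsg_t),
           overread_bytes(sizeof(nfx_eventMsg_t), cshare_event_size()));
    return demo() ? 0 : 1;
}
```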
