Date: Tue, 14 Aug 2007 18:23:53 -0400 From: Randall Stewart <rrs@cisco.com> To: =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= <des@des.no> Cc: bushman@freebsd.org, Dave Jones <davej@codemonkey.org.uk>, rrs@freebsd.org, freebsd-hackers@freebsd.org Subject: Re: memset bugs. Message-ID: <46C22B79.5010306@cisco.com> In-Reply-To: <86mywt22te.fsf@ds4.des.no> References: <20070814194950.GA19943@redhat.com> <86mywt22te.fsf@ds4.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for the pointer...
Julian and Sam also sent this to me on the SCTP side.
The local CVS repository on lakerest.net now has this fix
in it.. and others... I have added this to the queue to
go in to patchset 15.. (I am still waiting on re for patchset 14).
R
Dag-Erling Smørgrav wrote:
> Dave Jones <davej@codemonkey.org.uk> writes:
>
>>A grep I crafted to pick up on some common bugs happened upon
>>a copy of the FreeBSD CVS tree that I happened to have handy
>>and found the bugs below where the 2nd & 3rd arguments to
>>memset calls have been swapped.
>>[...]
>>--- src/sys/netinet/sctp_output.c~ 2007-08-14 15:44:11.000000000 -0400
>>+++ src/sys/netinet/sctp_output.c 2007-08-14 15:44:27.000000000 -0400
>>@@ -6331,7 +6331,7 @@ out_gu:
>> rcv_flags |= SCTP_DATA_UNORDERED;
>> }
>> /* clear out the chunk before setting up */
>>- memset(chk, sizeof(*chk), 0);
>>+ memset(chk, 0, sizeof(*chk));
>> chk->rec.data.rcv_flags = rcv_flags;
>> if (SCTP_BUF_IS_EXTENDED(sp->data)) {
>> chk->copy_by_ref = 1;
>
>
> Pointy hat to rrs@.
>
>
>>--- src/usr.sbin/nscd/agents/services.c~ 2007-08-14 15:44:33.000000000 -0400
>>+++ src/usr.sbin/nscd/agents/services.c 2007-08-14 15:44:41.000000000 -0400
>>@@ -171,7 +171,7 @@ services_lookup_func(const char *key, si
>> if (size > 0) {
>> proto = (char *)malloc(size + 1);
>> assert(proto != NULL);
>>- memset(proto, size + 1, 0);
>>+ memset(proto, 0, size + 1);
>> memcpy(proto, key + sizeof(enum nss_lookup_type) +
>> sizeof(int), size);
>> }
>>--- src/usr.sbin/cached/agents/services.c~ 2007-08-14 15:44:45.000000000 -0400
>>+++ src/usr.sbin/cached/agents/services.c 2007-08-14 15:44:52.000000000 -0400
>>@@ -171,7 +171,7 @@ services_lookup_func(const char *key, si
>> if (size > 0) {
>> proto = (char *)malloc(size + 1);
>> assert(proto != NULL);
>>- memset(proto, size + 1, 0);
>>+ memset(proto, 0, size + 1);
>> memcpy(proto, key + sizeof(enum nss_lookup_type) +
>> sizeof(int), size);
>> }
>
>
> These two are actually the same file - cached is in the process of being
> renamed to nscd. Pointy hat to bushman@.
>
>
>
>>--- src/contrib/gdb/gdb/std-regs.c~ 2007-08-14 15:44:56.000000000 -0400
>>+++ src/contrib/gdb/gdb/std-regs.c 2007-08-14 15:45:22.000000000 -0400
>>@@ -61,7 +61,7 @@ value_of_builtin_frame_reg (struct frame
>> val = allocate_value (builtin_type_frame_reg);
>> VALUE_LVAL (val) = not_lval;
>> buf = VALUE_CONTENTS_RAW (val);
>>- memset (buf, TYPE_LENGTH (VALUE_TYPE (val)), 0);
>>+ memset (buf, 0, TYPE_LENGTH (VALUE_TYPE (val)));
>> /* frame.base. */
>> if (frame != NULL)
>> ADDRESS_TO_POINTER (builtin_type_void_data_ptr, buf,
>>@@ -87,7 +87,7 @@ value_of_builtin_frame_fp_reg (struct fr
>> struct value *val = allocate_value (builtin_type_void_data_ptr);
>> char *buf = VALUE_CONTENTS_RAW (val);
>> if (frame == NULL)
>>- memset (buf, TYPE_LENGTH (VALUE_TYPE (val)), 0);
>>+ memset (buf, 0, TYPE_LENGTH (VALUE_TYPE (val)));
>> else
>> ADDRESS_TO_POINTER (builtin_type_void_data_ptr, buf,
>> get_frame_base_address (frame));
>>@@ -105,7 +105,7 @@ value_of_builtin_frame_pc_reg (struct fr
>> struct value *val = allocate_value (builtin_type_void_data_ptr);
>> char *buf = VALUE_CONTENTS_RAW (val);
>> if (frame == NULL)
>>- memset (buf, TYPE_LENGTH (VALUE_TYPE (val)), 0);
>>+ memset (buf, 0, TYPE_LENGTH (VALUE_TYPE (val)));
>> else
>> ADDRESS_TO_POINTER (builtin_type_void_data_ptr, buf,
>> get_frame_pc (frame));
>>--- src/contrib/gdb/gdb/remote.c~ 2007-08-14 15:45:25.000000000 -0400
>>+++ src/contrib/gdb/gdb/remote.c 2007-08-14 15:45:37.000000000 -0400
>>@@ -3463,7 +3463,7 @@ remote_store_registers (int regnum)
>> {
>> int i;
>> regs = alloca (rs->sizeof_g_packet);
>>- memset (regs, rs->sizeof_g_packet, 0);
>>+ memset (regs, 0, rs->sizeof_g_packet);
>> for (i = 0; i < NUM_REGS + NUM_PSEUDO_REGS; i++)
>> {
>> struct packet_reg *r = &rs->regs[i];
>
>
> These should go upstream to the gdb maintainers (bug-gdb@gnu.org).
>
> DES
--
Randall Stewart
NSSTG - Cisco Systems Inc.
803-345-0369 <or> 803-317-4952 (cell)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46C22B79.5010306>