From owner-freebsd-hackers@FreeBSD.ORG  Tue Aug 14 22:52:11 2007
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A04C116A417;
	Tue, 14 Aug 2007 22:52:11 +0000 (UTC) (envelope-from rrs@cisco.com)
Received: from sj-iport-1.cisco.com (sj-iport-1-in.cisco.com [171.71.176.70])
	by mx1.freebsd.org (Postfix) with ESMTP id 78A8213C45D;
	Tue, 14 Aug 2007 22:52:11 +0000 (UTC) (envelope-from rrs@cisco.com)
Received: from sj-dkim-4.cisco.com ([171.71.179.196])
	by sj-iport-1.cisco.com with ESMTP; 14 Aug 2007 15:23:42 -0700
X-IronPort-AV: i="4.19,261,1183359600"; 
	d="scan'208"; a="13464393:sNHT26084082"
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238])
	by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id l7EMNfnr015302; 
	Tue, 14 Aug 2007 15:23:41 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com
	[128.107.191.63])
	by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id l7EMNdiX024675;
	Tue, 14 Aug 2007 22:23:40 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by
	xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); 
	Tue, 14 Aug 2007 15:23:30 -0700
Received: from [127.0.0.1] ([171.68.225.134]) by xfe-sjc-211.amer.cisco.com
	with Microsoft SMTPSVC(6.0.3790.1830); 
	Tue, 14 Aug 2007 15:23:30 -0700
Message-ID: <46C22B79.5010306@cisco.com>
Date: Tue, 14 Aug 2007 18:23:53 -0400
From: Randall Stewart <rrs@cisco.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.13) Gecko/20070601
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= <des@des.no>
References: <20070814194950.GA19943@redhat.com> <86mywt22te.fsf@ds4.des.no>
In-Reply-To: <86mywt22te.fsf@ds4.des.no>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 14 Aug 2007 22:23:30.0481 (UTC)
	FILETIME=[BE390210:01C7DEC1]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4285; t=1187130221;
	x=1187994221; c=relaxed/simple; s=sjdkim4002;
	h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;
	d=cisco.com; i=rrs@cisco.com;
	z=From:=20Randall=20Stewart=20<rrs@cisco.com>
	|Subject:=20Re=3A=20memset=20bugs. |Sender:=20;
	bh=kbv1LUgQvomGnOGuvWePTCVHr0gOtDw6nISlUzEWaOU=;
	b=VfMSZtamkSI4dkNdsr6is3irYyAXBZZ4YSld074gtGLGV6QdAf5yl3v6f2eAwCtA2ca2+snj
	4dA6GzeeXWxeqERxO9d35267TJmiTbo+L/4qgVuO4wVM7PaafjG9S/zr;
Authentication-Results: sj-dkim-4; header.From=rrs@cisco.com; dkim=pass (sig
	from cisco.com/sjdkim4002 verified; ); 
X-Mailman-Approved-At: Wed, 15 Aug 2007 00:48:06 +0000
Cc: bushman@freebsd.org, Dave Jones <davej@codemonkey.org.uk>, rrs@freebsd.org,
	freebsd-hackers@freebsd.org
Subject: Re: memset bugs.
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2007 22:52:11 -0000


Thanks for the pointer...

Julian and Sam also sent this to me on the SCTP side.

The local CVS repository on lakerest.net now has this fix
in it.. and others... I have added this to the queue to
go in to patchset 15.. (I am still waiting on re for patchset 14).

R

Dag-Erling Smørgrav wrote:
> Dave Jones <davej@codemonkey.org.uk> writes:
> 
>>A grep I crafted to pick up on some common bugs happened upon
>>a copy of the FreeBSD CVS tree that I happened to have handy
>>and found the bugs below where the 2nd & 3rd arguments to
>>memset calls have been swapped.
>>[...]
>>--- src/sys/netinet/sctp_output.c~	2007-08-14 15:44:11.000000000 -0400
>>+++ src/sys/netinet/sctp_output.c	2007-08-14 15:44:27.000000000 -0400
>>@@ -6331,7 +6331,7 @@ out_gu:
>> 		rcv_flags |= SCTP_DATA_UNORDERED;
>> 	}
>> 	/* clear out the chunk before setting up */
>>-	memset(chk, sizeof(*chk), 0);
>>+	memset(chk, 0, sizeof(*chk));
>> 	chk->rec.data.rcv_flags = rcv_flags;
>> 	if (SCTP_BUF_IS_EXTENDED(sp->data)) {
>> 		chk->copy_by_ref = 1;
> 
> 
> Pointy hat to rrs@.
> 
> 
>>--- src/usr.sbin/nscd/agents/services.c~	2007-08-14 15:44:33.000000000 -0400
>>+++ src/usr.sbin/nscd/agents/services.c	2007-08-14 15:44:41.000000000 -0400
>>@@ -171,7 +171,7 @@ services_lookup_func(const char *key, si
>> 		if (size > 0) {
>> 			proto = (char *)malloc(size + 1);
>> 			assert(proto != NULL);
>>-			memset(proto, size + 1, 0);
>>+			memset(proto, 0, size + 1);
>> 			memcpy(proto, key + sizeof(enum nss_lookup_type) +
>> 				sizeof(int), size);
>> 		}
>>--- src/usr.sbin/cached/agents/services.c~	2007-08-14 15:44:45.000000000 -0400
>>+++ src/usr.sbin/cached/agents/services.c	2007-08-14 15:44:52.000000000 -0400
>>@@ -171,7 +171,7 @@ services_lookup_func(const char *key, si
>> 		if (size > 0) {
>> 			proto = (char *)malloc(size + 1);
>> 			assert(proto != NULL);
>>-			memset(proto, size + 1, 0);
>>+			memset(proto, 0, size + 1);
>> 			memcpy(proto, key + sizeof(enum nss_lookup_type) +
>> 				sizeof(int), size);
>> 		}
> 
> 
> These two are actually the same file - cached is in the process of being
> renamed to nscd.  Pointy hat to bushman@.
> 
> 
> 
>>--- src/contrib/gdb/gdb/std-regs.c~	2007-08-14 15:44:56.000000000 -0400
>>+++ src/contrib/gdb/gdb/std-regs.c	2007-08-14 15:45:22.000000000 -0400
>>@@ -61,7 +61,7 @@ value_of_builtin_frame_reg (struct frame
>>   val = allocate_value (builtin_type_frame_reg);
>>   VALUE_LVAL (val) = not_lval;
>>   buf = VALUE_CONTENTS_RAW (val);
>>-  memset (buf, TYPE_LENGTH (VALUE_TYPE (val)), 0);
>>+  memset (buf, 0, TYPE_LENGTH (VALUE_TYPE (val)));
>>   /* frame.base.  */
>>   if (frame != NULL)
>>     ADDRESS_TO_POINTER (builtin_type_void_data_ptr, buf,
>>@@ -87,7 +87,7 @@ value_of_builtin_frame_fp_reg (struct fr
>>       struct value *val = allocate_value (builtin_type_void_data_ptr);
>>       char *buf = VALUE_CONTENTS_RAW (val);
>>       if (frame == NULL)
>>-	memset (buf, TYPE_LENGTH (VALUE_TYPE (val)), 0);
>>+	memset (buf, 0, TYPE_LENGTH (VALUE_TYPE (val)));
>>       else
>> 	ADDRESS_TO_POINTER (builtin_type_void_data_ptr, buf,
>> 			    get_frame_base_address (frame));
>>@@ -105,7 +105,7 @@ value_of_builtin_frame_pc_reg (struct fr
>>       struct value *val = allocate_value (builtin_type_void_data_ptr);
>>       char *buf = VALUE_CONTENTS_RAW (val);
>>       if (frame == NULL)
>>-	memset (buf, TYPE_LENGTH (VALUE_TYPE (val)), 0);
>>+	memset (buf, 0, TYPE_LENGTH (VALUE_TYPE (val)));
>>       else
>> 	ADDRESS_TO_POINTER (builtin_type_void_data_ptr, buf,
>> 			    get_frame_pc (frame));
>>--- src/contrib/gdb/gdb/remote.c~	2007-08-14 15:45:25.000000000 -0400
>>+++ src/contrib/gdb/gdb/remote.c	2007-08-14 15:45:37.000000000 -0400
>>@@ -3463,7 +3463,7 @@ remote_store_registers (int regnum)
>>   {
>>     int i;
>>     regs = alloca (rs->sizeof_g_packet);
>>-    memset (regs, rs->sizeof_g_packet, 0);
>>+    memset (regs, 0, rs->sizeof_g_packet);
>>     for (i = 0; i < NUM_REGS + NUM_PSEUDO_REGS; i++)
>>       {
>> 	struct packet_reg *r = &rs->regs[i];
> 
> 
> These should go upstream to the gdb maintainers (bug-gdb@gnu.org).
> 
> DES


-- 
Randall Stewart
NSSTG - Cisco Systems Inc.
803-345-0369 <or> 803-317-4952 (cell)