Possible bug

Anonymous
2017-08-29
  • Anonymous

    Anonymous - 2017-08-29

    Hi
    There is a type mixing in function "createUriTableEntry" for the local "pfxEntryId". It is used as an argument in "addPfxEntry", where type "SmallIndex" is ok, but after that it is forwarded to "addEmptyDynEntry", where "SmallIndex" is mixed with the "Index" type. As a result the local stack is corrupted.

  • Rumen Kyusakov

    Rumen Kyusakov - 2017-09-03

    Hi,

    Can you explain a bit more? Function addPfxEntry() takes a pointer to SmallIndex, not a SmallIndex value. Function addEmptyDynEntry() takes an Index pointer, so passing a SmallIndex pointer should be fine.
    In addEmptyDynEntry() the value pointed to by pfxEntryId (SmallIndex) is assigned some Index value - the worst case you can get is integer overflow, but not stack corruption. This should not happen either, as
    the number of prefixes is usually super small. Am I missing something?

    Best regards,
    Rumen

  • Anonymous

    Anonymous - 2017-09-07

    Hi
    The problem is that in addEmptyDynEntry() the pointer pfxEntryId (SmallIndex) is forwarded to the Index pointer in function addEmptyDynEntry(). So it is not the value pointed to by pfxEntryId that is used as the addEmptyDynEntry() argument; actually the pointer pfxEntryId itself is used. Stack corruption after that is clear because of pointer type mixing, u16 instead of u32.

    Regards
    Nikola Georgiev

  • Anonymous

    Anonymous - 2017-09-07

    Hi
    A little bit more clarification. Actually, in function addEmptyDynEntry(...Index * entryID) pfxEntryId is already recognized as an Index type pointer because of the argument list.
    So the value wrongly pointed to as Index (actually it is a SmallIndex) is assigned to something.

    Best regards
    Nikola

  • Rumen Kyusakov

    Rumen Kyusakov - 2017-09-10

    Hi Nikola,

    Thanks for the clarifications! Your last comment opened my eyes :)
    What is happening in the end is that sizeof(Index) bytes (e.g. 4) are written over sizeof(SmallIndex) bytes (e.g. 2), so in this case 2 bytes from the stack are corrupted.

    Very nasty bug, I would say. There were not that many times I used different types for Index and SmallIndex, so therefore I had not hit the issue before.
    Here is a link to the bug report:
    https://sourceforge.net/p/exip/bugs/19/

    Thanks & best regards,
    Rumen

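The defect the thread converges on, reproduced as an added example (not code from the exip project): a SmallIndex local is handed to a routine that stores a full Index through its pointer, so the extra bytes land on the neighbouring stack slot, beside the corrected shape that narrows through a full-width temporary with a range check. The type widths (uint16_t/uint32_t), the SENTINEL value and the `storeIndex` helper are assumptions for the demo.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Stand-ins for the two index types (assumed widths: the thread only says
 * they differ, e.g. 2 and 4 bytes). */
typedef uint16_t SmallIndex;
typedef uint32_t Index;

typedef struct {
    SmallIndex pfxEntryId;   /* the 2-byte local that receives the id        */
    SmallIndex neighbour;    /* whatever happens to sit next to it on stack  */
    int status;              /* 0 = ok, -1 = value too large for SmallIndex  */
} Result;

#define SENTINEL 0xABCDu     /* constructed marker so a spill is observable */

/* Emulates the sizeof(Index)-byte store that addEmptyDynEntry() performs
 * through its Index* parameter. memcpy keeps the demo well-defined; the real
 * code does a plain "*entryId = value". */
static void storeIndex(void *dst, Index value) { memcpy(dst, &value, sizeof value); }

/* Buggy shape from the thread: the address of a SmallIndex is passed where an
 * Index* is expected, so 4 bytes are written into a 2-byte slot. */
Result buggy_assign(Index value)
{
    struct { SmallIndex pfxEntryId; SmallIndex neighbour; } frame = { 0, SENTINEL };
    storeIndex(&frame.pfxEntryId, value);          /* 2 bytes spill into neighbour */
    Result r = { frame.pfxEntryId, frame.neighbour, 0 };
    return r;
}

/* Corrected shape: receive the value in a correctly sized Index temporary and
 * narrow explicitly, refusing values that do not fit. */
Result fixed_assign(Index value)
{
    struct { SmallIndex pfxEntryId; SmallIndex neighbour; } frame = { 0, SENTINEL };
    Index tmp = 0;
    storeIndex(&tmp, value);                       /* full-width slot, no spill */
    Result r = { 0, 0, 0 };
    if (tmp > UINT16_MAX) r.status = -1;           /* would silently truncate */
    else frame.pfxEntryId = (SmallIndex)tmp;
    r.pfxEntryId = frame.pfxEntryId;
    r.neighbour = frame.neighbour;
    return r;
}

int main(void)
{
    Result b = buggy_assign(7), f = fixed_assign(7);
    printf("buggy: id=%u neighbour=0x%04X (sentinel 0x%04X)\n",
           (unsigned)b.pfxEntryId, (unsigned)b.neighbour, SENTINEL);
    printf("fixed: id=%u neighbour=0x%04X status=%d\n",
           (unsigned)f.pfxEntryId, (unsigned)f.neighbour, f.status);
    return 0;
}
```

In the real code the SmallIndex*-to-Index* conversion is exactly what gcc flags with -Wincompatible-pointer-types (an error by default since GCC 14); the `void *` parameter in `storeIndex` deliberately hides that diagnostic so the runtime effect can be shown.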