
#3325 log: Invalid read is detected

5.23.03
fixed
None
defect
log
d
major
False
2022-11-28
2022-11-25
No

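These invalid reads were reported by valgrind. In every report the faulting access is a memcpy called from DestinationHandler::FormCfgDestMsg (lgs_dest.cc:202) or DestinationHandler::FormDelDestMsg (lgs_dest.cc:209). The reported addresses lie in already-freed blocks or at the end of the 128-byte vector storage allocated by logutil::Parser, which suggests the copy length exceeds the size of its source.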

==262== Invalid read of size 8
==262==    at 0x15ADB3: memcpy (string_fortified.h:34)
==262==    by 0x15ADB3: DestinationHandler::FormCfgDestMsg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, DestinationHandler::CfgDestMsg*) (lgs_dest.cc:202)
==262==    by 0x15BE0D: DestinationHandler::AddDestConfig(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (lgs_dest.cc:224)
==262==    by 0x15CDFC: DestinationHandler::ProcessCfgChange(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:318)
==262==    by 0x15CF28: CfgDestination(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:363)
==262==    by 0x13E27D: apply_config_destinations_change (lgs_imm.cc:2029)
==262==    by 0x13E27D: config_ccb_apply_modify(CcbUtilOperationData const*) [clone .isra.0] (lgs_imm.cc:2171)
==262==    by 0x13E5EB: config_ccb_apply(CcbUtilOperationData const*) (lgs_imm.cc:2212)
==262==    by 0x13E774: ccbApplyCallback(unsigned long long, unsigned long long) (lgs_imm.cc:2651)
==262==    by 0x48F4883: imma_process_callback_info(imma_cb*, imma_client_node*, imma_callback_info*, unsigned long long) (imma_proc.cc:2539)
==262==    by 0x48F6B20: imma_hdl_callbk_dispatch_all(imma_cb*, unsigned long long) (imma_proc.cc:1868)
==262==    by 0x48EADA3: saImmOiDispatch (imma_oi_api.cc:642)
==262==    by 0x11E35E: main (lgs_main.cc:637)
==262==  Address 0x5206657 is 55 bytes inside a block of size 672 free'd
==262==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==262==    by 0x12963E: lgs_process_mbx(unsigned int*) (lgs_evt.cc:1482)
==262==    by 0x11E3A3: main (lgs_main.cc:634)
==262==  Block was alloc'd at
==262==    at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==262==    by 0x14B525: mds_dec(ncsmds_callback_info*) (lgs_mds.cc:873)
==262==    by 0x14B858: mds_dec_flat(ncsmds_callback_info*) (lgs_mds.cc:973)
==262==    by 0x4972596: mds_mcm_do_decode_full_or_flat.isra.0 (mds_c_sndrcv.c:5683)
==262==    by 0x49743C7: mds_mcm_process_recv_snd_msg_common (mds_c_sndrcv.c:4956)
==262==    by 0x49746FA: mcm_recv_red_bcast (mds_c_sndrcv.c:5185)
==262==    by 0x49746FA: mds_mcm_ll_data_rcv (mds_c_sndrcv.c:4830)
==262==    by 0x497A1C3: mdtm_process_recv_message_common (mds_dt_common.c:575)
==262==    by 0x497A5B8: mdtm_process_recv_data (mds_dt_common.c:1125)
==262==    by 0x49851C7: mdtm_process_recv_events (mds_dt_tipc.c:1144)
==262==    by 0x4BC1608: start_thread (pthread_create.c:477)
==262==    by 0x4CFB132: clone (clone.S:95)
==262== 
==262== Invalid read of size 8
==262==    at 0x15ADCD: memcpy (string_fortified.h:34)
==262==    by 0x15ADCD: DestinationHandler::FormCfgDestMsg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, DestinationHandler::CfgDestMsg*) (lgs_dest.cc:202)
==262==    by 0x15BE0D: DestinationHandler::AddDestConfig(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (lgs_dest.cc:224)
==262==    by 0x15CDFC: DestinationHandler::ProcessCfgChange(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:318)
==262==    by 0x15CF28: CfgDestination(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:363)
==262==    by 0x13E27D: apply_config_destinations_change (lgs_imm.cc:2029)
==262==    by 0x13E27D: config_ccb_apply_modify(CcbUtilOperationData const*) [clone .isra.0] (lgs_imm.cc:2171)
==262==    by 0x13E5EB: config_ccb_apply(CcbUtilOperationData const*) (lgs_imm.cc:2212)
==262==    by 0x13E774: ccbApplyCallback(unsigned long long, unsigned long long) (lgs_imm.cc:2651)
==262==    by 0x48F4883: imma_process_callback_info(imma_cb*, imma_client_node*, imma_callback_info*, unsigned long long) (imma_proc.cc:2539)
==262==    by 0x48F6B20: imma_hdl_callbk_dispatch_all(imma_cb*, unsigned long long) (imma_proc.cc:1868)
==262==    by 0x48EADA3: saImmOiDispatch (imma_oi_api.cc:642)
==262==    by 0x11E35E: main (lgs_main.cc:637)
==262==  Address 0x520658a is 122 bytes inside a block of size 128 alloc'd
==262==    at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==262==    by 0x126923: allocate (new_allocator.h:114)
==262==    by 0x126923: allocate (alloc_traits.h:443)
==262==    by 0x126923: _M_allocate (stl_vector.h:343)
==262==    by 0x126923: void std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::_M_realloc_insert<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(__gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (vector.tcc:440)
==262==    by 0x158FFD: push_back (stl_vector.h:1195)
==262==    by 0x158FFD: logutil::Parser(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (lgs_util.cc:857)
==262==    by 0x15ACDC: DestinationHandler::FormCfgDestMsg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, DestinationHandler::CfgDestMsg*) (lgs_dest.cc:197)
==262==    by 0x15BE0D: DestinationHandler::AddDestConfig(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (lgs_dest.cc:224)
==262==    by 0x15CDFC: DestinationHandler::ProcessCfgChange(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:318)
==262==    by 0x15CF28: CfgDestination(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:363)
==262==    by 0x13E27D: apply_config_destinations_change (lgs_imm.cc:2029)
==262==    by 0x13E27D: config_ccb_apply_modify(CcbUtilOperationData const*) [clone .isra.0] (lgs_imm.cc:2171)
==262==    by 0x13E5EB: config_ccb_apply(CcbUtilOperationData const*) (lgs_imm.cc:2212)
==262==    by 0x13E774: ccbApplyCallback(unsigned long long, unsigned long long) (lgs_imm.cc:2651)
==262==    by 0x48F4883: imma_process_callback_info(imma_cb*, imma_client_node*, imma_callback_info*, unsigned long long) (imma_proc.cc:2539)
==262==    by 0x48F6B20: imma_hdl_callbk_dispatch_all(imma_cb*, unsigned long long) (imma_proc.cc:1868)
==262== 
==262== Invalid read of size 8
==262==    at 0x15ABC2: memcpy (string_fortified.h:34)
==262==    by 0x15ABC2: DestinationHandler::FormDelDestMsg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, DestinationHandler::DelDestMsg*) (lgs_dest.cc:209)
==262==    by 0x15C85B: DestinationHandler::DelDestConfig(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (lgs_dest.cc:247)
==262==    by 0x15CE86: DestinationHandler::ProcessCfgChange(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:322)
==262==    by 0x15CF28: CfgDestination(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:363)
==262==    by 0x13E3C5: apply_config_destinations_change (lgs_imm.cc:2036)
==262==    by 0x13E3C5: config_ccb_apply_modify(CcbUtilOperationData const*) [clone .isra.0] (lgs_imm.cc:2171)
==262==    by 0x13E5EB: config_ccb_apply(CcbUtilOperationData const*) (lgs_imm.cc:2212)
==262==    by 0x13E774: ccbApplyCallback(unsigned long long, unsigned long long) (lgs_imm.cc:2651)
==262==    by 0x48F4883: imma_process_callback_info(imma_cb*, imma_client_node*, imma_callback_info*, unsigned long long) (imma_proc.cc:2539)
==262==    by 0x48F6B20: imma_hdl_callbk_dispatch_all(imma_cb*, unsigned long long) (imma_proc.cc:1868)
==262==    by 0x48EADA3: saImmOiDispatch (imma_oi_api.cc:642)
==262==    by 0x11E35E: main (lgs_main.cc:637)
==262==  Address 0x796c017 is 9 bytes before a block of size 384 free'd
==262==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==262==    by 0x48F47D9: imma_process_callback_info(imma_cb*, imma_client_node*, imma_callback_info*, unsigned long long) (imma_proc.cc:3458)
==262==    by 0x48F6B20: imma_hdl_callbk_dispatch_all(imma_cb*, unsigned long long) (imma_proc.cc:1868)
==262==    by 0x48EADA3: saImmOiDispatch (imma_oi_api.cc:642)
==262==    by 0x11E35E: main (lgs_main.cc:637)
==262==  Block was alloc'd at
==262==    at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==262==    by 0x48F33C4: imma_proc_ccb_abort (imma_proc.cc:976)
==262==    by 0x48F33C4: imma_process_evt(imma_cb*, immsv_evt*) (imma_proc.cc:1528)
==262==    by 0x48E5B4C: imma_mds_rcv (imma_mds.cc:374)
==262==    by 0x48E5B4C: imma_mds_callback(ncsmds_callback_info*) (imma_mds.cc:217)
==262==    by 0x49742A7: mds_mcm_process_recv_snd_msg_common (mds_c_sndrcv.c:5082)
==262==    by 0x49746FA: mcm_recv_red_bcast (mds_c_sndrcv.c:5185)
==262==    by 0x49746FA: mds_mcm_ll_data_rcv (mds_c_sndrcv.c:4830)
==262==    by 0x497A1C3: mdtm_process_recv_message_common (mds_dt_common.c:575)
==262==    by 0x497A5B8: mdtm_process_recv_data (mds_dt_common.c:1125)
==262==    by 0x49851C7: mdtm_process_recv_events (mds_dt_tipc.c:1144)
==262==    by 0x4BC1608: start_thread (pthread_create.c:477)
==262==    by 0x4CFB132: clone (clone.S:95)
==262== 
==262== Invalid read of size 8
==262==    at 0x15ABE1: memcpy (string_fortified.h:34)
==262==    by 0x15ABE1: DestinationHandler::FormDelDestMsg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, DestinationHandler::DelDestMsg*) (lgs_dest.cc:209)
==262==    by 0x15C85B: DestinationHandler::DelDestConfig(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (lgs_dest.cc:247)
==262==    by 0x15CE86: DestinationHandler::ProcessCfgChange(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:322)
==262==    by 0x15CF28: CfgDestination(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:363)
==262==    by 0x13E3C5: apply_config_destinations_change (lgs_imm.cc:2036)
==262==    by 0x13E3C5: config_ccb_apply_modify(CcbUtilOperationData const*) [clone .isra.0] (lgs_imm.cc:2171)
==262==    by 0x13E5EB: config_ccb_apply(CcbUtilOperationData const*) (lgs_imm.cc:2212)
==262==    by 0x13E774: ccbApplyCallback(unsigned long long, unsigned long long) (lgs_imm.cc:2651)
==262==    by 0x48F4883: imma_process_callback_info(imma_cb*, imma_client_node*, imma_callback_info*, unsigned long long) (imma_proc.cc:2539)
==262==    by 0x48F6B20: imma_hdl_callbk_dispatch_all(imma_cb*, unsigned long long) (imma_proc.cc:1868)
==262==    by 0x48EADA3: saImmOiDispatch (imma_oi_api.cc:642)
==262==    by 0x11E35E: main (lgs_main.cc:637)
==262==  Address 0x796bf90 is 0 bytes after a block of size 128 alloc'd
==262==    at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==262==    by 0x126923: allocate (new_allocator.h:114)
==262==    by 0x126923: allocate (alloc_traits.h:443)
==262==    by 0x126923: _M_allocate (stl_vector.h:343)
==262==    by 0x126923: void std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::_M_realloc_insert<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(__gnu_cxx::__normal_iterator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (vector.tcc:440)
==262==    by 0x158FFD: push_back (stl_vector.h:1195)
==262==    by 0x158FFD: logutil::Parser(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (lgs_util.cc:857)
==262==    by 0x15AB9C: DestinationHandler::FormDelDestMsg(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, DestinationHandler::DelDestMsg*) (lgs_dest.cc:208)
==262==    by 0x15C85B: DestinationHandler::DelDestConfig(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) (lgs_dest.cc:247)
==262==    by 0x15CE86: DestinationHandler::ProcessCfgChange(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:322)
==262==    by 0x15CF28: CfgDestination(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, ModifyType) (lgs_dest.cc:363)
==262==    by 0x13E3C5: apply_config_destinations_change (lgs_imm.cc:2036)
==262==    by 0x13E3C5: config_ccb_apply_modify(CcbUtilOperationData const*) [clone .isra.0] (lgs_imm.cc:2171)
==262==    by 0x13E5EB: config_ccb_apply(CcbUtilOperationData const*) (lgs_imm.cc:2212)
==262==    by 0x13E774: ccbApplyCallback(unsigned long long, unsigned long long) (lgs_imm.cc:2651)
==262==    by 0x48F4883: imma_process_callback_info(imma_cb*, imma_client_node*, imma_callback_info*, unsigned long long) (imma_proc.cc:2539)
==262==    by 0x48F6B20: imma_hdl_callbk_dispatch_all(imma_cb*, unsigned long long) (imma_proc.cc:1868)

Related

Wiki: ChangeLog-5.23.03

Discussion

  • Thien Minh Huynh

    • status: accepted --> fixed
     
  • Thien Minh Huynh

    commit 2021d0c035d2989267ee8d0d8d826ddf53fc3201 (HEAD -> develop, origin/develop, ticket-3325)
    Author: thien.m.huynh thien.m.huynh@dektech.com.au
    Date: Fri Nov 25 13:12:42 2022 +0700

    log: fix invalid read [#3325]
    
    memcpy read from invalid memory that had not yet been initialized.
    The fix passes the correct size to memcpy.
    
     
