From: Matthias A. <gu...@un...> - 2014-07-29 06:15:35
On Monday, July 28, 2014 at 07:11:02AM -0700, John Reiser wrote:
> > ==17454== Conditional jump or move depends on uninitialised value(s)
> > ==17454== at 0x5921F10: strchrnul (in /lib/libc-2.11.3.so)
> > ==17454== by 0x58E55D6: vfprintf (in /lib/libc-2.11.3.so)
>
> > the involved functions are shown below; the statement in question (see below)
> > is
> >
> > sprintf (select_anw, sel_anw, name, name); <********* sisisinst.c:1397
> >
> > I have checked carefully the code and the 4 args to sprintf() are
> > all correctly defined on the stack; when I change the code to:
> >
> >
> > select_anw[0] = '\0';
> > sprintf (select_anw, sel_anw, name, name);
> >
> > then valgrind is happy, i.e., does not raise the messages any more;
>
> You say that all 4 args are on the stack. What are their actual addresses?
> Run with --db-attach=yes, say 'y' when asked, and use gdb to look around.
>
> One possibility is that sel_anw (the format string) has been overwritten
> because the string being built into select_anw (the buffer) has overflowed.
>
> Try changing the code to use
> snprintf(select_anw, LEN_SELECT, sel_anw, name, name);
> which is much safer.
Thanks for your hints. Before I change the code (yes, your proposal is
much safer), I will try to understand why valgrind is complaining;
I grabbed gdb and debugged through the code:
(gdb) where
#0 DB_rdir (tabmodul=0xf6a68170 <sisisinst>, key=2, scroll=1, lock=0, p_daten=0xffffc860) at dbcall.c:1834
#1 0xf6a4cc21 in DB_ChkVer () at dbcall.c:604
#2 0xf6a4d099 in DB_opdbP (mode=1) at dbcall.c:955
#3 0xf6a4cd3a in DB_opdb () at dbcall.c:654
#4 0x0804bf6a in InitVDaemon () at ZFLVDaemon.c:715
#5 0x0804baad in main (argc=1, argv=0xffffce14) at ZFLVDaemon.c:413
(gdb) p &sel_anw
$3 = (char (*)[1000]) 0xffffc3c0
sel_anw is an automatic char[1000] area and will now be initialized from
some static string 'SELECT1':
1885 strcpy(sel_anw, SELECT1);
(gdb)
1887 strcpy(where_anw, WHERE1);
(gdb)
'sel_anw' and 'where_anw' are both set correctly:
(gdb) p sel_anw
$4 = "SELECT rowid, %s.* from %s", '\000' <repeats 46 times> ...
(gdb) p where_anw
$5 = "%s = :v1", '\000' <repeats 24 times> ...
(gdb) p &sel_anw
$6 = (char (*)[1000]) 0xffffc3c0
(gdb) p &where_anw
$7 = (char (*)[5000]) 0xffffb030
the pointers are passed correctly to sisisinst() function:
(gdb) s
sisisinst (zugriff=1, scroll=1, lock=0, key=2, sto=-20000, p_daten=0xffffc860,
sel_anw=0xffffc3c0 "SELECT rowid, %s.* from %s", where_anw=0xffffb030 "%s = :v1", p_btw_daten=0x0,
order_by=0x0, auf_ab=0x0, group_by=0x0, having=0x0, into_temp=0x0, count=0xffffb02c) at sisisinst.c:799
933 case RDIR : db_ret = select_record(scroll, lock, key,
(gdb) s
and passed further to select_record() function:
Breakpoint 2, select_record (scroll=1, lock=0, key=2, sel_anw=0xffffc3c0 "SELECT rowid, %s.* from %s",
where_anw=0xffffb030 "%s = :v1", p_daten=0xf6ae04a0 <hrec_sisisinst>, i_between=0, p_oben=0xffffaf30,
order_by=0x0, auf_ab=0x0, group_by=0x0, having=0x0, into_temp=0x0, count=0xffffb02c) at sisisinst.c:1353
(gdb) p sel_anw
$8 = 0xffffc3c0 "SELECT rowid, %s.* from %s"
(gdb) p where_anw
$9 = 0xffffb030 "%s = :v1"
(gdb)
1396 char *name = TAB_SISISINST;
(gdb)
this is now the call to sprintf() which was identified by valgrind:
1397 sprintf (select_anw, sel_anw, name, name);
(gdb) p name
$10 = 0xf6ac8f3e "sisisinst"
(gdb) p sel_anw
$11 = 0xffffc3c0 "SELECT rowid, %s.* from %s"
(gdb) p &select_anw
$12 = (char (*)[5000]) 0xffff9ac0
now executing the sprintf() ...
(gdb) n
1401 switch (key)
the result is fine and the target buffer of sprintf(), the 'select_anw',
is correctly filled:
(gdb) p select_anw
$13 = "SELECT rowid, sisisinst.* from sisisinst", '\000' <repeats 536 times>, "ALTER SESSION SET NLS_LANGUAGE= 'GERMAN' NLS_TERRITORY= 'GERMANY' NLS_CURRENCY= '??' NLS_ISO_CURRENCY= 'GERMANY' NLS_NUMERIC_CHARACTERS= ',.' NLS_CALEN"...
(gdb) p &select_anw
$14 = (char (*)[5000]) 0xffff9ac0
All was fine. Why is valgrind complaining?
Thanks
matthias
--
Matthias Apitz               |  /"\ ASCII Ribbon Campaign:
E-mail: gu...@un...          |  \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X  - No proprietary attachments
phone: +49-170-4527211       |  / \ - Respect for open standards
                             |      en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
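As an added example (not code from the thread or from the project being debugged), John's bounded snprintf() suggestion carried through with the truncation check a caller needs: the build_select() helper, the LEN_SELECT value and the small buffer used to provoke the refused case are assumptions; the format string and table name are the ones shown in the gdb session above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for LEN_SELECT; the real value is not on the page. */
#define LEN_SELECT 5000

/* Build the SELECT statement into a bounded buffer (hypothetical helper).
 * Returns the number of characters written (excluding the NUL) on success,
 * or -1 if the expansion would not fit, i.e. exactly the case in which the
 * original unbounded sprintf() would run past the end of select_anw and
 * clobber whatever sits next to it on the stack (possibly the format
 * string itself, as John's reply suggests). */
int build_select(char *select_anw, size_t cap, const char *sel_anw, const char *name)
{
    int n;

    if (cap == 0)
        return -1;
    select_anw[0] = '\0';      /* callers never see an unterminated buffer */
    n = snprintf(select_anw, cap, sel_anw, name, name);
    if (n < 0 || (size_t)n >= cap) {
        select_anw[0] = '\0';  /* truncated: discard the partial statement */
        return -1;
    }
    return n;
}

int main(void)
{
    char select_anw[LEN_SELECT];
    char tiny[16];                                        /* constructed: too small */
    const char *sel_anw = "SELECT rowid, %s.* from %s";   /* format from the thread */
    const char *name = "sisisinst";                       /* TAB_SISISINST value from gdb */

    if (build_select(select_anw, sizeof select_anw, sel_anw, name) >= 0)
        printf("ok: %s\n", select_anw);
    if (build_select(tiny, sizeof tiny, sel_anw, name) < 0)
        printf("refused: %zu-byte buffer too small for the statement\n", sizeof tiny);
    return 0;
}
```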