Valgrind的给错误，但一切似乎罚款

Question

这一个看起来像我以前的帖子的副本，但它不是.....

这里Valgrind的给予以下错误：

udit@udit-Dabba ~/mec $ valgrind --leak-check=full 
sendip -v -p ipv6 -f file.txt -6s ::1 -p esp -es 0x20 -eq 0x40 
-ei z30 -eI z100 -p tcp -ts 21 -td 21 ::2 

==4331== Memcheck, a memory error detector 
==4331== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al. 
==4331== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info 
==4331== Command: sendip -v -p ipv6 -f file.txt -6s ::1 -p esp -es 0x20 
-eq 0x40 -ei z30 -eI z100 -p tcp -ts 21 -td 21 ::2 
==4331== 
esp 
Added 43 options 
Initializing module ipv6 
Initializing module esp 
Initializing module tcp 
==4331== Invalid write of size 4 
==4331== at 0x4027EB8: memcpy (mc_replace_strmem.c:635) 
==4331== by 0x4032269: do_opt (esp.c:113) 
==4331== by 0x804A51D: main (sendip.c:575) 
==4331== Address 0x41ceab0 is 144 bytes inside a block of size 146 alloc'd 
==4331== at 0x402699A: realloc (vg_replace_malloc.c:525) 
==4331== by 0x4032231: do_opt (esp.c:111) 
==4331== by 0x804A51D: main (sendip.c:575) 
==4331== 

valgrind: m_mallocfree.c:225 (mk_plain_bszB): Assertion 'bszB != 0' failed. 
valgrind: This is probably caused by your program erroneously writing past the 
end of a heap block and corrupting heap metadata. If you fix any 
invalid writes reported by Memcheck, this assertion failure will 
probably go away. Please try that before reporting this as a bug. 

==4331== at 0x380282BD: report_and_quit (m_libcassert.c:193) 
==4331== by 0x38028415: vgPlain_assert_fail (m_libcassert.c:267) 
==4331== by 0x380351E7: vgPlain_arena_malloc (m_mallocfree.c:225) 
==4331== by 0x380662C7: vgPlain_cli_malloc (replacemalloc_core.c:83) 
==4331== by 0x38001FA8: vgMemCheck_new_block (mc_malloc_wrappers.c:201) 
==4331== by 0x38002196: vgMemCheck_malloc (mc_malloc_wrappers.c:238) 
==4331== by 0x38068BF8: vgPlain_scheduler (scheduler.c:1394) 
==4331== by 0x3807A354: run_a_thread_NORETURN (syswrap-linux.c:94) 

sched status: 
running_tid=1 

Thread 1: status = VgTs_Runnable 
==4331== at 0x40268A4: malloc (vg_replace_malloc.c:236) 
==4331== by 0x4152415: gethostbyname2 (getXXbyYY.c:103) 
==4331== by 0x402CC68: set_addr (ipv6.c:33) 
==4331== by 0x804A642: main (sendip.c:594) 


Note: see also the FAQ in the source distribution. 
It contains workarounds to several common problems. 
In particular, if Valgrind aborted or crashed after 
identifying problems in your program, there's a good chance 
that fixing those problems will prevent Valgrind aborting or 
crashing, especially if it happened in m_mallocfree.c. 

If that doesn't help, please report this bug to: www.valgrind.org 

In the bug report, send all the above text, the valgrind 
version, and what OS and version you are using. Thanks. 

ESP。 ç（号线113）

case 'eI':  /* ICV data (variable length) */ 
        /* For right now, we will do either random generation 
        * or a user-provided string. We put it in the header, 
        * then move it into the trailer in finalize. 
        */ 
      length = stringargument(arg, &temp); 
      priv->icvlen = length; 
      pack->alloc_len += length; 
      pack->data = realloc(esp, pack->alloc_len); 
      esp = (esp_header *)pack->data;                    
     113:  
      memcpy(&esp->tail.ivicv[priv->ivlen],temp, priv->icvlen); 
      pack->modified |= ESP_MOD_ICV; 

这些是我想在调试可能有助于相应的头文件......

ip6.h

/* 
* authentication header 
*/ 
struct ip_auth_hdr { 
    u_int8_t nexthdr; 
    u_int8_t hdrlen;  /* This one is measured in 32 bit units! */ 
    u_int16_t reserved; 
    u_int32_t spi; 
    u_int32_t seq_no;  /* Sequence number */ 
    u_int8_t auth_data[0]; /* Variable len but >=4. Mind the 
           64 bit alignment! */ 
#define icv  auth_data  /* rfc 4302 name */ 
    /* TBD - high-order sequence number */ 

}; 

/* 
* encapsulated security payload header 
*/ 
struct ip_esp_hdr { 
    u_int32_t spi; 
    u_int32_t seq_no;  /* Sequence number */ 
    u_int8_t enc_data[0]; /* Variable len but >=8. Mind the 
          64 bit alignment! */ 
    }; 

esp.h

struct ip_esp_tail { 
    u_int8_t padlen;  /* padding is pushed before tail */ 
    u_int8_t nexthdr; 
    u_int32_t ivicv[0];  /* both IV and ICV, if any */ 
}; 

struct ip_esp_headtail { 
    struct ip_esp_hdr hdr; 
    struct ip_esp_tail tail; 
    }; 

    typedef struct ip_esp_headtail esp_header; 

    #define ESP_MIN_PADDING 4 

    typedef struct ip_esp_private { /* keep track of things privately */ 
    u_int32_t type;   /* type = IPPROTO_ESP */ 
    u_int32_t ivlen;  /* length of IV portion */ 
    u_int32_t icvlen;  /* length of ICV portion */ 
    u_int32_t keylen;  /* length of "key" (not transmitted data) */ 
    u_int32_t key[0];  /* key itself */ 
    } esp_private; 

    struct ip_auth_hdr { 
    u_int8_t nexthdr; 
    u_int8_t hdrlen;  /* This one is measured in 32 bit units! */ 
    u_int16_t reserved; 
    u_int32_t spi; 
    u_int32_t seq_no;  /* Sequence number */ 
    u_int8_t auth_data[0]; /* Variable len but >=4. Mind the 
           64 bit alignment! */ 
    #define icv  auth_data  /* rfc 4302 name */ 
    /* TBD - high-order sequence number */ 

    }; 

/* 
    * encapsulated security payload header 
    */ 
    struct ip_esp_hdr { 
    u_int32_t spi; 
    u_int32_t seq_no;  /* Sequence number */ 
    u_int8_t enc_data[0]; /* Variable len but >=8. Mind the 
          64 bit alignment! */ 
    }; 

如果有人获得任何线索，其中泄漏怎么回事???以及如何修补它？

Answer 1

正如克里斯说的valgrind告诉你，你的程序试图写入内存是分配的区域之外：

Invalid write of size 4 
    at 0x4027EB8: memcpy (mc_replace_strmem.c:635) 
    by 0x4032269: do_opt (esp.c:113) 
    by 0x804A51D: main (sendip.c:575) 
Address 0x41ceab0 is 144 bytes inside a block of size 146 alloc'd 
    at 0x402699A: realloc (vg_replace_malloc.c:525) 
    by 0x4032231: do_opt (esp.c:111) 
    by 0x804A51D: main (sendip.c:575) 

它会告诉你，在do_opt（在管线111文件esp.c ）你已经调用了realloc来分配146个字节的内存，现在函数memcpy试图从该内存块的开始144字节开始执行4字节的写操作，这将导致写入分配区域之外（144 + 4> 146）。它还告诉你memcpy是从do_opt函数中调用的。

因此，无论是分配给小内存还是在复制到内存时使用错误的偏移量。所以下一步就是检查valgrind报告的位置代码。

但是如果在查看代码时问题不明显该怎么办？

一个选项是使用valgrind的--db-attach option，它允许你输入gdb。这将允许你环顾四周，并检查诸如weather pack-> alloc_len是你期望的值，并且如果指向宫殿，你期望它与pack-> data相比较。 （这也可以通过添加printf打印这些值的经典方式来完成）。

下面是我的猜测的是什么问题，但如果你想尝试自己先弄清楚隐藏：

Maybe you are forgetting that ivicv is an uint32, and you have priv->ivlen measured in bytes. In that case changing it to &esp->tail.ivicv[priv->ivlen/sizeof(u_int32_t)] would help

Answer 2

==4331== Invalid write of size 4 
==4331== at 0x4027EB8: memcpy (mc_replace_strmem.c:635) 
==4331== by 0x4032269: do_opt (esp.c:113) 
==4331== by 0x804A51D: main (sendip.c:575) 
==4331== Address 0x41ceab0 is 144 bytes inside a block of size 146 alloc'd 
==4331== at 0x402699A: realloc (vg_replace_malloc.c:525) 
==4331== by 0x4032231: do_opt (esp.c:111) 
==4331== by 0x804A51D: main (sendip.c:575) 
==4331== 

这是告诉你，在线路113的memcpy调用试图写入4个字节，但是你给的地址是144个字节到146个字节的块，所以它的流失结束。