OMNeT++/OMNEST Bug Tracker - OMNeT++
View Issue Details
ID: 0000789
Project: OMNeT++
Category: simulation kernel
View Status: public
Date Submitted: 2014-11-25 18:43
Last Update: 2014-11-28 09:42
0000789: Bug in -- malloc(): memory corruption (fast)
There is a bug in the ini parser that leads to writing to memory after it has been freed. The problem is the pointer "Section *currentSection" (in file src/envir/) that points to an element of the vector "std::vector<Section> sections". Upon insertion of a new element into a vector, reallocation may occur and all pointers to elements may be invalidated and need to be updated, see [1]. Thus the pointer "currentSection" needs to be updated every time elements are added to "sections". In most cases this is done correctly. But not if the ini file includes another ini file using the "include" command.

If an ini file includes another ini file, the method "internalReadFile()" will recursively call itself. If the included ini file defines sections, they will be added to "sections", which invalidates pointers. The inner function "internalReadFile()" will update the pointer correctly. But when it terminates, the outer function "internalReadFile()" will continue using the old pointer "currentSection", which has become invalid.

The attached patch provides a simple fix. It will save the name of the current section before doing the recursive call. After the call it will get the valid pointer for that section name.

[1]
This bug can be reproduced by including an ini file in the upper part of the main ini file. There should be plenty of statements after the "include" statement. The included ini should define multiple sections, i.e. entries like [Config FooBar]. In my case it was eight sections.
The bug will let the program crash like this:

*** Error in `../src/Foo': malloc(): memory corruption (fast): 0x00007f516b1660e0 ***
Attached file: inifile_fix.diff (540 bytes), 2014-11-25 18:43
Issue History

Date Modified       Username      Field              Change
2014-11-25 18:43    rfpb          New Issue
2014-11-25 18:43    rfpb          File Added         inifile_fix.diff
2014-11-27 15:58    andras        Note Added         0000948
2014-11-27 15:58    andras        Status             new => resolved
2014-11-27 15:58    andras        Resolution         open => fixed
2014-11-27 15:58    andras        Assigned To        => andras
2014-11-27 15:58    andras        Target Version     => 4.6
2014-11-28 09:42    andras        Fixed in Version   => 4.6
2015-10-12 09:28    ammmar1988    Issue cloned       0000880

Note 0000948 (andras, 2014-11-27 15:58)
Thanks for the thorough bug report!

Fixed by changing the code to use currentSectionIndex instead of a pointer.
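The following is an added example, not OMNeT++ code and not the attached patch. It models the structure the report describes (a std::vector<Section>, a recursive internalReadFile() for "include", the current section tracked across the recursion) in a minimal in-memory ini reader, and applies the shape of the fix from the maintainer's note: the current section is held as an index rather than a Section*. Because sections are only ever appended, an index stays valid across any reallocation that the included file's section headers trigger; the reader also counts how often push_back moved the vector's storage, which is exactly the number of times a held Section* would have gone stale. Class and function names, the in-memory file map, the include-depth limit and the sample ini contents are all assumptions made for the example.

```cpp
// Added example (not OMNeT++ source): index-based current-section tracking
// across a recursive "include", with a counter for vector reallocations.
#include <cstdint>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct Section {
    std::string name;
    std::vector<std::pair<std::string, std::string>> entries;
};

class IniReader {
public:
    using FileMap = std::map<std::string, std::string>;  // filename -> contents (constructed, no disk I/O)
    explicit IniReader(FileMap files) : files_(std::move(files)) {}

    void read(const std::string& fname) { internalReadFile(fname, 0); }
    const std::vector<Section>& sections() const { return sections_; }
    // How many times push_back moved the vector's storage. Each of these would
    // have invalidated a Section* held across the call (the bug in the report).
    int reallocations() const { return reallocations_; }
    // Index of the named section, or -1 if absent.
    int findSection(const std::string& name) const {
        for (size_t i = 0; i < sections_.size(); ++i)
            if (sections_[i].name == name) return static_cast<int>(i);
        return -1;
    }

private:
    static std::string trim(const std::string& s) {
        size_t b = s.find_first_not_of(" \t\r");
        if (b == std::string::npos) return "";
        size_t e = s.find_last_not_of(" \t\r");
        return s.substr(b, e - b + 1);
    }

    int getOrCreateSection(const std::string& name) {
        int idx = findSection(name);
        if (idx >= 0) return idx;
        auto before = reinterpret_cast<std::uintptr_t>(sections_.data());
        sections_.push_back(Section{name, {}});
        if (reinterpret_cast<std::uintptr_t>(sections_.data()) != before)
            ++reallocations_;
        return static_cast<int>(sections_.size()) - 1;
    }

    void internalReadFile(const std::string& fname, int depth) {
        if (depth > 16) throw std::runtime_error("include nesting too deep: " + fname);  // assumed limit
        auto it = files_.find(fname);
        if (it == files_.end()) throw std::runtime_error("no such file: " + fname);
        std::istringstream in(it->second);
        std::string raw;
        while (std::getline(in, raw)) {
            std::string line = trim(raw);
            if (line.empty() || line[0] == '#') continue;
            if (line.front() == '[' && line.back() == ']') {
                currentSectionIndex_ = getOrCreateSection(trim(line.substr(1, line.size() - 2)));
            } else if (line.compare(0, 8, "include ") == 0) {
                // The recursive call may append sections and reallocate. The saved
                // index survives that; a saved Section* would dangle, which is the
                // scenario in the report. Restore it so statements after the
                // include go back into the section that was current before it.
                int saved = currentSectionIndex_;
                internalReadFile(trim(line.substr(8)), depth + 1);
                currentSectionIndex_ = saved;
            } else {
                size_t eq = line.find('=');
                if (eq == std::string::npos) throw std::runtime_error("bad line: " + line);
                if (currentSectionIndex_ < 0) currentSectionIndex_ = getOrCreateSection("General");
                sections_[static_cast<size_t>(currentSectionIndex_)].entries.emplace_back(
                    trim(line.substr(0, eq)), trim(line.substr(eq + 1)));
            }
        }
    }

    FileMap files_;
    std::vector<Section> sections_;
    int currentSectionIndex_ = -1;  // index, not a pointer: stable across push_back
    int reallocations_ = 0;
};

// Constructed sample mirroring the reproduction steps: an include early in the
// main file, a statement after it, and eight [Config ...] sections in the include.
IniReader parseSample() {
    std::string sub;
    for (int i = 1; i <= 8; ++i)
        sub += "[Config C" + std::to_string(i) + "]\nkey" + std::to_string(i) + " = v" + std::to_string(i) + "\n";
    IniReader r({{"omnetpp.ini", "[General]\nnetwork = Foo\ninclude sub.ini\nsim-time-limit = 100s\n"},
                 {"sub.ini", sub}});
    r.read("omnetpp.ini");
    return r;
}
```

After parseSample() the "sim-time-limit" entry lands in [General] even though the include added eight sections in between, and reallocations() is at least 1, showing that a pointer taken before the include would not have survived. Restoring the saved index after the recursive call is the same intent as the reporter's patch (re-resolve the section after the call), expressed through an index as in the maintainer's fix.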