OMNeT++/OMNEST Bug Tracker

View Issue Details
ID: 0000789
Project: OMNeT++
Category: simulation kernel
View Status: public
Date Submitted: 2014-11-25 18:43
Last Update: 2014-11-28 09:42
Assigned To: andras
Platform: x86_64
OS: GNU/Linux
OS Version: ?
Product Version: 4.5
Target Version: 4.6
Fixed in Version: 4.6
Summary: 0000789: Bug in -- malloc(): memory corruption (fast)
Description: There is a bug in the ini parser that leads to writing to memory after being freed. The problem is the pointer "Section *currentSection" (in file src/envir/) that points to an element of the vector "std::vector<Section> sections". Upon insertion of a new element into a vector, reallocation may occur and all pointers to elements may be invalidated and need to be updated, see [1]. Thus the pointer "currentSection" needs to be updated every time elements are added to "sections". In most cases this is done correctly. But not if the ini file includes another ini file using the "include" command.

If an ini file includes another ini file, the method "internalReadFile()" will recursively call itself. If the included ini file defines sections, they will be added to "sections", which invalidates pointers. The inner function "internalReadFile()" will update the pointer correctly. But when it terminates, the outer function "internalReadFile()" will continue using the old pointer "currentSection", which has become invalid.

The attached patch provides a simple fix. It will save the name of the current section before doing the recursive call. After the call it will get the valid pointer for that section name.

[1] [^]
Steps To Reproduce: This bug can be reproduced by including an ini file in the upper part of the main ini file. There should be plenty of statements after the "include" statement. The included ini should define multiple sections, i.e. entries like [Config FooBar]. In my case it was eight sections.
Additional Information: The bug will let the program crash like this:

*** Error in `../src/Foo': malloc(): memory corruption (fast): 0x00007f516b1660e0 ***
Tags: No tags attached.
Attached Files: inifile_fix.diff (540 bytes) 2014-11-25 18:43

- Relationships

- Notes
andras (administrator)
2014-11-27 15:58

Thanks for the thorough bug report!

Fixed by changing the code to use currentSectionIndex instead of a pointer.
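A minimal model of the pitfall described in the report and of the index-based fix from the note above, added here as an example and not OMNeT++'s own reader code: `IniReader`, `Files`, `readSample` and the in-memory ini contents are constructed for illustration, and the reader is assumed to resume the outer file's section after an include, as the reporter's patch does. Because the current section is tracked by index rather than by `Section*`, the statements after the include still land in the right section even though the included file's eight new sections reallocated the vector.

```cpp
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct Section {
    std::string name;
    std::vector<std::pair<std::string, std::string>> entries;  // key=value lines
};
using Files = std::map<std::string, std::string>;  // constructed stand-in for the filesystem

struct IniReader {
    std::vector<Section> sections;
    // Maintainer's fix: track an index, not a Section*; push_back may reallocate
    // the vector and invalidate every element pointer, but indices stay valid.
    size_t currentSectionIndex = 0;

    size_t getOrCreateSection(const std::string& name) {
        for (size_t i = 0; i < sections.size(); ++i)
            if (sections[i].name == name) return i;
        sections.push_back({name, {}});  // any Section* taken earlier dangles after this
        return sections.size() - 1;
    }

    void internalReadFile(const Files& files, const std::string& fname) {
        std::istringstream in(files.at(fname));
        std::string line;
        while (std::getline(in, line)) {
            if (line.empty() || line[0] == '#') continue;
            if (line.rfind("include ", 0) == 0) {      // recursive include
                size_t saved = currentSectionIndex;    // an index survives reallocation
                internalReadFile(files, line.substr(8));
                currentSectionIndex = saved;           // resume the outer file's section
            } else if (line.front() == '[' && line.back() == ']') {
                currentSectionIndex = getOrCreateSection(line.substr(1, line.size() - 2));
            } else if (line.find('=') != std::string::npos) {
                size_t eq = line.find('=');
                sections[currentSectionIndex].entries.emplace_back(line.substr(0, eq), line.substr(eq + 1));
            }
        }
    }
};

// Constructed reproduction mirroring the report: an include early in main.ini with statements after it, and an included file defining eight sections.
IniReader readSample() {
    std::string sub;
    for (int i = 1; i <= 8; ++i) sub += "[Config S" + std::to_string(i) + "]\nk=" + std::to_string(i) + "\n";
    Files files = {{"main.ini", "[General]\na=1\ninclude sub.ini\nb=2\n[Config Outer]\nc=3\n"}, {"sub.ini", sub}};
    IniReader r;
    r.getOrCreateSection("General");  // section 0, like the real reader's default section
    r.internalReadFile(files, "main.ini");
    return r;
}
```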

- Issue History
Date Modified Username Field Change
2014-11-25 18:43 rfpb New Issue
2014-11-25 18:43 rfpb File Added: inifile_fix.diff
2014-11-27 15:58 andras Note Added: 0000948
2014-11-27 15:58 andras Status new => resolved
2014-11-27 15:58 andras Resolution open => fixed
2014-11-27 15:58 andras Assigned To => andras
2014-11-27 15:58 andras Target Version => 4.6
2014-11-28 09:42 andras Fixed in Version => 4.6
2015-10-12 09:28 ammmar1988 Issue cloned: 0000880
