Closed calvin2021y closed 5 days ago
D: 24-08-08 15:56:39 zloop: call PAIR socket handler
OK
* zmsg: OK
* zpoller: OK
* zsock:
=================================================================
==48564==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ff7bfefe3f0 at pc 0x00010030f578 bp 0x7ff7bfefdb90 sp 0x7ff7bfefdb88
READ of size 4 at 0x7ff7bfefe3f0 thread T0
#0 0x10030f577 in zmq::socket_base_t::check_tag() const+0x57 (tests_net_zmq.exe:x86_64+0x10030f577)
#1 0x100350987 in as_socket_base_t(void*)+0x27 (tests_net_zmq.exe:x86_64+0x100350987)
#2 0x100350aaf in zmq_getsockopt+0x1f (tests_net_zmq.exe:x86_64+0x100350aaf)
#3 0x100145b9a in zsock_resolve+0x21a (tests_net_zmq.exe:x86_64+0x100145b9a)
#4 0x10017b903 in zsock_test+0x1003 (tests_net_zmq.exe:x86_64+0x10017b903)
#5 0x10006fa45 in main+0xb5 (tests_net_zmq.exe:x86_64+0x10006fa45)
#6 0x7ff8117e141e in start+0x76e (dyld:x86_64+0xfffffffffff6e41e)
Address 0x7ff7bfefe3f0 is located in stack of thread T0 at offset 1584 in frame
#0 0x10017a90f in zsock_test+0xf (tests_net_zmq.exe:x86_64+0x10017a90f)
This frame has 55 object(s):
[32, 40) 'writer' (line 1898)
[64, 104) 'endpoint' (line 1919)
[144, 152) 'reader' (line 1924)
[176, 184) 'msg' (line 1933)
[208, 216) 'string' (line 1935)
[240, 248) 'resolve' (line 1954)
[272, 276) 'fd' (line 1960)
[288, 296) 'dealer' (line 1983)
[320, 321) 'number1' (line 2012)
[336, 338) 'number2' (line 2013)
[352, 356) 'number4' (line 2014)
[368, 372) 'number4_MAX' (line 2016)
[384, 392) 'number8' (line 2017)
[416, 424) 'number8_MAX' (line 2020)
[448, 456) 'chunk' (line 2022)
[480, 488) 'frame' (line 2024)
[512, 520) 'hash' (line 2026)
[544, 552) 'uuid' (line 2032)
[576, 580) 'integer' (line 2069)
[592, 600) 'data' (line 2070)
[624, 632) 'size' (line 2071)
[656, 664) 'pointer' (line 2072)
[688, 696) 'longstr' (line 2187)
[720, 728) 'streamrecv' (line 2206)
[752, 760) 'streamsender' (line 2211)
[784, 792) 'connectmsg' (line 2216)
[816, 824) 'id' (line 2217)
[848, 856) 'empty' (line 2221)
[880, 888) 'connectmsg2' (line 2228)
[912, 920) 'id2' (line 2229)
[944, 952) 'empty2' (line 2233)
[976, 1232) 'rid' (line 2241)
[1296, 1304) 'rid_size' (line 2242)
[1328, 1336) 'request' (line 2245)
[1360, 1368) 'recvreq' (line 2255)
[1392, 1400) 'ridframe' (line 2257)
[1424, 1432) 'httpreq' (line 2260)
[1456, 1515) 'http_response' (line 2266)
[1552, 1560) 'httpmsg' (line 2279)
[1584, 1592) 'httpid' (line 2281) <== Memory access at offset 1584 is inside this variable
[1616, 1624) 'httpresp' (line 2283)
[1648, 1656) 'disconnectmsg' (line 2291)
[1680, 1688) 'id3' (line 2292)
[1712, 1720) 'empty3' (line 2295)
[1744, 1752) 'server' (line 2310)
[1776, 1784) 'client' (line 2314)
[1808, 1816) 'gather' (line 2390)
[1840, 1848) 'scatter' (line 2392)
[1872, 1880) 'message' (line 2398)
[1904, 1912) 'gossip' (line 2442)
[1936, 1944) 'dgramr' (line 2452)
[1968, 1976) 'dgrams' (line 2456)
[2000, 2008) 'dmessage' (line 2467)
[2032, 2040) 'addr' (line 2467)
[2064, 2072) 'dmsg' (line 2469)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope (tests_net_zmq.exe:x86_64+0x10030f577) in zmq::socket_base_t::check_tag() const+0x57
==48564==ABORTING
This patch fixes it:
diff --git a/src/zchunk.c b/src/zchunk.c
index e53fb258..7ac01310 100644
--- a/src/zchunk.c
+++ b/src/zchunk.c
@@ -62,6 +62,10 @@ zchunk_new (const void *data, size_t size)
if (data) {
self->size = size;
memcpy (self->data, data, self->size);
+ } else {
+ if( size > 0 ) {
+ self->data[0] = 0;
+ }
}
}
return self;
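Review bot: in the new `else` branch, `self->data[0] = 0` clears only the first byte of the buffer, so the remaining `size - 1` bytes stay uninitialised, and `self->size` is not assigned on this path (the visible hunk sets it only when `data` is non-NULL), which leaves it unclear from the hunk alone whether the chunk reports size 0 or `size` afterwards. If the intent is a fully initialised empty chunk, prefer `memset (self->data, 0, size);` and assign `self->size` explicitly; otherwise add a comment explaining why a single zero byte is enough. Minor: `if( size > 0 ) {` should follow the file's existing `if (data) {` spacing.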
@@ -181,6 +185,9 @@ zchunk_data (zchunk_t *self)
{
assert (self);
assert (zchunk_is (self));
+ if( self->size < 1 ) {
+ return NULL;
+ }
return self->data;
}
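Review bot: returning NULL from `zchunk_data` when `self->size < 1` changes the accessor's contract: callers that previously received a valid pointer to an empty buffer now receive NULL and will fault if they hand it to memcpy or dereference it. Either audit every caller of `zchunk_data` for NULL handling or keep returning `self->data` and let callers check `zchunk_size`; at minimum the public header comment for `zchunk_data` must document the new NULL return. Style: `if( self->size < 1 ) {` should match the surrounding `assert (self);` spacing.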
Can you create a PR?
Test commit: https://github.com/zeromq/czmq/commit/349564db20502ad787e66ff4db62be7c20e56360
Tested with zmq v4.3.5 and https://github.com/zeromq/libzmq/commit/b95d94935ed107679fd0ad9efd2f3d47309b6fd3