changeset 1378:7209a6e30932 fuzz

linked list dbmalloc now add non-free m_malloc_free_epoch() argument for leak detection
author Matt Johnston <matt@ucc.asn.au>
date Fri, 26 May 2017 00:19:39 +0800
parents d4cc85e6c569
children 616417b27f55
files dbmalloc.c dbmalloc.h fuzzer-preauth.c fuzzer-pubkey.c
diffstat 4 files changed, 46 insertions(+), 30 deletions(-) [+]
line wrap: on
line diff
--- a/dbmalloc.c	Thu May 25 22:21:49 2017 +0800
+++ b/dbmalloc.c	Fri May 26 00:19:39 2017 +0800
@@ -1,14 +1,17 @@
 #include "dbmalloc.h"
 #include "dbutil.h"
 
-#define LIST_SIZE 1000
-
 struct dbmalloc_header {
-    unsigned int index;
     unsigned int epoch;
+    struct dbmalloc_header *prev;
+    struct dbmalloc_header *next;
 };
 
-static struct dbmalloc_header* dbmalloc_list[LIST_SIZE];
+static void put_alloc(struct dbmalloc_header *header);
+static void remove_alloc(struct dbmalloc_header *header);
+
+/* end of the linked list */
+static struct dbmalloc_header* staple;
 
 unsigned int current_epoch = 0;
 
@@ -16,39 +19,50 @@
     current_epoch = epoch;
 }
 
-void m_malloc_free_epoch(unsigned int epoch) {
-    unsigned int i;
-    unsigned int freed = 0;
-    for (i = 0; i < LIST_SIZE; i++) {
-        if (dbmalloc_list[i] != NULL) {
-            assert(dbmalloc_list[i]->index == i);
-            if (dbmalloc_list[i]->epoch == epoch) {
-                free(dbmalloc_list[i]);
-                dbmalloc_list[i] = NULL;
-                freed++;
+void m_malloc_free_epoch(unsigned int epoch, int dofree) {
+    struct dbmalloc_header* header;
+    struct dbmalloc_header* nextheader = NULL;
+    struct dbmalloc_header* oldstaple = staple;
+    staple = NULL;
+    /* free allocations from this epoch, create a new staple-anchored list from
+    the remainder */
+    for (header = oldstaple; header; header = nextheader)
+    {
+        nextheader = header->next;
+        if (header->epoch == epoch) {
+            if (dofree) {
+                free(header);
             }
+        } else {
+            header->prev = NULL;
+            header->next = NULL;
+            put_alloc(header);
         }
     }
-    TRACE(("free_epoch freed %d", freed))
 }
 
 static void put_alloc(struct dbmalloc_header *header) {
-    unsigned int i;
-    for (i = 0; i < LIST_SIZE; i++) {
-        if (dbmalloc_list[i] == NULL) {
-            dbmalloc_list[i] = header;
-            header->index = i;
-            return;
-        }
+    assert(header->next == NULL);
+    assert(header->prev == NULL);
+    if (staple) {
+        staple->prev = header;
     }
-    dropbear_exit("ran out of dbmalloc entries");
+    header->next = staple;
+    staple = header;
 }
 
 static void remove_alloc(struct dbmalloc_header *header) {
-    assert(header->index < LIST_SIZE);
-    assert(dbmalloc_list[header->index] == header);
-    assert(header->epoch == current_epoch);
-    dbmalloc_list[header->index] = NULL;
+    if (header->prev) {
+        header->prev->next = header->next;
+    }
+    if (header->next) {
+        header->next->prev = header->prev;
+    }
+    if (staple == header) {
+        staple = header->next;
+    }
+    header->prev = NULL;
+    header->next = NULL;
 }
 
 static struct dbmalloc_header* get_header(void* ptr) {
--- a/dbmalloc.h	Thu May 25 22:21:49 2017 +0800
+++ b/dbmalloc.h	Fri May 26 00:19:39 2017 +0800
@@ -11,6 +11,6 @@
 #define m_free(X) do {m_free_direct(X); (X) = NULL;} while (0)
 
 void m_malloc_set_epoch(unsigned int epoch);
-void m_malloc_free_epoch(unsigned int epoch);
+void m_malloc_free_epoch(unsigned int epoch, int dofree);
 
 #endif /* DBMALLOC_H_ */
--- a/fuzzer-preauth.c	Thu May 25 22:21:49 2017 +0800
+++ b/fuzzer-preauth.c	Fri May 26 00:19:39 2017 +0800
@@ -42,8 +42,9 @@
 	m_malloc_set_epoch(1);
 	if (setjmp(fuzz.jmp) == 0) {
 		svr_session(fakesock, fakesock);
+        m_malloc_free_epoch(1, 0);
 	} else {
-		m_malloc_free_epoch(1);
+		m_malloc_free_epoch(1, 1);
 		TRACE(("dropbear_exit longjmped"))
 		// dropbear_exit jumped here
 	}
--- a/fuzzer-pubkey.c	Thu May 25 22:21:49 2017 +0800
+++ b/fuzzer-pubkey.c	Fri May 26 00:19:39 2017 +0800
@@ -33,8 +33,9 @@
 		fuzz_checkpubkey_line(fuzz.input, 5, "/home/me/authorized_keys", 
 			algoname, strlen(algoname),
 			keyblob, strlen(keyblob));
+			m_malloc_free_epoch(1, 0);
 	} else {
-		m_malloc_free_epoch(1);
+		m_malloc_free_epoch(1, 1);
 		TRACE(("dropbear_exit longjmped"))
 		// dropbear_exit jumped here
 	}