[Spice-devel] [spice-server v2 1/3] reds-stream: Don't use sendmsg with uninitialized memory

Pavel Grunt pgrunt at redhat.com
Fri Mar 17 10:24:52 UTC 2017


Ack,
Pavel

On Thu, 2017-03-16 at 16:10 +0100, Christophe Fergeau wrote:
> On my 64 bit Fedora 25, CMSG_SPACE() adds 4 bytes of padding after the
> file descriptor in the control data. This causes warnings when run under
> valgrind as we set msg_controllen to CMSG_SPACE().
> 
> This commit fills the control data to 0 to avoid these warnings.
> 
> ==30301== Syscall param sendmsg(msg.msg_control) points to uninitialised byte(s)
> ==30301==    at 0x8127367: sendmsg (sendmsg.c:28)
> ==30301==    by 0x41880B: reds_stream_send_msgfd (reds-stream.c:295)
> ==30301==    by 0x40953F: main (test-stream.c:121)
> ==30301==  Address 0xffefff1b4 is on thread 1's stack
> ==30301==  in frame #1, created by reds_stream_send_msgfd (reds-stream.c:263)
> ---
>  server/reds-stream.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/server/reds-stream.c b/server/reds-stream.c
> index a813a8b..8ac296d 100644
> --- a/server/reds-stream.c
> +++ b/server/reds-stream.c
> @@ -283,6 +283,10 @@ int reds_stream_send_msgfd(RedsStream *stream,
> int fd)
>      if (fd != -1) {
>          msgh.msg_control = control.data;
>          msgh.msg_controllen = sizeof(control.data);
> +        /* CMSG_SPACE() might be larger than CMSG_LEN() as it can
> include some
> +         * padding. We set the whole control data to 0 to avoid
> valgrind warnings
> +         */
> +        memset(control.data, 0, sizeof(control.data));
>  
>          cmsg = CMSG_FIRSTHDR(&msgh);
>          cmsg->cmsg_len = CMSG_LEN(fd_size);
