I just checked in a change to emem.c that adds canary values after each
memory allocation. It should let us identify overflows of any ep_ and
se_ allocated memory. Hopefully it won't add too much processing
overhead. If this works, the next step is to place mprotect()ed guard
pages before and after each chunk.

The canaries appear to be doing their job. Running tethereal against
the capture menagerie turned up a bug in asn1/x509if/x509if.cnf:

==7113== Invalid write of size 1
==7113== at 0xD7581F: g_strlcat (in /usr/lib/libglib-2.0.so.0.400.8)
==7113== by 0x4817343: dissect_x509if_RelativeDistinguishedName (x509if.cnf:213)
==7113== by 0x48173ED: dissect_RDNSequence_item (x509if.cnf:257)
==7113== by 0x4366CAE: dissect_ber_sq_of (packet-ber.c:2021)
==7113== by 0x481747C: dissect_x509if_RDNSequence (x509if.cnf:238)
==7113== by 0x481755D: dissect_rdnSequence (x509if.cnf:257)
==7113== by 0x4365A35: dissect_ber_choice (packet-ber.c:1607)
==7113== by 0x48175B8: dissect_x509if_Name (x509if.cnf:273)
==7113== by 0x4812251: dissect_directoryName_impl (packet-x509ce-fn.c:7)
==7113== by 0x4365A35: dissect_ber_choice (packet-ber.c:1607)
==7113== by 0x481299C: dissect_x509ce_GeneralName (x509ce.cnf:168)
==7113== by 0x469B731: dissect_pkix1implicit_GeneralName (packet-pkix1implicit-template.c:61)
==7113== Address 0x4FDCE58 is 0 bytes after a block of size 64 alloc'd
==7113== at 0x400446D: malloc (vg_replace_malloc.c:149)
==7113== by 0xD65C32: g_malloc (in /usr/lib/libglib-2.0.so.0.400.8)
==7113== by 0x429FD38: ep_alloc (emem.c:216)
==7113== by 0x481742D: dissect_x509if_RDNSequence (x509if.cnf:235)
==7113== by 0x481755D: dissect_rdnSequence (x509if.cnf:257)
==7113== by 0x4365A35: dissect_ber_choice (packet-ber.c:1607)
==7113== by 0x48175B8: dissect_x509if_Name (x509if.cnf:273)
==7113== by 0x4812251: dissect_directoryName_impl (packet-x509ce-fn.c:7)
==7113== by 0x4365A35: dissect_ber_choice (packet-ber.c:1607)
==7113== by 0x481299C: dissect_x509ce_GeneralName (x509ce.cnf:168)
==7113== by 0x469B731: dissect_pkix1implicit_GeneralName (packet-pkix1implicit-template.c:61)
==7113== by 0x43ACED5: dissect_sender (packet-cmp-fn.c:14)

To generate the valgrind output I had to uncomment EP_DEBUG_FREE and
SE_DEBUG_FREE in epan/emem.c and recompile. The capture file used was
cmp-trace.pcap.gz on the sample captures page. I'll take a look at this
tomorrow, time permitting.
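
The allocate-then-check scheme the message describes, as an added example rather than the emem.c change itself: a small pool that writes a canary after each chunk and counts altered canaries when the pool is released, plus, for the planned next step, a guard-page allocator that mprotect()s the pages on either side of each chunk and a probe that reports whether a one-byte overrun faulted. The function names, the chunk layout and the canary pattern are assumptions made for this example; it is Linux/POSIX-only because of mmap, mprotect and sigaction.

```c
/* Added example, not the emem.c code from the message above: a pool that puts
 * a canary after every chunk and checks them all at free time, plus an
 * mprotect()ed guard-page allocator for the planned next step. All names here
 * (canary_alloc, canary_check_all, canary_free_all, guard_alloc, guard_free,
 * guard_probe) are assumptions for this example; Linux/POSIX only. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CANARY_LEN 8
struct chunk {              /* layout: struct chunk | data[len] | canary */
    size_t len;
    struct chunk *next;
};
static struct chunk *pool;  /* live chunks, released together like an ep_ pool */

/* Fixed pattern for determinism. The leading NUL means a string routine that
 * runs one byte past the end (as g_strlcat did in the trace) must alter it. */
static const unsigned char canary[CANARY_LEN] =
    { 0x00, 0xDE, 0xAD, 0xBE, 0xEF, 0x0A, 0xFF, 0x7F };

void *canary_alloc(size_t len)
{
    struct chunk *c = malloc(sizeof *c + len + CANARY_LEN);
    if (!c)
        return NULL;
    c->len = len;
    c->next = pool;
    pool = c;
    memcpy((unsigned char *)(c + 1) + len, canary, CANARY_LEN);
    return c + 1;
}

/* Number of live chunks whose canary no longer matches. */
int canary_check_all(void)
{
    int bad = 0;
    for (struct chunk *c = pool; c; c = c->next)
        if (memcmp((unsigned char *)(c + 1) + c->len, canary, CANARY_LEN) != 0)
            bad++;
    return bad;
}

/* Check once more, then release the whole pool; returns the corrupt count. */
int canary_free_all(void)
{
    int bad = canary_check_all();
    while (pool) {
        struct chunk *c = pool;
        pool = c->next;
        free(c);
    }
    return bad;
}

/* Guard pages: PROT_NONE page | data pushed to the end of RW pages | PROT_NONE
 * page, so a write one byte past the end faults immediately. */
void *guard_alloc(size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t body = (len + page - 1) / page * page;
    unsigned char *base = mmap(NULL, body + 2 * page, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    mprotect(base, page, PROT_NONE);
    mprotect(base + page + body, page, PROT_NONE);
    return base + page + body - len;
}
void guard_free(void *p, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t body = (len + page - 1) / page * page;
    munmap((unsigned char *)p + len - body - page, body + 2 * page);
}

/* Write to p[len] (one past the end) and report whether that faulted. */
static sigjmp_buf probe_env;
static void on_segv(int sig) { (void)sig; siglongjmp(probe_env, 1); }
int guard_probe(void *p, size_t len)
{
    struct sigaction sa = { 0 }, old;
    int faulted = 0;
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0)
        ((volatile unsigned char *)p)[len] = 'A';
    else
        faulted = 1;
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}
```

Two design points: the canary deliberately starts with a NUL byte, so an off-by-one from a string function (the terminator written one byte past the end, which is what the g_strlcat write above is) cannot leave it intact, and the guard-page variant places the data at the end of the read/write region rather than the start, so the very first byte past the chunk lands on the PROT_NONE page and faults at the moment of the write instead of being noticed later at check time. The canary check costs one memcmp per chunk at release; the guard pages cost at least three pages per allocation, which is why they are the follow-up rather than the default.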