Jeff Morriss wrote:
Bill Meier wrote:
Jeff Morriss wrote:
Bill Meier wrote:
I've found at least one case wherein se_alloc'd memory
is referenced after it's been freed. (I think this case just happens
to work because the memory wasn't yet reassigned).
I was contemplating adding an optional memory-scrubber to ensure that
we're not doing that: just writing 0xdeadbeef to the ep_ and se_ alloc'd
memory when we free it.
I was thinking the same thing ....
I fixed a few cases of this and I'm not getting any more failures with
the sample captures I have. Is the case you found fixed?
Unfortunately I don't quite remember the case I found.
Was it the "dangling pointer to se'alloc'd memory" I mentioned in bug
#4141? (If so, I originally mis-interpreted the code in that there's no
actual reference to the already freed se_alloc'd buffer).
"Also note that currently for free_all_reassembled_fragments()
that the 'key_arg' points to se_alloc'd memory which has already
been freed."
> If so, should we turn on memory scrubbing while fuzz testing?
Seems like a reasonable idea to me. We'd need to watch to see how much
time is added to the fuzz-testing. Maybe only turn on scrubbing for one
pass?
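The scrub-on-free idea discussed in this thread, as an added example that is not part of the original messages and not Wireshark's own ep_/se_ allocator code: a small scope allocator (`scope_alloc`, `scope_free_all`, all names hypothetical) that overwrites every chunk with the 0xdeadbeef byte pattern before giving it up, so that a dangling pointer dereferenced after the free reads the poison instead of whatever stale data happened to survive. The example adds one thing the thread does not mention, a quarantine list, purely so that the stale read in `demo_dangling` stays defined behaviour while it is demonstrated; `scope_release` hands the quarantined chunks back to libc afterwards.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Poison written over freed chunks when scrubbing is enabled (0xdeadbeef). */
static const unsigned char SCRUB_PATTERN[4] = { 0xde, 0xad, 0xbe, 0xef };

/* Toggle: off in normal runs, on during fuzz testing (hypothetical knob). */
static int scrub_enabled = 1;

/* One allocation in a scope; stand-in for an ep_/se_ chunk (hypothetical). */
typedef struct chunk {
    struct chunk *next;
    size_t len;
    unsigned char data[];
} chunk_t;

typedef struct {
    chunk_t *head;        /* live allocations */
    chunk_t *quarantine;  /* scrubbed, not yet returned to libc */
} scope_t;

/* Fill a buffer with the poison pattern, byte by byte so odd sizes work. */
static void scrub_buffer(void *p, size_t len)
{
    unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        b[i] = SCRUB_PATTERN[i % 4];
}

/* Returns 1 if every byte of the buffer is the poison fill, i.e. what a
 * use-after-free read sees once scrubbing is on. */
static int looks_scrubbed(const void *p, size_t len)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != SCRUB_PATTERN[i % 4])
            return 0;
    return len > 0;
}

static void *scope_alloc(scope_t *s, size_t len)
{
    chunk_t *c = malloc(sizeof *c + len);
    if (!c)
        abort();
    c->next = s->head;
    c->len = len;
    s->head = c;
    return c->data;
}

/* End of scope: scrub every live chunk (if enabled) and park it in the
 * quarantine. Returns the number of chunks processed. */
static size_t scope_free_all(scope_t *s)
{
    size_t n = 0;
    while (s->head) {
        chunk_t *c = s->head;
        s->head = c->next;
        if (scrub_enabled)
            scrub_buffer(c->data, c->len);
        c->next = s->quarantine;
        s->quarantine = c;
        n++;
    }
    return n;
}

/* Actually return quarantined memory to libc. */
static void scope_release(scope_t *s)
{
    while (s->quarantine) {
        chunk_t *c = s->quarantine;
        s->quarantine = c->next;
        free(c);
    }
}

/* Reproduces the thread's bug pattern: a pointer kept across the free.
 * Returns 1 if the stale read is detectable as poison. */
static int demo_dangling(void)
{
    scope_t s = { 0 };
    char *key = scope_alloc(&s, 8);
    memcpy(key, "frag-key", 8);   /* constructed sample content */
    scope_free_all(&s);
    int poisoned = looks_scrubbed(key, 8);   /* defined: still quarantined */
    scope_release(&s);
    return poisoned;
}

int main(void)
{
    printf("dangling read sees 0xdeadbeef: %s\n", demo_dangling() ? "yes" : "no");
    return 0;
}
```

With `scrub_enabled` set to 0 the same `demo_dangling` returns 0, which is exactly why the bug in the thread "just happened to work": the freed bytes still held the old key. Turning scrubbing on for one fuzz pass trades the extra memset per chunk for crashes or garbage that point straight at the offending dereference.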