
Faults in Linux: Using incorrect sizeof expressions

As part of my project, while reading the reports, I came across bugs where an incorrect sizeof expression is used, typically leading to allocation of data of the wrong size. There were many of these in the 2.4.x and 2.6.x kernels. I was also required to list the FPs (false positives) reported by Coccinelle. This post is about what I found for this case.

You can view the complete report as a PDF here and as an HTML file here.

 

What is a sizeof expression?

sizeof is a unary operator that yields the size of its operand, either a type or an expression, in bytes. It is used a lot when allocating memory, because the amount to allocate is normally written as the size of the type being allocated.

 

Why can incorrect usage of a sizeof expression cause a bug?

Using the wrong sizeof expression means the allocation is the wrong size. If it is too small, the code that later fills in the object writes past the end of the allocation and corrupts the heap, which is a serious bug. If it is too large, memory is wasted but nothing is overwritten.

 

Which types did I study?

I studied two types of report:

  • Results for sizeof expressions that involve the wrong type (the size of one structure is taken when another is being allocated)
  • Results for sizeof expressions lacking a dereference (the size of the pointer is taken instead of the size of the structure it points to)

 

What did I find?

The bugs were of different types. Some allocated a bigger size than was required, and some did not need a dereference of the structure type at all.

Among the FPs reported by Coccinelle, most were cases where it thought the allocated size was too large, but it was not.
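Both kinds of report, and the difference between a real bug and a harmless over-allocation, can be seen in a small stand-alone C program. This is an added example written for this post, not code from the Linux kernel or from the Coccinelle report; the two structures, the helper names and the size classification are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed structures standing in for kernel types; not from the report. */
struct small_hdr {
    uint32_t id;
    uint16_t flags;
};

struct big_rec {
    char name[64];
    uint64_t stats[32];
};

/* How an allocation's size compares with what the code then writes into it. */
enum sizeof_verdict { SIZE_UNDER, SIZE_EXACT, SIZE_OVER };

enum sizeof_verdict classify(size_t allocated, size_t needed)
{
    if (allocated < needed)
        return SIZE_UNDER;   /* heap overflow as soon as the object is filled in */
    if (allocated > needed)
        return SIZE_OVER;    /* wastes memory; harmless, and a typical FP when small */
    return SIZE_EXACT;
}

/* Type 1: sizeof involving the wrong type.
 * The caller needs a struct small_hdr but sizes the request with big_rec. */
size_t size_wrong_type(void)
{
    return sizeof(struct big_rec);
}

/* The sizeof(*p) idiom: the size follows the type of p automatically,
 * so changing p's type cannot leave a stale sizeof(struct ...) behind. */
size_t size_from_pointee(struct small_hdr *p)
{
    return sizeof(*p);
}

/* Type 2: sizeof lacking a dereference.
 * sizeof(p) is the size of the pointer (8 bytes on LP64), not of the struct. */
size_t size_missing_deref(struct big_rec *p)
{
    return sizeof(p);
}

size_t size_with_deref(struct big_rec *p)
{
    return sizeof(*p);
}

/* The same mistake on an array: n pointers' worth instead of n records' worth. */
size_t array_size_missing_deref(struct big_rec *arr, size_t n)
{
    return n * sizeof(arr);
}

size_t array_size_with_deref(struct big_rec *arr, size_t n)
{
    return n * sizeof(*arr);
}

int main(void)
{
    /* sizeof never evaluates its operand, so NULL is fine for taking the type. */
    struct big_rec *rec = NULL;
    struct small_hdr *hdr = NULL;

    printf("wrong type:    asked %zu, needed %zu, verdict %d\n",
           size_wrong_type(), size_from_pointee(hdr),
           classify(size_wrong_type(), size_from_pointee(hdr)));
    printf("missing deref: asked %zu, needed %zu, verdict %d\n",
           size_missing_deref(rec), size_with_deref(rec),
           classify(size_missing_deref(rec), size_with_deref(rec)));
    printf("array of 4:    asked %zu, needed %zu, verdict %d\n",
           array_size_missing_deref(rec, 4), array_size_with_deref(rec, 4),
           classify(array_size_missing_deref(rec, 4), array_size_with_deref(rec, 4)));
    return 0;
}
```

The missing-dereference case is the dangerous one: the pointer is 8 bytes but the record is 320, so filling in the record overruns the allocation by more than 300 bytes. The wrong-type case over-allocates, which is what most of the false positives look like; whether such a report is worth fixing depends on how large the gap is.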

 

Example Bug?

You can find bugs of each type above in the linked report. Have a look at this one; here is the structure definition. It's too big!

 

Example FP?

Look at this one. Here the structure is not large at all, it is very small, so there is no issue with it.

 

 

More are coming!
