tdx-util malloc sanity

[Jeffrey M. Vinocur]

We had a power failure.  With the usual results.  However, some sort of 
overview corruption was enough to cause tdx-util to try to allocate 
perhaps slightly more memory than it needed...

# bin/tdx-util -A
tdx-util: tradindexed: entry 2737 is deleted but not in the free list
tdx-util: tradindexed: index inode mismatch for control: 1064 != 911069
tdx-util: tradindexed: malformed overview data for control.cancel:2759455
tdx-util: tradindexed: malformed overview data for control.cancel:2759456
tdx-util: tradindexed: malformed overview data for control.cancel:2759457
tdx-util: tradindexed: malformed overview data for control.cancel:2759458
tdx-util: tradindexed: malformed overview data for control.cancel:2759459
tdx-util: tradindexed: malformed overview data for control.cancel:2759460
tdx-util: tradindexed: malformed overview data for control.cancel:2759461
tdx-util: tradindexed: malformed overview data for control.cancel:2759462
tdx-util: tradindexed: malformed overview data for control.cancel:2759463
tdx-util: tradindexed: malformed overview data for control.cancel:2759464
tdx-util: tradindexed: malformed overview data for control.cancel:2759465
tdx-util: tradindexed: malformed overview data for control.cancel:2759466
tdx-util: tradindexed: malformed overview data for control.cancel:2759467
tdx-util: tradindexed: malformed overview data for control.cancel:2759468
tdx-util: failed to strndup 1629516661 bytes at overdata.c line 241: Cannot allocate memory

Ho hum.  Russ, I think there must be an overflow or signedness problem
with the check on line 873.  Here's some backtrace that should help:




[...]
tdx-util: tradindexed: malformed overview data for control.cancel:2759468

Breakpoint 1, overview_check (
    data=0xa382d620 <Address 0xa382d620 out of bounds>, 
    length=1629516660,
    article=2759469) at overdata.c:241

241         copy = xstrndup(data, length);

(gdb) frame 1
#1  0x0804bc8e in entry_audit (
        data=0x807d5e0, 
        entry=0x4021500c,
        group=0x8088d68 "control.cancel",
        article=2759469,
        fix=false)
    at tdx-data.c:880

880         if (!overview_check(data->data + entry->offset, entry->length, article)) {

(gdb) print *entry
$1 = {offset = 1667327520, 
      length = 1629516660, 
      arrived = 1953853282,
      expires = 1970239776, 
      token = {type = 9 '\t', class = 109 'm', token = "arci <marcicruz@"}}

(gdb) print *data
$2 = {path = 0x807d618 "/var/spool/news/overview/c/c/control.cancel",
      writable = true, 
      high = 0, 
      base = 0, 
      indexfd = 7, 
      datafd = 8,
      index = 0x4019a000,
      data = 0x40217000 "2745602\tcmsg cancel <5782d371d6e67589c3b4455172f646be at 104.105.247.72> no reply ignore\tThe Spam Reaper <spambot at stopspam.org>\t27 Oct 2002 08:27:15 GMT\t<cancel.aa06.5782d371d6e67589c3b4455172f646be at 104."...,
      indexlen = 509364, 
      datalen = 4203484, 
      indexinode = 35794, 
      refcount = 0}

-- 
Jeffrey M. Vinocur
jeff at litech.org