libpcap: segfault on free after calloc

  • Thread starter Pieter Claassen

Pieter Claassen

I am baffled. I get the following error when I try to free some memory
obtained with calloc.

Error:

LEN is 36
STR SIZE BEFORE 0
STR SIZE AFTER 36
1234567890abcdefghijklmnopqrstuvwxyzJUST BEFORE FREE
Segmentation fault


......code start........

void handle_data(u_int32_t total_hdr_len, const struct pcap_pkthdr* pkthdr, const u_char* packet){
    char *str;
    u_int32_t len;
    int n;

    len = packet_length - total_hdr_len;
    printf("LEN is %d\n",len);
    str = (char*)calloc(len + 1,1);
    printf("STR SIZE BEFORE %d\n", strlen(str));
    if (str == NULL){
        printf("Failed to calloc memory\n");
        exit(1);
    }
    str=(char*)(packet + total_hdr_len);
    printf("STR SIZE AFTER %d\n", strlen(str));

# ifdef DEBUG
    fprintf(stderr,"DATA:\n");
    for (n=0;n<len; n++){
        printf("%c",str[n]);
    }
    dump("DATA",(void*)str,len);
# endif
    printf("JUST BEFORE FREE\n");
    free(str);
    printf("JUST AFTER FREE\n");

}

......code end.......

Where am I cocking up? I have tried it with malloc as well with similar
results.

Pieter
 

Richard Tobin

Pieter Claassen said:
I am baffled. I get the following error when I try to free some memory
obtained with calloc.

No, you're freeing some completely other memory:
str = (char*)calloc(len + 1,1); ....
str=(char*)(packet + total_hdr_len); ....
free(str);

-- Richard
 

Eric Sosman

Pieter said:
I am baffled. I get the following error when I try to free some memory
obtained with calloc.

This sounds like Question 7.19 in the comp.lang.c
Frequently Asked Questions (FAQ) list

http://www.eskimo.com/~scs/C-faq/top.html

.... but the difficulty in this case isn't what the FAQ
calls the "most common," but the next-to-last of the
causes it lists. Specifically,
str = (char*)calloc(len + 1,1);

`str' now points to dynamically-allocated memory
(assuming calloc() succeeds) ...
str=(char*)(packet + total_hdr_len);

`str' now points somewhere else entirely, not to
the memory obtained from calloc() ...
free(str);

Ka-BOOM!
 

Jens.Toerring

Pieter Claassen said:
I am baffled. I get the following error when I try to free some memory
obtained with calloc.

LEN is 36
STR SIZE BEFORE 0
STR SIZE AFTER 36
1234567890abcdefghijklmnopqrstuvwxyzJUST BEFORE FREE
Segmentation fault

.....code start........
void handle_data(u_int32_t total_hdr_len, const struct pcap_pkthdr* pkthdr, const u_char* packet){
char *str;
u_int32_t len;
int n;

len = packet_length - total_hdr_len;
printf("LEN is %d\n",len);
str = (char*)calloc(len + 1,1);

printf("STR SIZE BEFORE %d\n", strlen(str));

You should do that only _after_ checking that str isn't NULL. And it
doesn't make much sense anyway since strlen(str) should be always 0,
why else would you use calloc()?
if (str == NULL){
printf("Failed to calloc memory\n");
exit(1);
}
str=(char*)(packet + total_hdr_len);

And here things go badly wrong. Before that line str was pointing to
newly allocated memory. After that line it points somewhere else and
you have lost all information about the memory you have allocated,
so you just created a memory leak because you're not able anymore to
free() it.

Are you sure you don't want to use a memcpy() or strcpy()? Strings
(or char arrays) aren't copied by assigning pointers!

Another thing since you are using string functions like strlen():
is what packet points to a '\0'-terminated string? If not you can
not use strlen(), if yes be careful to obtain enough memory for
the terminating '\0' character...
printf("STR SIZE AFTER %d\n", strlen(str));

# ifdef DEBUG
fprintf(stderr,"DATA:\n");
for (n=0;n<len; n++){
printf("%c",str[n]);
}
dump("DATA",(void*)str,len);
# endif
printf("JUST BEFORE FREE\n");
free(str);

And here you try to free() a pointer that you probably haven't gotten
from a call of malloc(), calloc() or realloc(). No big surprise that
you then get a segmentation fault - free() really hates it when it gets
a wrong pointer:)
Regards, Jens
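
The fix the replies point to, as an added example that is not part of any post in this thread: copy the payload bytes with memcpy() and pass free() the same pointer calloc() returned. The helper name copy_payload, its caplen parameter (standing in for the captured length the original code read from packet_length) and the sample packet are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from the thread): returns a NUL-terminated heap
 * copy of the payload, or NULL on bad lengths or allocation failure.
 * caplen is the number of bytes actually captured (pcap_pkthdr.caplen). */
char *copy_payload(const unsigned char *packet, uint32_t caplen,
                   uint32_t total_hdr_len, uint32_t *out_len)
{
    char *buf;
    uint32_t len;

    /* Reject headers longer than the capture: the unsigned subtraction
     * below would otherwise wrap around to a huge length. */
    if (packet == NULL || total_hdr_len > caplen)
        return NULL;
    len = caplen - total_hdr_len;

    buf = calloc((size_t)len + 1, 1);   /* +1 keeps a terminating '\0' */
    if (buf == NULL)
        return NULL;

    /* Copy the bytes; do not reassign buf to point into the packet. */
    memcpy(buf, packet + total_hdr_len, len);
    *out_len = len;
    return buf;                         /* still the pointer calloc() gave us */
}

/* Constructed sample: 4 "header" bytes + 8 payload bytes, no trailing NUL. */
static const unsigned char sample_packet[] = {
    0xde, 0xad, 0xbe, 0xef, '1', '2', '3', '4', 'a', 'b', 'c', 'd'
};

int main(void)
{
    uint32_t len = 0;
    char *str = copy_payload(sample_packet, (uint32_t)sizeof sample_packet, 4, &len);

    if (str == NULL)
        return 1;
    printf("LEN is %u\n", (unsigned)len);
    printf("%.*s\n", (int)len, str);    /* length-bounded print */
    free(str);                          /* valid: same pointer calloc() returned */
    return 0;
}
```

Because the packet buffer is not NUL-terminated, the length comes from the capture header rather than from strlen() on the packet itself.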
 
