diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 09:44:07 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 09:44:07 +0000 |
commit | 39ce00b8d520cbecbd6af87257e8fb11df0ec273 (patch) | |
tree | 4c21a2674c19e5c44be3b3550b476b9e63d8ae3d /src/store.c | |
parent | Initial commit. (diff) | |
download | exim4-39ce00b8d520cbecbd6af87257e8fb11df0ec273.tar.xz exim4-39ce00b8d520cbecbd6af87257e8fb11df0ec273.zip |
Adding upstream version 4.94.2.upstream/4.94.2upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/store.c')
-rw-r--r-- | src/store.c | 887 |
1 files changed, 887 insertions, 0 deletions
diff --git a/src/store.c b/src/store.c new file mode 100644 index 0000000..123df70 --- /dev/null +++ b/src/store.c @@ -0,0 +1,887 @@ +/************************************************* +* Exim - an Internet mail transport agent * +*************************************************/ + +/* Copyright (c) University of Cambridge 1995 - 2018 */ +/* Copyright (c) The Exim maintainers 2019 - 2020 */ +/* See the file NOTICE for conditions of use and distribution. */ + +/* Exim gets and frees all its store through these functions. In the original +implementation there was a lot of mallocing and freeing of small bits of store. +The philosophy has now changed to a scheme which includes the concept of +"stacking pools" of store. For the short-lived processes, there isn't any real +need to do any garbage collection, but the stack concept allows quick resetting +in places where this seems sensible. + +Obviously the long-running processes (the daemon, the queue runner, and eximon) +must take care not to eat store. + +The following different types of store are recognized: + +. Long-lived, large blocks: This is implemented by retaining the original + malloc/free functions, and it used for permanent working buffers and for + getting blocks to cut up for the other types. + +. Long-lived, small blocks: This is used for blocks that have to survive until + the process exits. It is implemented as a stacking pool (POOL_PERM). This is + functionally the same as store_malloc(), except that the store can't be + freed, but I expect it to be more efficient for handling small blocks. + +. Short-lived, short blocks: Most of the dynamic store falls into this + category. It is implemented as a stacking pool (POOL_MAIN) which is reset + after accepting a message when multiple messages are received by a single + process. Resetting happens at some other times as well, usually fairly + locally after some specific processing that needs working store. + +. There is a separate pool (POOL_SEARCH) that is used only for lookup storage. + This means it can be freed when search_tidyup() is called to close down all + the lookup caching. + +. Orthogonal to the three pool types, there are two classes of memory: untainted + and tainted. The latter is used for values derived from untrusted input, and + the string-expansion mechanism refuses to operate on such values (obviously, + it can expand an untainted value to return a tainted result). The classes + are implemented by duplicating the three pool types. Pool resets are requested + against the nontainted sibling and apply to both siblings. + + Only memory blocks requested for tainted use are regarded as tainted; anything + else (including stack auto variables) is untainted. Care is needed when coding + to not copy untrusted data into untainted memory, as downstream taint-checks + would be avoided. + + Intermediate layers (eg. the string functions) can test for taint, and use this + for ensurinng that results have proper state. For example the + string_vformat_trc() routing supporting the string_sprintf() interface will + recopy a string being built into a tainted allocation if it meets a %s for a + tainted argument. Any intermediate-layer function that (can) return a new + allocation should behave this way; returning a tainted result if any tainted + content is used. Intermediate-layer functions (eg. Ustrncpy) that modify + existing allocations fail if tainted data is written into an untainted area. + Users of functions that modify existing allocations should check if a tainted + source and an untainted destination is used, and fail instead (sprintf() being + the classic case). +*/ + + +#include "exim.h" +/* keep config.h before memcheck.h, for NVALGRIND */ +#include "config.h" + +#include <sys/mman.h> +#include "memcheck.h" + + +/* We need to know how to align blocks of data for general use. I'm not sure +how to get an alignment factor in general. In the current world, a value of 8 +is probably right, and this is sizeof(double) on some systems and sizeof(void +*) on others, so take the larger of those. Since everything in this expression +is a constant, the compiler should optimize it to a simple constant wherever it +appears (I checked that gcc does do this). */ + +#define alignment \ + (sizeof(void *) > sizeof(double) ? sizeof(void *) : sizeof(double)) + +/* store_reset() will not free the following block if the last used block has +less than this much left in it. */ + +#define STOREPOOL_MIN_SIZE 256 + +/* Structure describing the beginning of each big block. */ + +typedef struct storeblock { + struct storeblock *next; + size_t length; +} storeblock; + +/* Just in case we find ourselves on a system where the structure above has a +length that is not a multiple of the alignment, set up a macro for the padded +length. */ + +#define ALIGNED_SIZEOF_STOREBLOCK \ + (((sizeof(storeblock) + alignment - 1) / alignment) * alignment) + +/* Size of block to get from malloc to carve up into smaller ones. This +must be a multiple of the alignment. We assume that 8192 is going to be +suitably aligned. */ + +#define STORE_BLOCK_SIZE (8192 - ALIGNED_SIZEOF_STOREBLOCK) + +/* Variables holding data for the local pools of store. The current pool number +is held in store_pool, which is global so that it can be changed from outside. +Setting the initial length values to -1 forces a malloc for the first call, +even if the length is zero (which is used for getting a point to reset to). */ + +int store_pool = POOL_MAIN; + +#define NPOOLS 6 +static storeblock *chainbase[NPOOLS]; +static storeblock *current_block[NPOOLS]; +static void *next_yield[NPOOLS]; +static int yield_length[NPOOLS] = { -1, -1, -1, -1, -1, -1 }; + +/* pool_malloc holds the amount of memory used by the store pools; this goes up +and down as store is reset or released. nonpool_malloc is the total got by +malloc from other calls; this doesn't go down because it is just freed by +pointer. */ + +static int pool_malloc; +static int nonpool_malloc; + +/* This variable is set by store_get() to its yield, and by store_reset() to +NULL. This enables string_cat() to optimize its store handling for very long +strings. That's why the variable is global. */ + +void *store_last_get[NPOOLS]; + +/* These are purely for stats-gathering */ + +static int nbytes[NPOOLS]; /* current bytes allocated */ +static int maxbytes[NPOOLS]; /* max number reached */ +static int nblocks[NPOOLS]; /* current number of blocks allocated */ +static int maxblocks[NPOOLS]; +static int n_nonpool_blocks; /* current number of direct store_malloc() blocks */ +static int max_nonpool_blocks; +static int max_pool_malloc; /* max value for pool_malloc */ +static int max_nonpool_malloc; /* max value for nonpool_malloc */ + + +#ifndef COMPILE_UTILITY +static const uschar * pooluse[NPOOLS] = { +[POOL_MAIN] = US"main", +[POOL_PERM] = US"perm", +[POOL_SEARCH] = US"search", +[POOL_TAINT_MAIN] = US"main", +[POOL_TAINT_PERM] = US"perm", +[POOL_TAINT_SEARCH] = US"search", +}; +static const uschar * poolclass[NPOOLS] = { +[POOL_MAIN] = US"untainted", +[POOL_PERM] = US"untainted", +[POOL_SEARCH] = US"untainted", +[POOL_TAINT_MAIN] = US"tainted", +[POOL_TAINT_PERM] = US"tainted", +[POOL_TAINT_SEARCH] = US"tainted", +}; +#endif + + +static void * internal_store_malloc(int, const char *, int); +static void internal_store_free(void *, const char *, int linenumber); + +/******************************************************************************/ + +/* Test if a pointer refers to tainted memory. + +Slower version check, for use when platform intermixes malloc and mmap area +addresses. Test against the current-block of all tainted pools first, then all +blocks of all tainted pools. + +Return: TRUE iff tainted +*/ + +BOOL +is_tainted_fn(const void * p) +{ +storeblock * b; + +for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++) + if ((b = current_block[pool])) + { + uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK; + if (US p >= bc && US p < bc + b->length) return TRUE; + } + +for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++) + for (b = chainbase[pool]; b; b = b->next) + { + uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK; + if (US p >= bc && US p < bc + b->length) return TRUE; + } +return FALSE; +} + + +void +die_tainted(const uschar * msg, const uschar * func, int line) +{ +log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Taint mismatch, %s: %s %d\n", + msg, func, line); +} + + + +/************************************************* +* Get a block from the current pool * +*************************************************/ + +/* Running out of store is a total disaster. This function is called via the +macro store_get(). It passes back a block of store within the current big +block, getting a new one if necessary. The address is saved in +store_last_was_get. + +Arguments: + size amount wanted, bytes + tainted class: set to true for untrusted data (eg. from smtp input) + func function from which called + linenumber line number in source file + +Returns: pointer to store (panic on malloc failure) +*/ + +void * +store_get_3(int size, BOOL tainted, const char *func, int linenumber) +{ +int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool; + +/* Ensure we've been asked to allocate memory. +A negative size is a sign of a security problem. +A zero size might be also suspect, but our internal usage deliberately +does this to return a current watermark value for a later release of +allocated store. */ + +if (size < 0 || size >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory allocation requested (%d bytes) at %s %d", + size, func, linenumber); + +/* Round up the size to a multiple of the alignment. Although this looks a +messy statement, because "alignment" is a constant expression, the compiler can +do a reasonable job of optimizing, especially if the value of "alignment" is a +power of two. I checked this with -O2, and gcc did very well, compiling it to 4 +instructions on a Sparc (alignment = 8). */ + +if (size % alignment != 0) size += alignment - (size % alignment); + +/* If there isn't room in the current block, get a new one. The minimum +size is STORE_BLOCK_SIZE, and we would expect this to be the norm, since +these functions are mostly called for small amounts of store. */ + +if (size > yield_length[pool]) + { + int length = size <= STORE_BLOCK_SIZE ? STORE_BLOCK_SIZE : size; + int mlength = length + ALIGNED_SIZEOF_STOREBLOCK; + storeblock * newblock; + + /* Sometimes store_reset() may leave a block for us; check if we can use it */ + + if ( (newblock = current_block[pool]) + && (newblock = newblock->next) + && newblock->length < length + ) + { + /* Give up on this block, because it's too small */ + nblocks[pool]--; + internal_store_free(newblock, func, linenumber); + newblock = NULL; + } + + /* If there was no free block, get a new one */ + + if (!newblock) + { + if ((nbytes[pool] += mlength) > maxbytes[pool]) + maxbytes[pool] = nbytes[pool]; + if ((pool_malloc += mlength) > max_pool_malloc) /* Used in pools */ + max_pool_malloc = pool_malloc; + nonpool_malloc -= mlength; /* Exclude from overall total */ + if (++nblocks[pool] > maxblocks[pool]) + maxblocks[pool] = nblocks[pool]; + + newblock = internal_store_malloc(mlength, func, linenumber); + newblock->next = NULL; + newblock->length = length; + + if (!chainbase[pool]) + chainbase[pool] = newblock; + else + current_block[pool]->next = newblock; + } + + current_block[pool] = newblock; + yield_length[pool] = newblock->length; + next_yield[pool] = + (void *)(CS current_block[pool] + ALIGNED_SIZEOF_STOREBLOCK); + (void) VALGRIND_MAKE_MEM_NOACCESS(next_yield[pool], yield_length[pool]); + } + +/* There's (now) enough room in the current block; the yield is the next +pointer. */ + +store_last_get[pool] = next_yield[pool]; + +/* Cut out the debugging stuff for utilities, but stop picky compilers from +giving warnings. */ + +#ifdef COMPILE_UTILITY +func = func; +linenumber = linenumber; +#else +DEBUG(D_memory) + debug_printf("---%d Get %6p %5d %-14s %4d\n", pool, + store_last_get[pool], size, func, linenumber); +#endif /* COMPILE_UTILITY */ + +(void) VALGRIND_MAKE_MEM_UNDEFINED(store_last_get[pool], size); +/* Update next pointer and number of bytes left in the current block. */ + +next_yield[pool] = (void *)(CS next_yield[pool] + size); +yield_length[pool] -= size; +return store_last_get[pool]; +} + + + +/************************************************* +* Get a block from the PERM pool * +*************************************************/ + +/* This is just a convenience function, useful when just a single block is to +be obtained. + +Arguments: + size amount wanted + func function from which called + linenumber line number in source file + +Returns: pointer to store (panic on malloc failure) +*/ + +void * +store_get_perm_3(int size, BOOL tainted, const char *func, int linenumber) +{ +void *yield; +int old_pool = store_pool; +store_pool = POOL_PERM; +yield = store_get_3(size, tainted, func, linenumber); +store_pool = old_pool; +return yield; +} + + + +/************************************************* +* Extend a block if it is at the top * +*************************************************/ + +/* While reading strings of unknown length, it is often the case that the +string is being read into the block at the top of the stack. If it needs to be +extended, it is more efficient just to extend within the top block rather than +allocate a new block and then have to copy the data. This function is provided +for the use of string_cat(), but of course can be used elsewhere too. +The block itself is not expanded; only the top allocation from it. + +Arguments: + ptr pointer to store block + oldsize current size of the block, as requested by user + newsize new size required + func function from which called + linenumber line number in source file + +Returns: TRUE if the block is at the top of the stack and has been + extended; FALSE if it isn't at the top of the stack, or cannot + be extended +*/ + +BOOL +store_extend_3(void *ptr, BOOL tainted, int oldsize, int newsize, + const char *func, int linenumber) +{ +int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool; +int inc = newsize - oldsize; +int rounded_oldsize = oldsize; + +if (oldsize < 0 || newsize < oldsize || newsize >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory extension requested (%d -> %d bytes) at %s %d", + oldsize, newsize, func, linenumber); + +/* Check that the block being extended was already of the required taint status; +refuse to extend if not. */ + +if (is_tainted(ptr) != tainted) + return FALSE; + +if (rounded_oldsize % alignment != 0) + rounded_oldsize += alignment - (rounded_oldsize % alignment); + +if (CS ptr + rounded_oldsize != CS (next_yield[pool]) || + inc > yield_length[pool] + rounded_oldsize - oldsize) + return FALSE; + +/* Cut out the debugging stuff for utilities, but stop picky compilers from +giving warnings. */ + +#ifdef COMPILE_UTILITY +func = func; +linenumber = linenumber; +#else +DEBUG(D_memory) + debug_printf("---%d Ext %6p %5d %-14s %4d\n", pool, ptr, newsize, + func, linenumber); +#endif /* COMPILE_UTILITY */ + +if (newsize % alignment != 0) newsize += alignment - (newsize % alignment); +next_yield[pool] = CS ptr + newsize; +yield_length[pool] -= newsize - rounded_oldsize; +(void) VALGRIND_MAKE_MEM_UNDEFINED(ptr + oldsize, inc); +return TRUE; +} + + + + +/************************************************* +* Back up to a previous point on the stack * +*************************************************/ + +/* This function resets the next pointer, freeing any subsequent whole blocks +that are now unused. Call with a cookie obtained from store_mark() only; do +not call with a pointer returned by store_get(). Both the untainted and tainted +pools corresposding to store_pool are reset. + +Arguments: + r place to back up to + func function from which called + linenumber line number in source file + +Returns: nothing +*/ + +static void +internal_store_reset(void * ptr, int pool, const char *func, int linenumber) +{ +storeblock * bb; +storeblock * b = current_block[pool]; +char * bc = CS b + ALIGNED_SIZEOF_STOREBLOCK; +int newlength, count; +#ifndef COMPILE_UTILITY +int oldmalloc = pool_malloc; +#endif + +/* Last store operation was not a get */ + +store_last_get[pool] = NULL; + +/* See if the place is in the current block - as it often will be. Otherwise, +search for the block in which it lies. */ + +if (CS ptr < bc || CS ptr > bc + b->length) + { + for (b = chainbase[pool]; b; b = b->next) + { + bc = CS b + ALIGNED_SIZEOF_STOREBLOCK; + if (CS ptr >= bc && CS ptr <= bc + b->length) break; + } + if (!b) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal error: store_reset(%p) " + "failed: pool=%d %-14s %4d", ptr, pool, func, linenumber); + } + +/* Back up, rounding to the alignment if necessary. When testing, flatten +the released memory. */ + +newlength = bc + b->length - CS ptr; +#ifndef COMPILE_UTILITY +if (debug_store) + { + assert_no_variables(ptr, newlength, func, linenumber); + if (f.running_in_test_harness) + { + (void) VALGRIND_MAKE_MEM_DEFINED(ptr, newlength); + memset(ptr, 0xF0, newlength); + } + } +#endif +(void) VALGRIND_MAKE_MEM_NOACCESS(ptr, newlength); +next_yield[pool] = CS ptr + (newlength % alignment); +count = yield_length[pool]; +count = (yield_length[pool] = newlength - (newlength % alignment)) - count; +current_block[pool] = b; + +/* Free any subsequent block. Do NOT free the first +successor, if our current block has less than 256 bytes left. This should +prevent us from flapping memory. However, keep this block only when it has +the default size. */ + +if ( yield_length[pool] < STOREPOOL_MIN_SIZE + && b->next + && b->next->length == STORE_BLOCK_SIZE) + { + b = b->next; +#ifndef COMPILE_UTILITY + if (debug_store) + assert_no_variables(b, b->length + ALIGNED_SIZEOF_STOREBLOCK, + func, linenumber); +#endif + (void) VALGRIND_MAKE_MEM_NOACCESS(CS b + ALIGNED_SIZEOF_STOREBLOCK, + b->length - ALIGNED_SIZEOF_STOREBLOCK); + } + +bb = b->next; +b->next = NULL; + +while ((b = bb)) + { + int siz = b->length + ALIGNED_SIZEOF_STOREBLOCK; +#ifndef COMPILE_UTILITY + if (debug_store) + assert_no_variables(b, b->length + ALIGNED_SIZEOF_STOREBLOCK, + func, linenumber); +#endif + bb = bb->next; + nbytes[pool] -= siz; + pool_malloc -= siz; + nblocks[pool]--; + internal_store_free(b, func, linenumber); + } + +/* Cut out the debugging stuff for utilities, but stop picky compilers from +giving warnings. */ + +#ifdef COMPILE_UTILITY +func = func; +linenumber = linenumber; +#else +DEBUG(D_memory) + debug_printf("---%d Rst %6p %5d %-14s %4d %d\n", pool, ptr, + count + oldmalloc - pool_malloc, + func, linenumber, pool_malloc); +#endif /* COMPILE_UTILITY */ +} + + +rmark +store_reset_3(rmark r, int pool, const char *func, int linenumber) +{ +void ** ptr = r; + +if (pool >= POOL_TAINT_BASE) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "store_reset called for pool %d: %s %d\n", pool, func, linenumber); +if (!r) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "store_reset called with bad mark: %s %d\n", func, linenumber); + +internal_store_reset(*ptr, pool + POOL_TAINT_BASE, func, linenumber); +internal_store_reset(ptr, pool, func, linenumber); +return NULL; +} + + + +/* Free tail-end unused allocation. This lets us allocate a big chunk +early, for cases when we only discover later how much was really needed. + +Can be called with a value from store_get(), or an offset after such. Only +the tainted or untainted pool that serviced the store_get() will be affected. + +This is mostly a cut-down version of internal_store_reset(). +XXX needs rationalising +*/ + +void +store_release_above_3(void *ptr, const char *func, int linenumber) +{ +/* Search all pools' "current" blocks. If it isn't one of those, +ignore it (it usually will be). */ + +for (int pool = 0; pool < nelem(current_block); pool++) + { + storeblock * b = current_block[pool]; + char * bc; + int count, newlength; + + if (!b) + continue; + + bc = CS b + ALIGNED_SIZEOF_STOREBLOCK; + if (CS ptr < bc || CS ptr > bc + b->length) + continue; + + /* Last store operation was not a get */ + + store_last_get[pool] = NULL; + + /* Back up, rounding to the alignment if necessary. When testing, flatten + the released memory. */ + + newlength = bc + b->length - CS ptr; +#ifndef COMPILE_UTILITY + if (debug_store) + { + assert_no_variables(ptr, newlength, func, linenumber); + if (f.running_in_test_harness) + { + (void) VALGRIND_MAKE_MEM_DEFINED(ptr, newlength); + memset(ptr, 0xF0, newlength); + } + } +#endif + (void) VALGRIND_MAKE_MEM_NOACCESS(ptr, newlength); + next_yield[pool] = CS ptr + (newlength % alignment); + count = yield_length[pool]; + count = (yield_length[pool] = newlength - (newlength % alignment)) - count; + + /* Cut out the debugging stuff for utilities, but stop picky compilers from + giving warnings. */ + +#ifdef COMPILE_UTILITY + func = func; + linenumber = linenumber; +#else + DEBUG(D_memory) + debug_printf("---%d Rel %6p %5d %-14s %4d %d\n", pool, ptr, count, + func, linenumber, pool_malloc); +#endif + return; + } +#ifndef COMPILE_UTILITY +DEBUG(D_memory) + debug_printf("non-last memory release try: %s %d\n", func, linenumber); +#endif +} + + + +rmark +store_mark_3(const char *func, int linenumber) +{ +void ** p; + +if (store_pool >= POOL_TAINT_BASE) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "store_mark called for pool %d: %s %d\n", store_pool, func, linenumber); + +/* Stash a mark for the tainted-twin release, in the untainted twin. Return +a cookie (actually the address in the untainted pool) to the caller. +Reset uses the cookie to recover the t-mark, winds back the tainted pool with it +and winds back the untainted pool with the cookie. */ + +p = store_get_3(sizeof(void *), FALSE, func, linenumber); +*p = store_get_3(0, TRUE, func, linenumber); +return p; +} + + + + +/************************************************ +* Release store * +************************************************/ + +/* This function checks that the pointer it is given is the first thing in a +block, and if so, releases that block. + +Arguments: + block block of store to consider + func function from which called + linenumber line number in source file + +Returns: nothing +*/ + +static void +store_release_3(void * block, int pool, const char * func, int linenumber) +{ +/* It will never be the first block, so no need to check that. */ + +for (storeblock * b = chainbase[pool]; b; b = b->next) + { + storeblock * bb = b->next; + if (bb && CS block == CS bb + ALIGNED_SIZEOF_STOREBLOCK) + { + int siz = bb->length + ALIGNED_SIZEOF_STOREBLOCK; + b->next = bb->next; + nbytes[pool] -= siz; + pool_malloc -= siz; + nblocks[pool]--; + + /* Cut out the debugging stuff for utilities, but stop picky compilers + from giving warnings. */ + +#ifdef COMPILE_UTILITY + func = func; + linenumber = linenumber; +#else + DEBUG(D_memory) + debug_printf("-Release %6p %-20s %4d %d\n", (void *)bb, func, + linenumber, pool_malloc); + + if (f.running_in_test_harness) + memset(bb, 0xF0, bb->length+ALIGNED_SIZEOF_STOREBLOCK); +#endif /* COMPILE_UTILITY */ + + free(bb); + return; + } + } +} + + +/************************************************ +* Move store * +************************************************/ + +/* Allocate a new block big enough to expend to the given size and +copy the current data into it. Free the old one if possible. + +This function is specifically provided for use when reading very +long strings, e.g. header lines. When the string gets longer than a +complete block, it gets copied to a new block. It is helpful to free +the old block iff the previous copy of the string is at its start, +and therefore the only thing in it. Otherwise, for very long strings, +dead store can pile up somewhat disastrously. This function checks that +the pointer it is given is the first thing in a block, and that nothing +has been allocated since. If so, releases that block. + +Arguments: + block + newsize + len + +Returns: new location of data +*/ + +void * +store_newblock_3(void * block, BOOL tainted, int newsize, int len, + const char * func, int linenumber) +{ +int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool; +BOOL release_ok = !tainted && store_last_get[pool] == block; +uschar * newtext; + +#if !defined(MACRO_PREDEF) && !defined(COMPILE_UTILITY) +if (is_tainted(block) != tainted) + die_tainted(US"store_newblock", CUS func, linenumber); +#endif + +if (len < 0 || len > newsize) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory extension requested (%d -> %d bytes) at %s %d", + len, newsize, func, linenumber); + +newtext = store_get(newsize, tainted); +memcpy(newtext, block, len); +if (release_ok) store_release_3(block, pool, func, linenumber); +return (void *)newtext; +} + + + + +/************************************************* +* Malloc store * +*************************************************/ + +/* Running out of store is a total disaster for exim. Some malloc functions +do not run happily on very small sizes, nor do they document this fact. This +function is called via the macro store_malloc(). + +Arguments: + size amount of store wanted + func function from which called + line line number in source file + +Returns: pointer to gotten store (panic on failure) +*/ + +static void * +internal_store_malloc(int size, const char *func, int line) +{ +void * yield; + +if (size < 0 || size >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory allocation requested (%d bytes) at %s %d", + size, func, line); + +if (size < 16) size = 16; + +if (!(yield = malloc((size_t)size))) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to malloc %d bytes of memory: " + "called from line %d in %s", size, line, func); + +if ((nonpool_malloc += size) > max_nonpool_malloc) + max_nonpool_malloc = nonpool_malloc; + +/* Cut out the debugging stuff for utilities, but stop picky compilers from +giving warnings. */ + +#ifdef COMPILE_UTILITY +func = func; line = line; +#else + +/* If running in test harness, spend time making sure all the new store +is not filled with zeros so as to catch problems. */ + +if (f.running_in_test_harness) + memset(yield, 0xF0, (size_t)size); +DEBUG(D_memory) debug_printf("--Malloc %6p %5d bytes\t%-14s %4d\tpool %5d nonpool %5d\n", + yield, size, func, line, pool_malloc, nonpool_malloc); +#endif /* COMPILE_UTILITY */ + +return yield; +} + +void * +store_malloc_3(int size, const char *func, int linenumber) +{ +if (n_nonpool_blocks++ > max_nonpool_blocks) + max_nonpool_blocks = n_nonpool_blocks; +return internal_store_malloc(size, func, linenumber); +} + + +/************************************************ +* Free store * +************************************************/ + +/* This function is called by the macro store_free(). + +Arguments: + block block of store to free + func function from which called + linenumber line number in source file + +Returns: nothing +*/ + +static void +internal_store_free(void * block, const char * func, int linenumber) +{ +#ifdef COMPILE_UTILITY +func = func; +linenumber = linenumber; +#else +DEBUG(D_memory) + debug_printf("----Free %6p %-20s %4d\n", block, func, linenumber); +#endif /* COMPILE_UTILITY */ +free(block); +} + +void +store_free_3(void * block, const char * func, int linenumber) +{ +n_nonpool_blocks--; +internal_store_free(block, func, linenumber); +} + +/******************************************************************************/ +/* Stats output on process exit */ +void +store_exit(void) +{ +#ifndef COMPILE_UTILITY +DEBUG(D_memory) + { + debug_printf("----Exit nonpool max: %3d kB in %d blocks\n", + (max_nonpool_malloc+1023)/1024, max_nonpool_blocks); + debug_printf("----Exit npools max: %3d kB\n", max_pool_malloc/1024); + for (int i = 0; i < NPOOLS; i++) + debug_printf("----Exit pool %d max: %3d kB in %d blocks\t%s %s\n", + i, maxbytes[i]/1024, maxblocks[i], poolclass[i], pooluse[i]); + } +#endif +} + +/* End of store.c */ |