io_write() crashes when freeing memory..


I got this code from the internet with some minor modifications from my side. I'm not exactly sure why the code is crashing when I try to free the memory. I would appreciate it if anybody has any clue about this.

Thanks for your time


int io_write (resmgr_context_t *ctp, io_write_t *msg, RESMGR_OCB_T *ocb)
{
    int status;
    unsigned int addr = 0, para2 = 0;
    char *inputBufPtr = NULL;
    ReturnStatus_E status_e = Success;
    char outputBuffer[100] = {0};
    SplitStringArray paramArray;
    int bufLen = 0;

    if ((status = iofunc_write_verify(ctp, msg, ocb, NULL)) != EOK)
        return (status);

    if ((msg->i.xtype & _IO_XTYPE_MASK) != _IO_XTYPE_NONE)
        return (ENOSYS);   /* body was lost in the post; this is what the stock QNX io_write example returns here */

    _IO_SET_WRITE_NBYTES (ctp, msg->i.nbytes);

    //bufLen = sizeof(msg->i.nbytes) + 1;

    inputBufPtr = (char *)malloc(msg->i.nbytes + 1);
    if (inputBufPtr == NULL)
        return (ENOMEM);   /* body was lost in the post; assumed, as in the stock QNX example */

    /* Here we print the data. This is a good example for the case
     * where you actually would like to do something with the data.
     * First check if our message buffer was large enough
     * to receive the whole write at once. If yes, print data. */

    /* ---- start of the highlighted section (the if branch the poster refers to below) ---- */
    if( (msg->i.nbytes <= ctp->info.msglen - ctp->offset - sizeof(msg->i)) &&
        (ctp->info.msglen < ctp->msg_max_size))  { // space for NUL byte

        inputBufPtr = (char *)(msg+1);

        // If I take out this section of code (if statement) then the program doesn't crash.. Not sure why ???
        printf("\r\nReceived %d bytes = '%s'\n", msg -> i.nbytes, inputBufPtr);

    }
    /* ---- end of the highlighted section ---- */
    else {

        /* If we did not receive the whole message because the
         * client wanted to send more than we could receive, we
         * allocate memory for all the data and use resmgr_msgread()
         * to read all the data at once. Although we did not receive
         * the data completely first, because our buffer was not big
         * enough, the data is still fully available on the client
         * side, because its write() call blocks until we return
         * from this callback! */

        resmgr_msgread( ctp, inputBufPtr, msg->i.nbytes, sizeof(msg->i));
    }

    inputBufPtr[msg->i.nbytes] = '\0';

    printf("\r\nReceived %d bytes = '%s'\n", msg -> i.nbytes, inputBufPtr);

    // Split parameters into separate strings
    splitString(inputBufPtr, paramArray);
    convertHexStringToInteger(&addr, paramArray[1]);
    convertHexStringToInteger(&para2, paramArray[2]);

    volatile U32* basePtr = FpgaResManager_CL::getInstance().getFpgaBasePtr();

    if((basePtr) == NULL) {
        dwi_logp(LogFpgaRM, Err, "Null base pointer got in FPGA resource manager");
        return Failed;
    }

    if (msg->i.nbytes > 0)
        ocb->attr->flags |= IOFUNC_ATTR_MTIME | IOFUNC_ATTR_CTIME;

    free(inputBufPtr); //crashes the program... ?

    return (_RESMGR_NPARTS (0));
}


If you see the printf “Received %d bytes…” then the variable inputBufPtr is changed from the malloc’d memory to point at msg[1].

msg is a pointer passed from the resource manager which should not be free()'d.

Thanks Maschoen.

But I am still confused, because there are 2 printf() statements in my function. If I comment out my highlighted red section, everything is fine. I can still free the memory without a problem.
My question is, I am still left with one more similar printf() statement after that if/else condition…
Why is it not causing a problem when I free the pointer at the end of the function?


I can’t teach you to program. My answer is no different from the first time. Read your code carefully. Read my first reply carefully. The answer is there. The problem has nothing to do with printf’s.

Of course all is fine when you comment out the highlighted section. Because in there, you do:

inputBufPtr = (char *)(msg+1);

You change the inputBufPtr to point into the message buffer that belongs to the resource manager framework in the OS library. Thus you are not freeing the memory you previously allocated with malloc, but some other memory that does not belong to you. That’s why it crashes, and that’s what maschoen told you. I told you the same, just using different words, in the hope this time you understand. ;-)
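To make the fix concrete, here is an added example that is not from the thread or from QNX: a stand-alone model of the io_write() buffer handling with the ownership mistake removed. The types ctx_t and write_hdr_t and the function msgread_stub() are constructed stand-ins for resmgr_context_t, io_write_t and resmgr_msgread(), and setup_write() builds a constructed "client wrote this" situation so that both the inline path and the resmgr_msgread() path can be exercised offline; none of these exist in the real framework. The one change that matters is in the inline branch: copy out of the framework's message buffer into the block you malloc'd instead of repointing inputBufPtr at it, so the free() at the end always gets the pointer malloc() returned.

```c
/* Added example (not from the thread): io_write() buffer handling with the
 * ownership bug fixed. ctx_t, write_hdr_t, msgread_stub() and setup_write()
 * are constructed stand-ins for the QNX resmgr types, not the real headers. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef EOK
#define EOK 0
#endif

/* Stand-in for the io_write_t header: only the field the handler needs. */
typedef struct {
    size_t nbytes;            /* bytes the client passed to write() */
} write_hdr_t;

/* Stand-in for resmgr_context_t. msgbuf plays the part of the receive
 * buffer that the resource-manager library owns: the header, then as much
 * of the client's data as fitted. The client stays blocked in write()
 * until the handler returns, so client_buf is still readable. */
typedef struct {
    size_t msglen;            /* bytes received into msgbuf (header + data) */
    size_t msg_max_size;      /* capacity of msgbuf */
    char   msgbuf[32];
    const char *client_buf;
} ctx_t;

/* Stand-in for resmgr_msgread(): copy nbytes of the message starting
 * `offset` bytes in (offset == header size skips the header). */
static int msgread_stub(const ctx_t *ctp, void *dst, size_t nbytes, size_t offset)
{
    memcpy(dst, ctp->client_buf + (offset - sizeof(write_hdr_t)), nbytes);
    return (int)nbytes;
}

/* Fill a constructed context as if the client wrote `data`: the framework
 * buffer gets the header plus whatever data fits behind it. */
void setup_write(ctx_t *ctp, const char *data)
{
    write_hdr_t hdr = { strlen(data) };
    size_t room, copied;

    ctp->msg_max_size = sizeof ctp->msgbuf;
    ctp->client_buf   = data;
    memcpy(ctp->msgbuf, &hdr, sizeof hdr);
    room   = ctp->msg_max_size - sizeof hdr;
    copied = hdr.nbytes < room ? hdr.nbytes : room;
    memcpy(ctp->msgbuf + sizeof hdr, data, copied);
    ctp->msglen = sizeof hdr + copied;
}

/* The handler. Copies the NUL-terminated payload into `received` (so a
 * caller can inspect it) and reports which path ran in *took_inline.
 * inputBufPtr is never repointed, so free() always gets malloc()'s block. */
int io_write_fixed(ctx_t *ctp, char *received, size_t received_cap, int *took_inline)
{
    write_hdr_t hdr;
    size_t nbytes;
    char *inputBufPtr;

    memcpy(&hdr, ctp->msgbuf, sizeof hdr);
    nbytes = hdr.nbytes;

    inputBufPtr = malloc(nbytes + 1);
    if (inputBufPtr == NULL)
        return ENOMEM;

    if (nbytes <= ctp->msglen - sizeof hdr && ctp->msglen < ctp->msg_max_size) {
        /* Whole write is sitting behind the header in the framework's buffer.
         * The posted code did `inputBufPtr = (char *)(msg + 1);` here, which
         * dropped the heap pointer and later handed the framework's memory to
         * free(). Copy out of the message buffer instead. */
        memcpy(inputBufPtr, ctp->msgbuf + sizeof hdr, nbytes);
        *took_inline = 1;
    } else {
        /* Not all of it arrived: fetch the rest from the still-blocked client. */
        msgread_stub(ctp, inputBufPtr, nbytes, sizeof hdr);
        *took_inline = 0;
    }
    inputBufPtr[nbytes] = '\0';

    /* parameter splitting would go here */
    snprintf(received, received_cap, "%s", inputBufPtr);

    free(inputBufPtr);        /* safe: still the pointer malloc() returned */
    return EOK;
}

int main(void)
{
    ctx_t ctp = {0};
    char out[64];
    int inl;

    setup_write(&ctp, "rd 0x10 0x4");                   /* fits inline */
    io_write_fixed(&ctp, out, sizeof out, &inl);
    printf("inline=%d received='%s'\n", inl, out);

    setup_write(&ctp, "wr 0xdeadbeef 0x12345678 0x01"); /* too big for msgbuf */
    io_write_fixed(&ctp, out, sizeof out, &inl);
    printf("inline=%d received='%s'\n", inl, out);
    return 0;
}
```

Two things this version also gets right that the posted code does not: the inline path no longer leaks the malloc'd block, and there is exactly one owner of the heap memory from malloc() to free(). If the real handler keeps early returns (such as the NULL base-pointer check), each of them needs to free inputBufPtr too, or the buffer leaks on that path.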


  • ThunderBlade