From 53efb85a242809ed5ed21e9ab40effa696ecbc6f Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Thu, 20 Feb 2014 10:23:46 -0500
Subject: [PATCH] Fix: miscellaneous memory handling fixes

Issues found with Valgrind:

- Uninitialized memory sent through sendmsg,
- Uninitialized realloc memory,
- Erroneous pointer arithmetic in jul_list_events(),
- Memory leaks in kernel_consumer_add_channel(),
  kernel_consumer_add_metadata(),
- Memory leak (snapshot_destroy missing hash table cleanup),
- Uninitialized poll/epoll memory on realloc.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: David Goulet <dgoulet@efficios.com>
---
 src/bin/lttng-consumerd/health-consumerd.c |  2 +-
 src/bin/lttng-relayd/health-relayd.c       |  2 +-
 src/bin/lttng-relayd/live.c                |  8 ++++
 src/bin/lttng-relayd/main.c                | 11 ++++++
 src/bin/lttng-sessiond/consumer.c          | 12 ++++--
 src/bin/lttng-sessiond/jul.c               | 31 +++++++++------
 src/bin/lttng-sessiond/kernel-consumer.c   |  8 +++-
 src/bin/lttng-sessiond/kernel.c            | 18 +++++----
 src/bin/lttng-sessiond/main.c              |  2 +-
 src/bin/lttng-sessiond/snapshot.c          |  2 +
 src/bin/lttng-sessiond/ust-app.c           | 44 ++++++++++++++--------
 src/bin/lttng-sessiond/ust-consumer.c      |  3 ++
 src/common/compat/compat-epoll.c           | 10 +++++
 src/common/compat/compat-poll.c            |  5 +++
 src/common/consumer-metadata-cache.c       |  9 +++--
 src/common/consumer.c                      |  2 +
 src/common/relayd/relayd.c                 | 10 +++++
 src/common/ust-consumer/ust-consumer.c     |  2 +
 src/lib/lttng-ctl/lttng-ctl-health.c       |  1 +
 src/lib/lttng-ctl/lttng-ctl.c              | 12 ++++++
 20 files changed, 148 insertions(+), 46 deletions(-)

diff --git a/src/bin/lttng-consumerd/health-consumerd.c b/src/bin/lttng-consumerd/health-consumerd.c
index 1b649baa9..d1478e54d 100644
--- a/src/bin/lttng-consumerd/health-consumerd.c
+++ b/src/bin/lttng-consumerd/health-consumerd.c
@@ -303,7 +303,7 @@ restart:
 
 		assert(msg.cmd == HEALTH_CMD_CHECK);
 
-		reply.ret_code = 0;
+		memset(&reply, 0, sizeof(reply));
 		for (i = 0; i < NR_HEALTH_CONSUMERD_TYPES; i++) {
 			/*
 			 * health_check_state return 0 if thread is in
diff --git a/src/bin/lttng-relayd/health-relayd.c b/src/bin/lttng-relayd/health-relayd.c
index 89b6402fa..8a5cbdfcb 100644
--- a/src/bin/lttng-relayd/health-relayd.c
+++ b/src/bin/lttng-relayd/health-relayd.c
@@ -368,7 +368,7 @@ restart:
 
 		assert(msg.cmd == HEALTH_CMD_CHECK);
 
-		reply.ret_code = 0;
+		memset(&reply, 0, sizeof(reply));
 		for (i = 0; i < NR_HEALTH_RELAYD_TYPES; i++) {
 			/*
 			 * health_check_state return 0 if thread is in
diff --git a/src/bin/lttng-relayd/live.c b/src/bin/lttng-relayd/live.c
index a720ed732..c60f7e4c9 100644
--- a/src/bin/lttng-relayd/live.c
+++ b/src/bin/lttng-relayd/live.c
@@ -931,6 +931,8 @@ int viewer_get_new_streams(struct relay_connection *conn)
 
 	health_code_update();
 
+	memset(&response, 0, sizeof(response));
+
 	rcu_read_lock();
 	session = session_find_by_id(conn->sessions_ht, session_id);
 	if (!session) {
@@ -1032,6 +1034,8 @@ int viewer_attach_session(struct relay_connection *conn)
 
 	health_code_update();
 
+	memset(&response, 0, sizeof(response));
+
 	if (!conn->viewer_session) {
 		DBG("Client trying to attach before creating a live viewer session");
 		response.status = htobe32(LTTNG_VIEWER_ATTACH_NO_SESSION);
@@ -1618,6 +1622,8 @@ int viewer_get_metadata(struct relay_connection *conn)
 	}
 	health_code_update();
 
+	memset(&reply, 0, sizeof(reply));
+
 	rcu_read_lock();
 	stream = viewer_stream_find_by_id(be64toh(request.stream_id));
 	if (!stream || !stream->metadata_flag) {
@@ -1718,6 +1724,7 @@ int viewer_create_session(struct relay_connection *conn)
 
 	DBG("Viewer create session received");
 
+	memset(&resp, 0, sizeof(resp));
 	resp.status = htobe32(LTTNG_VIEWER_CREATE_SESSION_OK);
 	conn->viewer_session = zmalloc(sizeof(*conn->viewer_session));
 	if (!conn->viewer_session) {
@@ -1749,6 +1756,7 @@ void live_relay_unknown_command(struct relay_connection *conn)
 {
 	struct lttcomm_relayd_generic_reply reply;
 
+	memset(&reply, 0, sizeof(reply));
 	reply.ret_code = htobe32(LTTNG_ERR_UNK);
 	(void) send_response(conn->sock, &reply, sizeof(reply));
 }
diff --git a/src/bin/lttng-relayd/main.c b/src/bin/lttng-relayd/main.c
index f6b23eb92..60b6bf221 100644
--- a/src/bin/lttng-relayd/main.c
+++ b/src/bin/lttng-relayd/main.c
@@ -1261,6 +1261,7 @@ int relay_add_stream(struct lttcomm_relayd_hdr *recv_hdr,
 			stream->stream_handle);
 
 end:
+	memset(&reply, 0, sizeof(reply));
 	reply.handle = htobe64(stream->stream_handle);
 	/* send the session id to the client or a negative return code on error */
 	if (ret < 0) {
@@ -1342,6 +1343,7 @@ int relay_close_stream(struct lttcomm_relayd_hdr *recv_hdr,
 end_unlock:
 	rcu_read_unlock();
 
+	memset(&reply, 0, sizeof(reply));
 	if (ret < 0) {
 		reply.ret_code = htobe32(LTTNG_ERR_UNK);
 	} else {
@@ -1367,6 +1369,7 @@ void relay_unknown_command(struct relay_connection *conn)
 	struct lttcomm_relayd_generic_reply reply;
 	int ret;
 
+	memset(&reply, 0, sizeof(reply));
 	reply.ret_code = htobe32(LTTNG_ERR_UNK);
 	ret = conn->sock->ops->sendmsg(conn->sock, &reply,
 			sizeof(struct lttcomm_relayd_generic_reply), 0);
@@ -1392,6 +1395,7 @@ int relay_start(struct lttcomm_relayd_hdr *recv_hdr,
 		ret = htobe32(LTTNG_ERR_UNK);
 	}
 
+	memset(&reply, 0, sizeof(reply));
 	reply.ret_code = ret;
 	ret = conn->sock->ops->sendmsg(conn->sock, &reply,
 			sizeof(struct lttcomm_relayd_generic_reply), 0);
@@ -1553,6 +1557,7 @@ int relay_send_version(struct lttcomm_relayd_hdr *recv_hdr,
 		goto end;
 	}
 
+	memset(&reply, 0, sizeof(reply));
 	reply.major = RELAYD_VERSION_COMM_MAJOR;
 	reply.minor = RELAYD_VERSION_COMM_MINOR;
 
@@ -1652,6 +1657,7 @@ int relay_data_pending(struct lttcomm_relayd_hdr *recv_hdr,
 end_unlock:
 	rcu_read_unlock();
 
+	memset(&reply, 0, sizeof(reply));
 	reply.ret_code = htobe32(ret);
 	ret = conn->sock->ops->sendmsg(conn->sock, &reply, sizeof(reply), 0);
 	if (ret < 0) {
@@ -1715,6 +1721,7 @@ int relay_quiescent_control(struct lttcomm_relayd_hdr *recv_hdr,
 	}
 	rcu_read_unlock();
 
+	memset(&reply, 0, sizeof(reply));
 	reply.ret_code = htobe32(LTTNG_OK);
 	ret = conn->sock->ops->sendmsg(conn->sock, &reply, sizeof(reply), 0);
 	if (ret < 0) {
@@ -1785,6 +1792,7 @@ int relay_begin_data_pending(struct lttcomm_relayd_hdr *recv_hdr,
 	}
 	rcu_read_unlock();
 
+	memset(&reply, 0, sizeof(reply));
 	/* All good, send back reply. */
 	reply.ret_code = htobe32(LTTNG_OK);
 
@@ -1858,6 +1866,7 @@ int relay_end_data_pending(struct lttcomm_relayd_hdr *recv_hdr,
 	}
 	rcu_read_unlock();
 
+	memset(&reply, 0, sizeof(reply));
 	/* All good, send back reply. */
 	reply.ret_code = htobe32(is_data_inflight);
 
@@ -1976,6 +1985,7 @@ int relay_recv_index(struct lttcomm_relayd_hdr *recv_hdr,
 end_rcu_unlock:
 	rcu_read_unlock();
 
+	memset(&reply, 0, sizeof(reply));
 	if (ret < 0) {
 		reply.ret_code = htobe32(LTTNG_ERR_UNK);
 	} else {
@@ -2026,6 +2036,7 @@ int relay_streams_sent(struct lttcomm_relayd_hdr *recv_hdr,
 		uatomic_set(&conn->session->new_streams, 1);
 	}
 
+	memset(&reply, 0, sizeof(reply));
 	reply.ret_code = htobe32(LTTNG_OK);
 	send_ret = conn->sock->ops->sendmsg(conn->sock, &reply, sizeof(reply), 0);
 	if (send_ret < 0) {
diff --git a/src/bin/lttng-sessiond/consumer.c b/src/bin/lttng-sessiond/consumer.c
index 8806e9c32..ce3e5da9a 100644
--- a/src/bin/lttng-sessiond/consumer.c
+++ b/src/bin/lttng-sessiond/consumer.c
@@ -207,6 +207,7 @@ int consumer_send_destroy_relayd(struct consumer_socket *sock,
 
 	DBG2("Sending destroy relayd command to consumer sock %d", *sock->fd_ptr);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd_type = LTTNG_CONSUMER_DESTROY_RELAYD;
 	msg.u.destroy_relayd.net_seq_idx = consumer->net_seq_index;
 
@@ -965,6 +966,7 @@ int consumer_send_relayd_socket(struct consumer_socket *consumer_sock,
 	assert(consumer);
 	assert(consumer_sock);
 
+	memset(&msg, 0, sizeof(msg));
 	/* Bail out if consumer is disabled */
 	if (!consumer->enabled) {
 		ret = LTTNG_OK;
@@ -1078,12 +1080,12 @@ int consumer_is_data_pending(uint64_t session_id,
 
 	assert(consumer);
 
-	msg.cmd_type = LTTNG_CONSUMER_DATA_PENDING;
+	DBG3("Consumer data pending for id %" PRIu64, session_id);
 
+	memset(&msg, 0, sizeof(msg));
+	msg.cmd_type = LTTNG_CONSUMER_DATA_PENDING;
 	msg.u.data_pending.session_id = session_id;
 
-	DBG3("Consumer data pending for id %" PRIu64, session_id);
-
 	/* Send command for each consumer */
 	rcu_read_lock();
 	cds_lfht_for_each_entry(consumer->socks->ht, &iter.iter, socket,
@@ -1136,6 +1138,7 @@ int consumer_flush_channel(struct consumer_socket *socket, uint64_t key)
 
 	DBG2("Consumer flush channel key %" PRIu64, key);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd_type = LTTNG_CONSUMER_FLUSH_CHANNEL;
 	msg.u.flush_channel.key = key;
 
@@ -1168,6 +1171,7 @@ int consumer_close_metadata(struct consumer_socket *socket,
 
 	DBG2("Consumer close metadata channel key %" PRIu64, metadata_key);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd_type = LTTNG_CONSUMER_CLOSE_METADATA;
 	msg.u.close_metadata.key = metadata_key;
 
@@ -1200,6 +1204,7 @@ int consumer_setup_metadata(struct consumer_socket *socket,
 
 	DBG2("Consumer setup metadata channel key %" PRIu64, metadata_key);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd_type = LTTNG_CONSUMER_SETUP_METADATA;
 	msg.u.setup_metadata.key = metadata_key;
 
@@ -1233,6 +1238,7 @@ int consumer_push_metadata(struct consumer_socket *socket,
 
 	DBG2("Consumer push metadata to consumer socket %d", *socket->fd_ptr);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd_type = LTTNG_CONSUMER_PUSH_METADATA;
 	msg.u.push_metadata.key = metadata_key;
 	msg.u.push_metadata.target_offset = target_offset;
diff --git a/src/bin/lttng-sessiond/jul.c b/src/bin/lttng-sessiond/jul.c
index 7b603cf25..3c251998e 100644
--- a/src/bin/lttng-sessiond/jul.c
+++ b/src/bin/lttng-sessiond/jul.c
@@ -67,6 +67,7 @@ static int send_header(struct lttcomm_sock *sock, uint64_t data_size,
 
 	assert(sock);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.data_size = htobe64(data_size);
 	msg.cmd = htobe32(cmd);
 	msg.cmd_version = htobe32(cmd_version);
@@ -248,6 +249,7 @@ static int enable_event(struct jul_app *app, struct jul_event *event)
 		goto error_io;
 	}
 
+	memset(&msg, 0, sizeof(msg));
 	msg.loglevel = event->loglevel;
 	msg.loglevel_type = event->loglevel_type;
 	strncpy(msg.name, event->name, sizeof(msg.name));
@@ -309,6 +311,7 @@ static int disable_event(struct jul_app *app, struct jul_event *event)
 		goto error_io;
 	}
 
+	memset(&msg, 0, sizeof(msg));
 	strncpy(msg.name, event->name, sizeof(msg.name));
 	ret = send_payload(app->sock, &msg, sizeof(msg));
 	if (ret < 0) {
@@ -443,24 +446,30 @@ int jul_list_events(struct lttng_event **events)
 			goto error_unlock;
 		}
 
-		if (count >= nbmem) {
+		if (count + nb_ev > nbmem) {
 			/* In case the realloc fails, we free the memory */
-			void *ptr;
-
-			DBG2("Reallocating JUL event list from %zu to %zu entries", nbmem,
-					2 * nbmem);
-			nbmem *= 2;
-			ptr = realloc(tmp_events, nbmem * sizeof(*tmp_events));
-			if (!ptr) {
+			struct lttng_event *new_tmp_events;
+			size_t new_nbmem;
+
+			new_nbmem = max_t(size_t, count + nb_ev, nbmem << 1);
+			DBG2("Reallocating JUL event list from %zu to %zu entries",
+					nbmem, new_nbmem);
+			new_tmp_events = realloc(tmp_events,
+				new_nbmem * sizeof(*new_tmp_events));
+			if (!new_tmp_events) {
 				PERROR("realloc JUL events");
 				ret = -ENOMEM;
 				free(jul_events);
 				goto error_unlock;
 			}
-			tmp_events = ptr;
+			/* Zero the new memory */
+			memset(new_tmp_events + nbmem, 0,
+				(new_nbmem - nbmem) * sizeof(*new_tmp_events));
+			nbmem = new_nbmem;
+			tmp_events = new_tmp_events;
 		}
-		memcpy(tmp_events + (count * sizeof(*tmp_events)), jul_events,
-				nb_ev * sizeof(*tmp_events));
+		memcpy(tmp_events + count, jul_events,
+			nb_ev * sizeof(*tmp_events));
 		free(jul_events);
 		count += nb_ev;
 	}
diff --git a/src/bin/lttng-sessiond/kernel-consumer.c b/src/bin/lttng-sessiond/kernel-consumer.c
index 415361274..38820af38 100644
--- a/src/bin/lttng-sessiond/kernel-consumer.c
+++ b/src/bin/lttng-sessiond/kernel-consumer.c
@@ -105,7 +105,7 @@ int kernel_consumer_add_channel(struct consumer_socket *sock,
 		}
 	} else {
 		/* Empty path. */
-		pathname = "";
+		pathname = strdup("");
 	}
 
 	/* Prep channel message structure */
@@ -136,6 +136,7 @@ int kernel_consumer_add_channel(struct consumer_socket *sock,
 	health_code_update();
 
 error:
+	free(pathname);
 	return ret;
 }
 
@@ -168,7 +169,7 @@ int kernel_consumer_add_metadata(struct consumer_socket *sock,
 		}
 	} else {
 		/* Empty path. */
-		pathname = "";
+		pathname = strdup("");
 	}
 
 	/* Prep channel message structure */
@@ -215,6 +216,7 @@ int kernel_consumer_add_metadata(struct consumer_socket *sock,
 	health_code_update();
 
 error:
+	free(pathname);
 	return ret;
 }
 
@@ -419,6 +421,7 @@ int kernel_consumer_destroy_channel(struct consumer_socket *socket,
 
 	DBG("Sending kernel consumer destroy channel key %d", channel->fd);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd_type = LTTNG_CONSUMER_DESTROY_CHANNEL;
 	msg.u.destroy_channel.key = channel->fd;
 
@@ -447,6 +450,7 @@ int kernel_consumer_destroy_metadata(struct consumer_socket *socket,
 
 	DBG("Sending kernel consumer destroy channel key %d", metadata->fd);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd_type = LTTNG_CONSUMER_DESTROY_CHANNEL;
 	msg.u.destroy_channel.key = metadata->fd;
 
diff --git a/src/bin/lttng-sessiond/kernel.c b/src/bin/lttng-sessiond/kernel.c
index 9e7826808..b6b24a5a2 100644
--- a/src/bin/lttng-sessiond/kernel.c
+++ b/src/bin/lttng-sessiond/kernel.c
@@ -602,7 +602,7 @@ error:
  */
 ssize_t kernel_list_events(int tracer_fd, struct lttng_event **events)
 {
-	int fd, pos, ret;
+	int fd, ret;
 	char *event;
 	size_t nbmem, count = 0;
 	FILE *fp;
@@ -634,15 +634,15 @@ ssize_t kernel_list_events(int tracer_fd, struct lttng_event **events)
 		goto end;
 	}
 
-	while (fscanf(fp, "event { name = %m[^;]; };%n\n", &event, &pos) == 1) {
+	while (fscanf(fp, "event { name = %m[^;]; };\n", &event) == 1) {
 		if (count >= nbmem) {
 			struct lttng_event *new_elist;
+			size_t new_nbmem;
 
-			DBG("Reallocating event list from %zu to %zu bytes", nbmem,
-					nbmem * 2);
-			/* Double the size */
-			nbmem <<= 1;
-			new_elist = realloc(elist, nbmem * sizeof(struct lttng_event));
+			new_nbmem = nbmem << 1;
+			DBG("Reallocating event list from %zu to %zu bytes",
+					nbmem, new_nbmem);
+			new_elist = realloc(elist, new_nbmem * sizeof(struct lttng_event));
 			if (new_elist == NULL) {
 				PERROR("realloc list events");
 				free(event);
@@ -650,6 +650,10 @@ ssize_t kernel_list_events(int tracer_fd, struct lttng_event **events)
 				count = -ENOMEM;
 				goto end;
 			}
+			/* Zero the new memory */
+			memset(new_elist + nbmem, 0,
+				(new_nbmem - nbmem) * sizeof(struct lttng_event));
+			nbmem = new_nbmem;
 			elist = new_elist;
 		}
 		strncpy(elist[count].name, event, LTTNG_SYMBOL_NAME_LEN);
diff --git a/src/bin/lttng-sessiond/main.c b/src/bin/lttng-sessiond/main.c
index c3f564dce..f0aaf73b0 100644
--- a/src/bin/lttng-sessiond/main.c
+++ b/src/bin/lttng-sessiond/main.c
@@ -3734,7 +3734,7 @@ restart:
 
 		rcu_thread_online();
 
-		reply.ret_code = 0;
+		memset(&reply, 0, sizeof(reply));
 		for (i = 0; i < NR_HEALTH_SESSIOND_TYPES; i++) {
 			/*
 			 * health_check_state returns 0 if health is
diff --git a/src/bin/lttng-sessiond/snapshot.c b/src/bin/lttng-sessiond/snapshot.c
index 6b1aa8db1..8faf9a76a 100644
--- a/src/bin/lttng-sessiond/snapshot.c
+++ b/src/bin/lttng-sessiond/snapshot.c
@@ -24,6 +24,7 @@
 #include <common/defaults.h>
 
 #include "snapshot.h"
+#include "utils.h"
 
 /*
  * Return the atomically incremented value of next_output_id.
@@ -321,4 +322,5 @@ void snapshot_destroy(struct snapshot *obj)
 		snapshot_output_destroy(output);
 	}
 	rcu_read_unlock();
+	ht_cleanup_push(obj->output_ht);
 }
diff --git a/src/bin/lttng-sessiond/ust-app.c b/src/bin/lttng-sessiond/ust-app.c
index 34d4c9b15..c32bf2b68 100644
--- a/src/bin/lttng-sessiond/ust-app.c
+++ b/src/bin/lttng-sessiond/ust-app.c
@@ -3144,19 +3144,25 @@ int ust_app_list_events(struct lttng_event **events)
 			health_code_update();
 			if (count >= nbmem) {
 				/* In case the realloc fails, we free the memory */
-				void *ptr;
-
-				DBG2("Reallocating event list from %zu to %zu entries", nbmem,
-						2 * nbmem);
-				nbmem *= 2;
-				ptr = realloc(tmp_event, nbmem * sizeof(struct lttng_event));
-				if (ptr == NULL) {
+				struct lttng_event *new_tmp_event;
+				size_t new_nbmem;
+
+				new_nbmem = nbmem << 1;
+				DBG2("Reallocating event list from %zu to %zu entries",
+						nbmem, new_nbmem);
+				new_tmp_event = realloc(tmp_event,
+					new_nbmem * sizeof(struct lttng_event));
+				if (new_tmp_event == NULL) {
 					PERROR("realloc ust app events");
 					free(tmp_event);
 					ret = -ENOMEM;
 					goto rcu_error;
 				}
-				tmp_event = ptr;
+				/* Zero the new memory */
+				memset(new_tmp_event + nbmem, 0,
+					(new_nbmem - nbmem) * sizeof(struct lttng_event));
+				nbmem = new_nbmem;
+				tmp_event = new_tmp_event;
 			}
 			memcpy(tmp_event[count].name, uiter.name, LTTNG_UST_SYM_NAME_LEN);
 			tmp_event[count].loglevel = uiter.loglevel;
@@ -3244,19 +3250,25 @@ int ust_app_list_event_fields(struct lttng_event_field **fields)
 			health_code_update();
 			if (count >= nbmem) {
 				/* In case the realloc fails, we free the memory */
-				void *ptr;
-
-				DBG2("Reallocating event field list from %zu to %zu entries", nbmem,
-						2 * nbmem);
-				nbmem *= 2;
-				ptr = realloc(tmp_event, nbmem * sizeof(struct lttng_event_field));
-				if (ptr == NULL) {
+				struct lttng_event_field *new_tmp_event;
+				size_t new_nbmem;
+
+				new_nbmem = nbmem << 1;
+				DBG2("Reallocating event field list from %zu to %zu entries",
+						nbmem, new_nbmem);
+				new_tmp_event = realloc(tmp_event,
+					new_nbmem * sizeof(struct lttng_event_field));
+				if (new_tmp_event == NULL) {
 					PERROR("realloc ust app event fields");
 					free(tmp_event);
 					ret = -ENOMEM;
 					goto rcu_error;
 				}
-				tmp_event = ptr;
+				/* Zero the new memory */
+				memset(new_tmp_event + nbmem, 0,
+					(new_nbmem - nbmem) * sizeof(struct lttng_event_field));
+				nbmem = new_nbmem;
+				tmp_event = new_tmp_event;
 			}
 
 			memcpy(tmp_event[count].field_name, uiter.field_name, LTTNG_UST_SYM_NAME_LEN);
diff --git a/src/bin/lttng-sessiond/ust-consumer.c b/src/bin/lttng-sessiond/ust-consumer.c
index b0a52b33a..9715c426f 100644
--- a/src/bin/lttng-sessiond/ust-consumer.c
+++ b/src/bin/lttng-sessiond/ust-consumer.c
@@ -250,6 +250,7 @@ int ust_consumer_get_channel(struct consumer_socket *socket,
 	assert(ua_chan);
 	assert(socket);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd_type = LTTNG_CONSUMER_GET_CHANNEL;
 	msg.u.get_channel.key = ua_chan->key;
 
@@ -344,6 +345,7 @@ int ust_consumer_destroy_channel(struct consumer_socket *socket,
 	assert(ua_chan);
 	assert(socket);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd_type = LTTNG_CONSUMER_DESTROY_CHANNEL;
 	msg.u.destroy_channel.key = ua_chan->key;
 
@@ -469,6 +471,7 @@ int ust_consumer_metadata_request(struct consumer_socket *socket)
 			DBG("PID registry not found for session id %" PRIu64,
 					request.session_id_per_pid);
 
+			memset(&msg, 0, sizeof(msg));
 			msg.cmd_type = LTTNG_ERR_UND;
 			(void) consumer_send_msg(socket, &msg);
 			/*
diff --git a/src/common/compat/compat-epoll.c b/src/common/compat/compat-epoll.c
index 25c995504..ecd09a092 100644
--- a/src/common/compat/compat-epoll.c
+++ b/src/common/compat/compat-epoll.c
@@ -51,6 +51,11 @@ static int resize_poll_event(struct lttng_poll_event *events,
 		PERROR("realloc epoll add");
 		goto error;
 	}
+	if (new_size > events->alloc_size) {
+		/* Zero newly allocated memory */
+		memset(ptr + events->alloc_size, 0,
+			(new_size - events->alloc_size) * sizeof(*ptr));
+	}
 	events->events = ptr;
 	events->alloc_size = new_size;
 
@@ -119,6 +124,11 @@ int compat_epoll_add(struct lttng_poll_event *events, int fd, uint32_t req_event
 		goto error;
 	}
 
+	/*
+	 * Zero struct epoll_event to ensure all representations of its
+	 * union are zeroed.
+	 */
+	memset(&ev, 0, sizeof(ev));
 	ev.events = req_events;
 	ev.data.fd = fd;
 
diff --git a/src/common/compat/compat-poll.c b/src/common/compat/compat-poll.c
index 79fcb7d65..4893768a0 100644
--- a/src/common/compat/compat-poll.c
+++ b/src/common/compat/compat-poll.c
@@ -52,6 +52,11 @@ static int resize_poll_event(struct compat_poll_event_array *array,
 		PERROR("realloc epoll add");
 		goto error;
 	}
+	if (new_size > array->alloc_size) {
+		/* Zero newly allocated memory */
+		memset(ptr + array->alloc_size, 0,
+			(new_size - array->alloc_size) * sizeof(*ptr));
+	}
 	array->events = ptr;
 	array->alloc_size = new_size;
 
diff --git a/src/common/consumer-metadata-cache.c b/src/common/consumer-metadata-cache.c
index d8f5001f8..0f086fe96 100644
--- a/src/common/consumer-metadata-cache.c
+++ b/src/common/consumer-metadata-cache.c
@@ -46,14 +46,13 @@ static int extend_metadata_cache(struct lttng_consumer_channel *channel,
 {
 	int ret = 0;
 	char *tmp_data_ptr;
-	unsigned int new_size;
+	unsigned int new_size, old_size;
 
 	assert(channel);
 	assert(channel->metadata_cache);
 
-	new_size = max_t(unsigned int,
-			channel->metadata_cache->cache_alloc_size + size,
-			channel->metadata_cache->cache_alloc_size << 1);
+	old_size = channel->metadata_cache->cache_alloc_size;
+	new_size = max_t(unsigned int, old_size + size, old_size << 1);
 	DBG("Extending metadata cache to %u", new_size);
 	tmp_data_ptr = realloc(channel->metadata_cache->data, new_size);
 	if (!tmp_data_ptr) {
@@ -62,6 +61,8 @@ static int extend_metadata_cache(struct lttng_consumer_channel *channel,
 		ret = -1;
 		goto end;
 	}
+	/* Zero newly allocated memory */
+	memset(tmp_data_ptr + old_size, 0, new_size - old_size);
 	channel->metadata_cache->data = tmp_data_ptr;
 	channel->metadata_cache->cache_alloc_size = new_size;
 
diff --git a/src/common/consumer.c b/src/common/consumer.c
index 821a04e3d..c842de935 100644
--- a/src/common/consumer.c
+++ b/src/common/consumer.c
@@ -3613,6 +3613,7 @@ int consumer_send_status_msg(int sock, int ret_code)
 {
 	struct lttcomm_consumer_status_msg msg;
 
+	memset(&msg, 0, sizeof(msg));
 	msg.ret_code = ret_code;
 
 	return lttcomm_send_unix_sock(sock, &msg, sizeof(msg));
@@ -3630,6 +3631,7 @@ int consumer_send_status_channel(int sock,
 
 	assert(sock >= 0);
 
+	memset(&msg, 0, sizeof(msg));
 	if (!channel) {
 		msg.ret_code = LTTCOMM_CONSUMERD_CHANNEL_FAIL;
 	} else {
diff --git a/src/common/relayd/relayd.c b/src/common/relayd/relayd.c
index ccb23c065..3de19c280 100644
--- a/src/common/relayd/relayd.c
+++ b/src/common/relayd/relayd.c
@@ -57,6 +57,7 @@ static int send_command(struct lttcomm_relayd_sock *rsock,
 		goto alloc_error;
 	}
 
+	memset(&header, 0, sizeof(header));
 	header.cmd = htobe32(cmd);
 	header.data_size = htobe64(size);
 
@@ -244,6 +245,7 @@ int relayd_add_stream(struct lttcomm_relayd_sock *rsock, const char *channel_nam
 
 	/* Compat with relayd 2.1 */
 	if (rsock->minor == 1) {
+		memset(&msg, 0, sizeof(msg));
 		strncpy(msg.channel_name, channel_name, sizeof(msg.channel_name));
 		strncpy(msg.pathname, pathname, sizeof(msg.pathname));
 
@@ -253,6 +255,7 @@ int relayd_add_stream(struct lttcomm_relayd_sock *rsock, const char *channel_nam
 			goto error;
 		}
 	} else {
+		memset(&msg_2_2, 0, sizeof(msg_2_2));
 		/* Compat with relayd 2.2+ */
 		strncpy(msg_2_2.channel_name, channel_name, sizeof(msg_2_2.channel_name));
 		strncpy(msg_2_2.pathname, pathname, sizeof(msg_2_2.pathname));
@@ -364,6 +367,7 @@ int relayd_version_check(struct lttcomm_relayd_sock *rsock)
 	DBG("Relayd version check for major.minor %u.%u", rsock->major,
 			rsock->minor);
 
+	memset(&msg, 0, sizeof(msg));
 	/* Prepare network byte order before transmission. */
 	msg.major = htobe32(rsock->major);
 	msg.minor = htobe32(rsock->minor);
@@ -565,6 +569,7 @@ int relayd_send_close_stream(struct lttcomm_relayd_sock *rsock, uint64_t stream_
 
 	DBG("Relayd closing stream id %" PRIu64, stream_id);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.stream_id = htobe64(stream_id);
 	msg.last_net_seq_num = htobe64(last_net_seq_num);
 
@@ -614,6 +619,7 @@ int relayd_data_pending(struct lttcomm_relayd_sock *rsock, uint64_t stream_id,
 
 	DBG("Relayd data pending for stream id %" PRIu64, stream_id);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.stream_id = htobe64(stream_id);
 	msg.last_net_seq_num = htobe64(last_net_seq_num);
 
@@ -662,6 +668,7 @@ int relayd_quiescent_control(struct lttcomm_relayd_sock *rsock,
 
 	DBG("Relayd checking quiescent control state");
 
+	memset(&msg, 0, sizeof(msg));
 	msg.stream_id = htobe64(metadata_stream_id);
 
 	/* Send command */
@@ -706,6 +713,7 @@ int relayd_begin_data_pending(struct lttcomm_relayd_sock *rsock, uint64_t id)
 
 	DBG("Relayd begin data pending");
 
+	memset(&msg, 0, sizeof(msg));
 	msg.session_id = htobe64(id);
 
 	/* Send command */
@@ -753,6 +761,7 @@ int relayd_end_data_pending(struct lttcomm_relayd_sock *rsock, uint64_t id,
 
 	DBG("Relayd end data pending");
 
+	memset(&msg, 0, sizeof(msg));
 	msg.session_id = htobe64(id);
 
 	/* Send command */
@@ -805,6 +814,7 @@ int relayd_send_index(struct lttcomm_relayd_sock *rsock,
 
 	DBG("Relayd sending index for stream ID %" PRIu64, relay_stream_id);
 
+	memset(&msg, 0, sizeof(msg));
 	msg.relay_stream_id = htobe64(relay_stream_id);
 	msg.net_seq_num = htobe64(net_seq_num);
 
diff --git a/src/common/ust-consumer/ust-consumer.c b/src/common/ust-consumer/ust-consumer.c
index b48a3c821..07073260f 100644
--- a/src/common/ust-consumer/ust-consumer.c
+++ b/src/common/ust-consumer/ust-consumer.c
@@ -2212,6 +2212,8 @@ int lttng_ustconsumer_request_metadata(struct lttng_consumer_local_data *ctx,
 	assert(channel);
 	assert(channel->metadata_cache);
 
+	memset(&request, 0, sizeof(request));
+
 	/* send the metadata request to sessiond */
 	switch (consumer_data.type) {
 	case LTTNG_CONSUMER64_UST:
diff --git a/src/lib/lttng-ctl/lttng-ctl-health.c b/src/lib/lttng-ctl/lttng-ctl-health.c
index c78e0dcd9..ba9aac05a 100644
--- a/src/lib/lttng-ctl/lttng-ctl-health.c
+++ b/src/lib/lttng-ctl/lttng-ctl-health.c
@@ -272,6 +272,7 @@ retry:
 		goto error;
 	}
 
+	memset(&msg, 0, sizeof(msg));
 	msg.cmd = HEALTH_CMD_CHECK;
 
 	ret = lttcomm_send_unix_sock(sock, (void *)&msg, sizeof(msg));
diff --git a/src/lib/lttng-ctl/lttng-ctl.c b/src/lib/lttng-ctl/lttng-ctl.c
index 7d06c7a0c..94f075b46 100644
--- a/src/lib/lttng-ctl/lttng-ctl.c
+++ b/src/lib/lttng-ctl/lttng-ctl.c
@@ -520,6 +520,7 @@ int lttng_register_consumer(struct lttng_handle *handle,
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_REGISTER_CONSUMER;
 	lttng_ctl_copy_string(lsm.session.name, handle->session_name,
 			sizeof(lsm.session.name));
@@ -542,6 +543,7 @@ int lttng_start_tracing(const char *session_name)
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_START_TRACE;
 
 	lttng_ctl_copy_string(lsm.session.name, session_name,
@@ -562,6 +564,7 @@ static int _lttng_stop_tracing(const char *session_name, int wait)
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_STOP_TRACE;
 
 	lttng_ctl_copy_string(lsm.session.name, session_name,
@@ -1004,6 +1007,7 @@ int lttng_list_tracepoints(struct lttng_handle *handle,
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_LIST_TRACEPOINTS;
 	lttng_ctl_copy_lttng_domain(&lsm.domain, &handle->domain);
 
@@ -1031,6 +1035,7 @@ int lttng_list_tracepoint_fields(struct lttng_handle *handle,
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_LIST_TRACEPOINT_FIELDS;
 	lttng_ctl_copy_lttng_domain(&lsm.domain, &handle->domain);
 
@@ -1099,6 +1104,7 @@ int lttng_destroy_session(const char *session_name)
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_DESTROY_SESSION;
 
 	lttng_ctl_copy_string(lsm.session.name, session_name,
@@ -1118,6 +1124,7 @@ int lttng_list_sessions(struct lttng_session **sessions)
 	int ret;
 	struct lttcomm_session_msg lsm;
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_LIST_SESSIONS;
 	ret = lttng_ctl_ask_sessiond(&lsm, (void**) sessions);
 	if (ret < 0) {
@@ -1143,6 +1150,7 @@ int lttng_list_domains(const char *session_name,
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_LIST_DOMAINS;
 
 	lttng_ctl_copy_string(lsm.session.name, session_name,
@@ -1172,6 +1180,7 @@ int lttng_list_channels(struct lttng_handle *handle,
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_LIST_CHANNELS;
 	lttng_ctl_copy_string(lsm.session.name, handle->session_name,
 			sizeof(lsm.session.name));
@@ -1203,6 +1212,7 @@ int lttng_list_events(struct lttng_handle *handle,
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_LIST_EVENTS;
 	lttng_ctl_copy_string(lsm.session.name, handle->session_name,
 			sizeof(lsm.session.name));
@@ -1250,6 +1260,7 @@ int lttng_calibrate(struct lttng_handle *handle,
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_CALIBRATE;
 	lttng_ctl_copy_lttng_domain(&lsm.domain, &handle->domain);
 
@@ -1480,6 +1491,7 @@ int lttng_data_pending(const char *session_name)
 		return -LTTNG_ERR_INVALID;
 	}
 
+	memset(&lsm, 0, sizeof(lsm));
 	lsm.cmd_type = LTTNG_DATA_PENDING;
 
 	lttng_ctl_copy_string(lsm.session.name, session_name,
-- 
2.34.1