
Re: cfservd - Segfaults Almost Solved


From: Mark . Burgess
Subject: Re: cfservd - Segfaults Almost Solved
Date: Thu, 8 Apr 2004 11:07:27 +0200 (MEST)

Thanks for this information. The correct resolution to this problem
is to test whether last is NULL.

The double free has been found and fixed.
I enclose a patched item-ext to 2.1.4 for convenience.

Do let me know whether this solves your problem with segfaulting.
thanks!

Mark

On  7 Apr, Ned Ludd wrote:
> Lance, Kurt.
> 
> It looks like 'last' is NULL on line 709 last->next = ip->next; I would
> assume (not checked) that the code is supposed to have a last = (some
> type) malloc(sizeof(last/last[0])) thing going on elsewhere. I think
> this is the reason for the constant segfaults. Some other debugging
> appears to also show it to be a double free, but I don't have that debug
> info handy. Anyway I have included what I think should be enough info
> for the author to take a closer look and hopefully release an updated
> version. If additional debugging information or a core file is needed
> they can be provided upon request.
> 
> eagle root # uname -a
> Linux eagle 2.4.23-grsec-1.9.13 #1 Mon Dec 1 22:35:09 UTC 2003 i686
> Pentium III (Coppermine) GenuineIntel GNU/Linux
> 
> eagle root # file `which cfservd`
> /usr/sbin/cfservd: ELF 32-bit LSB executable, Intel 80386, version 1
> (SYSV), for GNU/Linux 2.4.1, dynamically linked (uses shared libs), not
> stripped
> 
> eagle root # gcc --version
> gcc (GCC) 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)
> 
> eagle root # ld -v
> GNU ld version 2.14.90.0.7 20031029
> 
> glibc-2.3.2-r9  without nls, nptl 
> 
> cfengine-2.1.3
> 
> ------------------------------------------------------------------------
> strace output
> ------------------------------------------------------------------------
> 
> [26b73211] select(6, [5], NULL, NULL, NULL) = 1 (in [5])
> [26a35a58] accept(5, {sin_family=AF_INET, sin_port=htons(54682),
> sin_addr=inet_addr("204.225.92.140")}}, [16]) = 3
> [26b344cd] time(NULL)                   = 1081386441
> [26ac8df4] rt_sigprocmask(SIG_SETMASK, NULL, [RTMIN], 8) = 0
> [26a357cb] write(6,
> "\240\200\243&\0\0\0\0\300\21\16\10`\313\4\10X\0\24\10\0"..., 148) = 148
> [26ac8df4] rt_sigprocmask(SIG_SETMASK, NULL, [RTMIN], 8) = 0
> [26a32854] rt_sigsuspend([] <unfinished ...>
> [26a32854] --- SIGRTMIN (Unknown signal 32) ---
> [26a321f0] <... rt_sigsuspend resumed> ) = -1 EINTR (Interrupted system
> call)
> [26ac8d70] sigreturn()                  = ? (mask now [RTMIN])
> [26b6b8a1] stat64("/var/cfengine/inputs/cfservd.conf",
> {st_dev=makedev(8, 2), st_ino=1629188, st_mode=S_IFREG|0644, st_nlink=1,
> st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=800,
> st_atime=2004/04/08-01:01:40, st_mtime=2004/04/08-01:01:14,
> st_ctime=2004/04/08-01:01:14}) = 0
> [26b73211] select(6, [5], NULL, NULL, NULL) = 1 (in [5])
> [26a35a58] accept(5, {sin_family=AF_INET, sin_port=htons(53690),
> sin_addr=inet_addr("198.63.211.235")}}, [16]) = 7
> [26b344cd] time(NULL)                   = 1081386441
> [26ac8df4] rt_sigprocmask(SIG_SETMASK, NULL, [RTMIN], 8) = 0
> [26a32854] rt_sigsuspend([] <unfinished ...>
> [26a32854] --- SIGRTMIN (Unknown signal 32) ---
> [26a321f0] <... rt_sigsuspend resumed> ) = -1 EINTR (Interrupted system
> call)
> [26ac8d70] sigreturn()                  = ? (mask now [RTMIN])
> [26ac8df4] rt_sigprocmask(SIG_SETMASK, NULL, [RTMIN], 8) = 0
> [26a357cb] write(6,
> "\240\200\243&\0\0\0\0\300\21\16\10`\313\4\10\200\371\25"..., 148) = 148
> [26ac8df4] rt_sigprocmask(SIG_SETMASK, NULL, [RTMIN], 8) = 0
> [26a32854] rt_sigsuspend([] <unfinished ...>
> [26a32854] --- SIGRTMIN (Unknown signal 32) ---
> [26a321f0] <... rt_sigsuspend resumed> ) = -1 EINTR (Interrupted system
> call)
> [26ac8d70] sigreturn()                  = ? (mask now [RTMIN])
> [26b73211] select(6, [5], NULL, NULL, NULL) = 1 (in [5])
> [26a35a58] accept(5, {sin_family=AF_INET, sin_port=htons(48041),
> sin_addr=inet_addr("204.225.92.140")}}, [16]) = 3
> [26b344cd] time(NULL)                   = 1081386442
> [26ac8df4] rt_sigprocmask(SIG_SETMASK, NULL, [RTMIN], 8) = 0
> [26a357cb] write(6,
> "\240\200\243&\0\0\0\0\300\21\16\10`\313\4\10\200\371\25"..., 148) = 148
> [26ac8df4] rt_sigprocmask(SIG_SETMASK, NULL, [RTMIN], 8) = 0
> [26a32854] rt_sigsuspend([] <unfinished ...>
> [26a32854] --- SIGSEGV (Segmentation fault) ---
> 
> ------------------------------------------------------------------------
> gdb debugging info
> ------------------------------------------------------------------------
> 
> (gdb) backtrace main 
> #0  0x08069128 in DeleteItemGeneral (list=0x809cbc8, string=0x2c700cb0
> "134.68.220.74", type=regexComplete) at item-ext.c:709
> #1  0x080693e1 in DeleteItemMatching (list=0x2c702e38, string=0x2c702e38
> "") at item-ext.c:769
> #2  0x08051d9e in DeleteConn (conn=0x2c700490) at cfservd.c:3245
> #3  0x0804cc5c in HandleConnection (conn=0x2c700490) at cfservd.c:1118
> #4  0x2c14b060 in pthread_detach () from /lib/libpthread.so.0
> #5  0x2c294bfa in clone () from /lib/libc.so.6
> 
> (gdb) bt full
> #0  0x08069128 in DeleteItemGeneral (list=0x809cbc8, string=0x2c700cb0
> "134.68.220.74", type=regexComplete) at item-ext.c:709
>       ip = (struct Item *) 0x2c702e98
>       last = (struct Item *) 0x0
>       match = 1
>       matchlen = 0
>       rx = {buffer = 0x8197550 "\220m\031\b@q\031\b¸u\031\b\016", allocated =
> 96, used = 96, syntax = 242428, fastmap = 0x8197148 "Hu\031\b<ä.,", 
>   translate = 0x0, re_nsub = 0, can_be_null = 0, regs_allocated = 0,
> fastmap_accurate = 1, no_sub = 0, not_bol = 0, not_eol = 0,
> newline_anchor = 0}
>       rxcache = {buffer = 0x8197550 "\220m\031\b@q\031\b¸u\031\b\016",
> allocated = 96, used = 96, syntax = 242428, fastmap = 0x8197148
> "Hu\031\b<ä.,", 
>   translate = 0x0, re_nsub = 0, can_be_null = 0, regs_allocated = 0,
> fastmap_accurate = 1, no_sub = 0, not_bol = 0, not_eol = 0,
> newline_anchor = 0}
>       pmatch = {rm_so = 0, rm_eo = 13}
> #1  0x080693e1 in DeleteItemMatching (list=0x2c702e38, string=0x2c702e38
> "") at item-ext.c:769
> No locals.
> #2  0x08051d9e in DeleteConn (conn=0x2c700490) at cfservd.c:3245
> No locals.
> #3  0x0804cc5c in HandleConnection (conn=0x2c700490) at cfservd.c:1118
>       sigmask = {__val = {0 <repeats 32 times>}}
> #4  0x2c14b060 in pthread_detach () from /lib/libpthread.so.0
> No symbol table info available.
> #5  0x2c294bfa in clone () from /lib/libc.so.6
> No symbol table info available.
> 
> (gdb) disass $eip-0x20 $eip+0x2
> Dump of assembler code from 0x8069108 to 0x806912a:
> 0x08069108 <DeleteItemGeneral+232>:   add    $0x24,%al
> 0x0806910a <DeleteItemGeneral+234>:   arpl   %sp,(%esi)
> 0x0806910c <DeleteItemGeneral+236>:   or     %ecx,(%eax)
> 0x0806910e <DeleteItemGeneral+238>:   mov    %eax,0x4(%esp,1)
> 0x08069112 <DeleteItemGeneral+242>:   call   0x804aad0
> 0x08069117 <DeleteItemGeneral+247>:   mov    0x8(%ebp),%edx
> 0x0806911a <DeleteItemGeneral+250>:   cmp    (%edx),%esi
> 0x0806911c <DeleteItemGeneral+252>:   je     0x806915f
> <DeleteItemGeneral+319>
> 0x0806911e <DeleteItemGeneral+254>:   test   %esi,%esi
> 0x08069120 <DeleteItemGeneral+256>:   je     0x8069145
> <DeleteItemGeneral+293>
> 0x08069122 <DeleteItemGeneral+258>:   mov    0x18(%esi),%eax
> 0x08069125 <DeleteItemGeneral+261>:   mov    0xffffff9c(%ebp),%edx
> 0x08069128 <DeleteItemGeneral+264>:   mov    %eax,0x18(%edx)
> End of assembler dump.
> 
> 
> eagle src # cat -n item-ext.c | grep -n6 709 | head -10
> 703-   703             return true;
> 704-   704             }
> 705-   705          else
> 706-   706             {
> 707-   707             if (ip != NULL)
> 708-   708                {
> 709:   709                last->next = ip->next; 
> 710-   710                free(ip->name);
> 711-   711                if (ip->classes != NULL) 
> 712-   712                   {
> 



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Attachment: item-ext.c
Description: Text document
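The following is an added illustration, not cfengine's item-ext.c and not the patch Mark attached: a minimal item list with a delete-by-name routine in the shape of DeleteItemGeneral, showing why `last->next = ip->next` faults when the matching item is the head of the list (last is still NULL) and how the "test whether last is NULL" fix moves the list head instead. The helper names (PrependItem, DeleteItemByName, DeleteScenario) and the list contents other than the address from the backtrace are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
struct Item { char *name; struct Item *next; };

/* Push a copy of name at the head of the list (hypothetical helper). */
static void PrependItem(struct Item **liststart, const char *name)
{
    struct Item *ip = malloc(sizeof *ip);
    char *copy = malloc(strlen(name) + 1);
    if (ip == NULL || copy == NULL) abort();
    ip->name = strcpy(copy, name);
    ip->next = *liststart;
    *liststart = ip;
}

/* Delete the first item named string; returns 1 if removed, else 0.
 * On a head match last is still NULL, so the unchecked unlink
 * last->next = ip->next faults (item-ext.c:709); test last instead. */
static int DeleteItemByName(struct Item **liststart, const char *string)
{
    struct Item *ip, *last = NULL;
    for (ip = *liststart; ip != NULL; last = ip, ip = ip->next) {
        if (strcmp(ip->name, string) != 0)
            continue;
        if (last == NULL)
            *liststart = ip->next;  /* head match: move the list head */
        else
            last->next = ip->next;  /* interior match: unlink */
        free(ip->name);
        free(ip);                   /* freed once; ip is not used again */
        return 1;
    }
    return 0;
}

/* Scenario with constructed names: remove an interior item, then the
 * head twice (the former crash), then an absent name; returns deletions. */
static int DeleteScenario(void)
{
    struct Item *list = NULL;
    int removed = 0;
    PrependItem(&list, "134.68.220.74");
    PrependItem(&list, "10.0.0.2");
    PrependItem(&list, "10.0.0.3");                      /* head */
    removed += DeleteItemByName(&list, "10.0.0.2");      /* interior */
    removed += DeleteItemByName(&list, "10.0.0.3");      /* head */
    removed += DeleteItemByName(&list, "134.68.220.74"); /* sole item */
    removed += DeleteItemByName(&list, "10.0.0.9");      /* absent */
    return list == NULL ? removed : -1;                  /* 3 */
}
```

Running the scenario with the `last == NULL` branch removed reproduces the head-match fault that the backtrace above shows at item-ext.c:709.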

