>>>>> On Wed, 24 Dec 2025 06:07:33 +0100, Marcin Haba said:
>
> On Tue, 23 Dec 2025 at 21:46, Martin Simmons <[email protected]> wrote:
> > Note that value=0xaaaaaaaaaaaaaaaa, which is a pattern glibc puts in freed
> > memory, so looks like a use-after-free bug.  This is the value of user->host()
> > at the end of handle_UA_client_request, but it's not clear how that would be
> > freed.
>
> Hello Everybody,
>
> I can be wrong, but for me it looks like a possible problem in the
> bvsnprintf() function.
>
> In this output:
>
> #4  0x00007ff005024d59 in fmtstr (buffer=buffer@entry=0x7fefcc00f890
> "Disconnection from 226.144.140:9101", currlen=currlen@entry=19,
> maxlen=maxlen@entry=512, value=0xaaaaaaaaaaaaaaaa <error: Cannot
> access memory at address 0xaaaaaaaaaaaaaaaa>, flags=0, min=0, max=512)
> at /usr/src/debug/bacula-15.0.3-3.el9.x86_64/src/lib/bsnprintf.c:462
> #5  0x00007ff005025995 in bvsnprintf
> (buffer=buffer@entry=0x7fefcc00f890 "Disconnection from
> 226.144.140:9101", maxlen=512, format=<optimized out>,
> format@entry=0x55b590a39128 "Disconnection from %s:%d",
> args=args@entry=0x7fefe9ffab10) at
> /usr/src/debug/bacula-15.0.3-3.el9.x86_64/src/lib/bsnprintf.c:362
>
> the IP address looks to be incomplete (3 octets): "Disconnection from
> 226.144.140:9101".
>
> The currlen=currlen@entry=19 points to position 19, which is the
> start position of the IP address: "Disconnection from "
Yes, so I think that means it hasn't copied the IP address into the buffer
yet.  It calls fmtstr to copy it, which is where we see the argument
value=0xaaaaaaaaaaaaaaaa and the crash.

Unfortunately, gdb doesn't show the varargs passed to bvsnprintf, so we can
only assume that it was passed 0xaaaaaaaaaaaaaaaa for that argument.

A likely explanation for the incomplete IP address is that we are seeing the
old contents of the buffer from offset 19 onwards.  I suspect the buffer was
used previously for the "Connection from %s:%d" message near the start of
handle_UA_client_request.  If you overlay these two messages and assume that
the first octet of the IP address has two digits, then offset 19 would refer
to bbb.ccc.ddd:ppp before it is set by fmtstr:

Connection from aa.bbb.ccc.ddd:ppp
Disconnection from aa.bbb.ccc.ddd:ppp

__Martin

_______________________________________________
Bacula-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bacula-users
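The buffer-overlay reasoning above, as an added illustration that is not Bacula's code: a small C model of a 512-byte message buffer reused for the two messages, where only the literal prefix of the second format has been written before the %s conversion, which is the state a left-to-right formatter like bvsnprintf is in when it calls fmtstr. The address 10.226.144.140 is a constructed sample with the two-digit first octet the reasoning assumes.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Bacula code: model the 512-byte message buffer
 * reused first for "Connection from %s:%d" and then for
 * "Disconnection from %s:%d". */
#define MAXLEN 512

static char g_buf[MAXLEN];

/* Copy the literal text of fmt up to its first conversion into buf, which is
 * all a left-to-right formatter has done by the time it reaches the %s.
 * Returns currlen, the offset where the %s argument would be written.
 * Bytes at and beyond currlen are untouched, so an older message survives there. */
static size_t write_literal_prefix(char *buf, size_t maxlen, const char *fmt)
{
    size_t currlen = 0;
    while (*fmt != '\0' && *fmt != '%' && currlen < maxlen - 1)
        buf[currlen++] = *fmt++;
    return currlen;
}

/* Put a complete "Connection from" message in the buffer, then the partial
 * "Disconnection from" prefix on top of it, and return currlen at the point
 * where the %s conversion (fmtstr in the trace) would run. */
size_t reproduce_stale_overlay(const char *prev_host, int prev_port)
{
    snprintf(g_buf, sizeof g_buf, "Connection from %s:%d", prev_host, prev_port);
    return write_literal_prefix(g_buf, sizeof g_buf, "Disconnection from %s:%d");
}

/* The buffer as a debugger would display it at that moment. */
const char *stale_overlay_buffer(void)
{
    return g_buf;
}

int main(void)
{
    /* Constructed sample address with a two-digit first octet, as the thread assumes. */
    size_t currlen = reproduce_stale_overlay("10.226.144.140", 9101);
    printf("currlen=%zu buffer=\"%s\"\n", currlen, stale_overlay_buffer());
    return 0;
}
```

The three surviving octets past offset 19 reproduce the gdb trace exactly: currlen=19 and buffer="Disconnection from 226.144.140:9101".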
