Steve Beattie <[email protected]> writes:

> This is an issue for lsh-utils in Ubuntu as well. I attempted to
> manually reproduce the lsh-2-test failure and this is the backtrace I
> got when the lsh server segv'ed:

Thanks a lot! This narrows it down quite a bit.

> (gdb) bt full
> #0  __strncpy_sse2_unaligned () at 
> ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
> No locals.
> #1  0x00007fb1fe1ec0aa in ?? () from /lib/x86_64-linux-gnu/libwrap.so.0
> No symbol table info available.
> #2  0x00007fb1fe1ec2c9 in request_init () from 
> /lib/x86_64-linux-gnu/libwrap.so.0
> No symbol table info available.
> #3  0x0000557c03c3abaa in do_tcp_wrapper (s=0x557c045eba20, a=0x557c045ec740, 
> c=0x557c045ec7c0, e=<optimized out>) at io_commands.c:347
>         lv = 0x557c045ec740
>         res = {fd = -1, user = '\000' <repeats 127 times>, daemon = 
> "unknown", '\000' <repeats 120 times>, pid = "15613\000\000\000\000", client 
> = {{
>               name = '\000' <repeats 127 times>, addr = '\000' <repeats 127 
> times>, sin = 0x0, unit = 0x0, request = 0x7ffc87252000}}, server = {{
>               name = '\000' <repeats 127 times>, addr = '\000' <repeats 127 
> times>, sin = 0x0, unit = 0x0, request = 0x7ffc87252000}}, sink = 0x0,
>           hostname = 0x0, hostaddr = 0x0, cleanup = 0x0, config = 0x0}
> #4  0x0000557c03c382ab in do_listen_callback (s=0x557c045ec370, fd=<optimized 
> out>) at io.c:769
>         self = 0x557c045ec370
>         peer = {ss_family = 2,
>           __ss_padding = "\266\n\177\000\000\001", '\000' <repeats 16 times>, 
> "\a\000\000\000\000\000\000\000\201J\305\003|U\000\000\360\303^\004|U", 
> '\000' <repeats 18 times>, "\001", '\000' <repeats 15 times>, 
> "\360$%\207\374\177\000\000\001\000\000\000\000\000\000\000\003\000\000\000\374\177\000\000$\000\000\000\000\000\000\000\b\000\000\000\000\000\000",
>  __ss_align = 140722575844800}
>         addr_len = 16
>         conn = <optimized out>

I see nothing obviously wrong here, except that I don't understand where
gdb picks up the peer, addr_len and conn variables at the end.

It would probably be helpful to add a break point on do_tcp_wrapper and
examine the variables.

Assuming that the bug is not inside tcpwrappers itself, I think the most
likely way this can crash is if the service name,
lsh_get_cstring(self->name), is NULL when passed to request_init, since
that's the only pointer argument to the function. It shouldn't be NULL,
of course.

I see one other odd thing when reading this code. The UNUSED declaration
of the first argument is wrong; maybe recent gcc omits code related to
that argument? You could try deleting that, and see if it makes a
difference.

It may also be useful to run lshd under valgrind, in case the crash is
caused by some earlier invalid memory accesses.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
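Added illustration of the failure mode discussed above (not code from lsh or libwrap): a constructed stand-in for request_init that copies the RQ_DAEMON string with strncpy the way tcp_wrappers does, so a NULL service name faults inside the copy exactly like frame #0 in the backtrace, next to a hypothetical guard (init_wrapper_request) that rejects the connection before the call instead. The struct, macros and function names are stand-ins, not libwrap's real definitions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for libwrap's request_info/request_init: the real
 * interface is a variadic key/value list terminated by 0, where RQ_DAEMON
 * is followed by a char *. Not libwrap's code. */
#define RQ_DAEMON 2
#define STRING_LENGTH 128

struct stub_request_info {
    int fd;
    char daemon[STRING_LENGTH];
};

/* Mirrors the copy tcp_wrappers does for RQ_DAEMON: strncpy with no NULL
 * check, so a NULL name is undefined behaviour (a SIGSEGV in practice). */
static struct stub_request_info *stub_request_init(struct stub_request_info *rq, ...)
{
    va_list ap;
    int key;

    memset(rq, 0, sizeof *rq);
    rq->fd = -1;
    strcpy(rq->daemon, "unknown");          /* same default as the backtrace shows */

    va_start(ap, rq);
    while ((key = va_arg(ap, int)) != 0) {
        if (key == RQ_DAEMON) {
            const char *name = va_arg(ap, const char *);
            strncpy(rq->daemon, name, STRING_LENGTH - 1);   /* faults if name == NULL */
        } else {
            (void) va_arg(ap, void *);      /* skip values of keys we don't model */
        }
    }
    va_end(ap);
    return rq;
}

/* Hypothetical guard a caller like do_tcp_wrapper could apply: validate the
 * service name before handing it to request_init. Returns 1 when the request
 * was initialised, 0 when the connection should be refused instead. */
int init_wrapper_request(struct stub_request_info *rq, const char *service_name)
{
    if (service_name == NULL || *service_name == '\0') {
        fprintf(stderr, "tcp wrapper: missing service name, refusing connection\n");
        return 0;
    }
    stub_request_init(rq, RQ_DAEMON, service_name, 0);
    return 1;
}
```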
