Package: cpqarrayd
Version: 2.2-3
Severity: important
Tags: patch
When trying to install and start cpqarrayd, it failed with segfault.
This is a valgrind run using a non-stripped package:
nos06ts001:~# valgrind cpqarrayd
==12382== Memcheck, a memory error detector.
==12382== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==12382== Using LibVEX rev 1658, a library for dynamic binary translation.
==12382== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==12382== Using valgrind-3.2.1-Debian, a dynamic binary instrumentation
framework.
==12382== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==12382== For more details, rerun with: -v
==12382==
Checking for controllers..
==12382== Syscall param ioctl(generic) points to uninitialised byte(s)
==12382== at 0x4000792: (within /lib/ld-2.3.6.so)
==12382== by 0x80494BA: cciss_interrogate_controller (discover.c:301)
==12382== by 0x8049DB2: discover_controllers (discover.c:113)
==12382== by 0x8049042: main (cpqarrayd.c:179)
==12382== Address 0xBE909808 is on thread 1's stack
==12382==
==12382== Syscall param ioctl(generic) points to uninitialised byte(s)
==12382== at 0x4000792: (within /lib/ld-2.3.6.so)
==12382== by 0x80495C3: cciss_interrogate_controller (discover.c:323)
==12382== by 0x8049DB2: discover_controllers (discover.c:113)
==12382== by 0x8049042: main (cpqarrayd.c:179)
==12382== Address 0xBE909809 is on thread 1's stack
DEBUG: Discarding old event 5/0/0
==12382==
==12382== Syscall param ioctl(generic) points to uninitialised byte(s)
==12382== at 0x4000792: (within /lib/ld-2.3.6.so)
==12382== by 0x80495FD: cciss_interrogate_controller (discover.c:327)
==12382== by 0x8049DB2: discover_controllers (discover.c:113)
==12382== by 0x8049042: main (cpqarrayd.c:179)
==12382== Address 0xBE909809 is on thread 1's stack
DEBUG: Discarding old event 5/0/0
DEBUG: Discarding old event 5/0/0
DEBUG: Discarding old event 5/2/0
Done
Monitoring list
[ 0] Controller type 'CCISS Controller' at /dev/cciss/c0d0
==12382==
==12382== Invalid read of size 4
==12382== at 0x80490D9: main (cpqarrayd.c:201)
==12382== Address 0x10 is not stack'd, malloc'd or (recently) free'd
==12382==
==12382== Process terminating with default action of signal 11 (SIGSEGV)
==12382== Access not within mapped region at address 0x10
==12382== at 0x80490D9: main (cpqarrayd.c:201)
==12382==
==12382== ERROR SUMMARY: 7 errors from 4 contexts (suppressed: 19 from 1)
==12382== malloc/free: in use at exit: 98 bytes in 3 blocks.
==12382== malloc/free: 6 allocs, 3 frees, 1,490 bytes allocated.
==12382== For counts of detected errors, rerun with: -v
==12382== searching for pointers to 3 not-freed blocks.
==12382== checked 308,284 bytes.
==12382==
==12382== LEAK SUMMARY:
==12382== definitely lost: 0 bytes in 0 blocks.
==12382== possibly lost: 0 bytes in 0 blocks.
==12382== still reachable: 98 bytes in 3 blocks.
==12382== suppressed: 0 bytes in 0 blocks.
==12382== Reachable blocks (those to which a pointer was found) are not shown.
==12382== To see them, rerun with: --show-reachable=yes
Segmentation fault
nos06ts001:~#
Looking at the source, it is obvious that the problem is with the
return value from gethostbyname() not being checked. This patch solve
the issue:
diff -Nru /tmp/ef1DJ7JSQ9/cpqarrayd-2.2/cpqarrayd.c
/tmp/w2djPKG0I0/cpqarrayd-2.2/cpqarrayd.c
--- /tmp/ef1DJ7JSQ9/cpqarrayd-2.2/cpqarrayd.c 2008-05-22 21:27:47.000000000
+0200
+++ /tmp/w2djPKG0I0/cpqarrayd-2.2/cpqarrayd.c 2008-05-22 21:27:47.000000000
+0200
@@ -198,10 +198,16 @@
/* It is unspecified whether a truncated hostname will be NUL-terminated.
*/
buffer[HOST_NAME_MAX] = '\0';
myhost = gethostbyname(buffer);
- myip = ((unsigned char) myhost->h_addr_list[0][3] << 24) +
- ((unsigned char) myhost->h_addr_list[0][2] << 16) +
- ((unsigned char) myhost->h_addr_list[0][1] << 8) +
- ((unsigned char) myhost->h_addr_list[0][0]);
+ if (myhost) {
+ myip = ((unsigned char) myhost->h_addr_list[0][3] << 24) +
+ ((unsigned char) myhost->h_addr_list[0][2] << 16) +
+ ((unsigned char) myhost->h_addr_list[0][1] << 8) +
+ ((unsigned char) myhost->h_addr_list[0][0]);
+ } else {
+ perror("gethostbyname");
+ strncpy(buffer, "(none)", HOST_NAME_MAX);
+ buffer[HOST_NAME_MAX] = '\0';
+ }
}
else {
perror("gethostname");
Happy hacking,
--
Petter Reinholdtsen
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]