Package: cpqarrayd
Version: 2.2-3
Severity: important
Tags: patch

When trying to install and start cpqarrayd, it failed with segfault.
This is a valgrind run using a non-stripped package:

nos06ts001:~# valgrind cpqarrayd
==12382== Memcheck, a memory error detector.
==12382== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==12382== Using LibVEX rev 1658, a library for dynamic binary translation.
==12382== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==12382== Using valgrind-3.2.1-Debian, a dynamic binary instrumentation 
framework.
==12382== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==12382== For more details, rerun with: -v
==12382==
Checking for controllers..
==12382== Syscall param ioctl(generic) points to uninitialised byte(s)
==12382==    at 0x4000792: (within /lib/ld-2.3.6.so)
==12382==    by 0x80494BA: cciss_interrogate_controller (discover.c:301)
==12382==    by 0x8049DB2: discover_controllers (discover.c:113)
==12382==    by 0x8049042: main (cpqarrayd.c:179)
==12382==  Address 0xBE909808 is on thread 1's stack
==12382==
==12382== Syscall param ioctl(generic) points to uninitialised byte(s)
==12382==    at 0x4000792: (within /lib/ld-2.3.6.so)
==12382==    by 0x80495C3: cciss_interrogate_controller (discover.c:323)
==12382==    by 0x8049DB2: discover_controllers (discover.c:113)
==12382==    by 0x8049042: main (cpqarrayd.c:179)
==12382==  Address 0xBE909809 is on thread 1's stack
DEBUG: Discarding old event 5/0/0
==12382==
==12382== Syscall param ioctl(generic) points to uninitialised byte(s)
==12382==    at 0x4000792: (within /lib/ld-2.3.6.so)
==12382==    by 0x80495FD: cciss_interrogate_controller (discover.c:327)
==12382==    by 0x8049DB2: discover_controllers (discover.c:113)
==12382==    by 0x8049042: main (cpqarrayd.c:179)
==12382==  Address 0xBE909809 is on thread 1's stack
DEBUG: Discarding old event 5/0/0
DEBUG: Discarding old event 5/0/0
DEBUG: Discarding old event 5/2/0
Done
Monitoring list
 [ 0] Controller type 'CCISS Controller' at /dev/cciss/c0d0
==12382==
==12382== Invalid read of size 4
==12382==    at 0x80490D9: main (cpqarrayd.c:201)
==12382==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==12382==
==12382== Process terminating with default action of signal 11 (SIGSEGV)
==12382==  Access not within mapped region at address 0x10
==12382==    at 0x80490D9: main (cpqarrayd.c:201)
==12382==
==12382== ERROR SUMMARY: 7 errors from 4 contexts (suppressed: 19 from 1)
==12382== malloc/free: in use at exit: 98 bytes in 3 blocks.
==12382== malloc/free: 6 allocs, 3 frees, 1,490 bytes allocated.
==12382== For counts of detected errors, rerun with: -v
==12382== searching for pointers to 3 not-freed blocks.
==12382== checked 308,284 bytes.
==12382==
==12382== LEAK SUMMARY:
==12382==    definitely lost: 0 bytes in 0 blocks.
==12382==      possibly lost: 0 bytes in 0 blocks.
==12382==    still reachable: 98 bytes in 3 blocks.
==12382==         suppressed: 0 bytes in 0 blocks.
==12382== Reachable blocks (those to which a pointer was found) are not shown.
==12382== To see them, rerun with: --show-reachable=yes
Segmentation fault
nos06ts001:~#

Looking at the source, it is obvious that the problem is with the
return value from gethostbyname() not being checked.  This patch solve
the issue:

diff -Nru /tmp/ef1DJ7JSQ9/cpqarrayd-2.2/cpqarrayd.c 
/tmp/w2djPKG0I0/cpqarrayd-2.2/cpqarrayd.c
--- /tmp/ef1DJ7JSQ9/cpqarrayd-2.2/cpqarrayd.c   2008-05-22 21:27:47.000000000 
+0200
+++ /tmp/w2djPKG0I0/cpqarrayd-2.2/cpqarrayd.c   2008-05-22 21:27:47.000000000 
+0200
@@ -198,10 +198,16 @@
     /* It is unspecified whether a truncated hostname will be NUL-terminated. 
*/
     buffer[HOST_NAME_MAX] = '\0';
     myhost = gethostbyname(buffer);
-    myip = ((unsigned char) myhost->h_addr_list[0][3] << 24) +
-      ((unsigned char) myhost->h_addr_list[0][2] << 16) +
-      ((unsigned char) myhost->h_addr_list[0][1] << 8) +
-      ((unsigned char) myhost->h_addr_list[0][0]);
+    if (myhost) {
+      myip = ((unsigned char) myhost->h_addr_list[0][3] << 24) +
+        ((unsigned char) myhost->h_addr_list[0][2] << 16) +
+        ((unsigned char) myhost->h_addr_list[0][1] << 8) +
+        ((unsigned char) myhost->h_addr_list[0][0]);
+    } else {
+      perror("gethostbyname");
+      strncpy(buffer, "(none)", HOST_NAME_MAX);
+      buffer[HOST_NAME_MAX] = '\0';
+    }
   }
   else {
     perror("gethostname");

Happy hacking,
-- 
Petter Reinholdtsen



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to