seems like something weird is going on in helper.c... see the gdb output...
since transfer->file->filename can never be zero (as long as transfer->file
plus 20 bytes or so is not zero),it seems like someone is writing zeroes to the
stack after the correct transfer->file->filename has been wrilten and b4
strlen() is called(or do they use a register at -O2? nope: pushl 0x40(%esp) //
call 3700 <strlen@plt>)...
maybe someone who knows more about transfer->file can see, what is wrong here...
-Arne
gdb output:dnsmasq-dhcp: 3182551826 sent size: 4 option: 28 broadcast
192.168.1.255dnsmasq-dhcp: 3182551826 sent size: 12 option:209
70:78:65:2f:67:72:75:62:2e:63:66:67dnsmasq-dhcp: 3182551826 sent size: 4
option: 3 router 192.168.1.1dnsmasq-tftp: error 8 User aborted the transfer
received from 192.168.1.2dnsmasq-tftp: failed sending
/var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi to 192.168.1.2dnsmasq-tftp: sent
/var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi to 192.168.1.2
Program received signal SIGSEGV, Segmentation fault.0xb7ef0bc6 in __strlen_sse2
() from /usr/lib/libc.so.6(gdb) where#0 0xb7ef0bc6 in __strlen_sse2 () from
/usr/lib/libc.so.6#1 0x8002b8b7 in queue_tftp (file_len=203776, filename=0x0,
peer=0x8005bf68) at helper.c:819#2 0x8002d3b3 in do_tftp_script_run () at
tftp.c:811#3 0x80006875 in main (argc=<optimized out>, argv=<optimized out>)
at dnsmasq.c:955(gdb) frame 1#1 0x8002b8b7 in queue_tftp (file_len=203776,
filename=0x0, peer=0x8005bf68) at helper.c:819819 filename_len =
strlen(filename) + 1;(gdb) list814 815 /* no script */816 if
(daemon->helperfd == -1)817 return;818 819 filename_len =
strlen(filename) + 1;820 buff_alloc(sizeof(struct script_data) +
filename_len);821 memset(buf, 0, sizeof(struct script_data));822 823
buf->action = ACTION_TFTP;(gdb) print filename$1 = 0x0(gdb) frame 2#2
0x8002d3b3 in do_tftp_script_run () at tftp.c:811811
queue_tftp(transfer->file->size, transfer->file->filename,
&transfer->peer);(gdb) list806 807 if ((transfer =
daemon->tftp_done_trans))808 {809 daemon->tftp_done_trans =
transfer->next;810 #ifdef HAVE_SCRIPT811 queue_tftp(transfer->file->size,
transfer->file->filename, &transfer->peer);812 #endif813
free_transfer(transfer);814 return 1;815 }(gdb) print
*transfer->file$2 = {refcount = 1, fd = 15, size = 203776, dev = 20, inode =
5570, filename = 0x8005bf68 "/var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi"}
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
