On 02/12/2018 11:44 PM, Puran Chand wrote:
> The code works fine and generates a token most of the time, but once in a
> while it crashes, and the crash happens in the library.
I have looked at the stack traces and have a vague idea of the problem area, but I don't see a bug in the code, nor do I see any potentially related changes to sendto_kdc.c between 1.16 and the last KfW release. I will describe what's going on in case it helps you debug this further.

sendto_kdc.c:1113 (in krb5 1.16) is "if ((size_t)nwritten < SG_LEN(sgp))", where SG_LEN(sgp) is sgp->len. Since the code is crashing here, sgp is presumably a null or invalid pointer. sgp is set from conn->out.sgp. conn->out.sgp should have been initialized to state->out.sgbuf in add_connection(). sgbuf is an array of scatter-gather vectors of up to two elements. (We use this array to avoid having to recopy the packet for TCP requests, while still sending the length and the packet in one write operation.)

I can think of three general possibilities:

* conn->out.sgp for some reason never got set, so is a null pointer at the time of the crash. But I don't know why it wouldn't have been set.

* conn->out.sgp is incremented during each iteration of the loop (at line 1119) until we run out of written bytes to account for. If nwritten is for some reason much larger than it should be, conn->out.sgp could run off the end of conn->out.sgbuf by enough to produce a segmentation fault. But I don't know why nwritten would ever be larger than the lengths of the two scatter-gather vectors.

* conn->out.sgp could have been corrupted by a memory error elsewhere. Since sendto_kdc() is synchronous, I would think the corruption would have to have occurred in another thread.

_______________________________________________
kfwdev mailing list
http://mailman.mit.edu/mailman/listinfo/kfwdev
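As an added illustration of the bookkeeping discussed in the reply above, and not code from krb5's sendto_kdc.c: a simplified stand-in for the two-element scatter-gather array and the loop that advances sgp as bytes are written. The sg_buf, out_state, sg_advance and sg_scenario names are assumptions modelled on the description, and the guard that rejects an nwritten larger than the bytes still outstanding is what keeps sgp from running off the end of sgbuf in the second possibility.

```c
#include <stddef.h>
/* Added example, not krb5 code: sg_buf / SG_LEN / out_state are a
 * simplified model of the description in the email, not copies of it. */
typedef struct { const unsigned char *ptr; size_t len; } sg_buf;
#define SG_LEN(sg) ((sg)->len)

struct out_state {
    sg_buf sgbuf[2];   /* [0] = 4-byte TCP length prefix, [1] = packet */
    sg_buf *sgp;       /* current vector, advanced as bytes are written */
    int sg_count;      /* vectors still to be written */
};

/* Account for nwritten bytes just handed to the socket. Returns 0 on
 * success, -1 if nwritten exceeds what remained in the vectors, which is
 * the condition the email suspects could push sgp past sgbuf. The guard
 * is the added check; without it the loop keeps advancing sgp. */
int sg_advance(struct out_state *out, size_t nwritten)
{
    size_t remaining = 0;
    for (int i = 0; i < out->sg_count; i++)
        remaining += SG_LEN(&out->sgp[i]);
    if (nwritten > remaining)
        return -1;                      /* refuse to walk off sgbuf */
    while (nwritten > 0) {
        sg_buf *sgp = out->sgp;
        if (nwritten < SG_LEN(sgp)) {   /* partial write: shrink in place */
            sgp->ptr += nwritten;
            sgp->len -= nwritten;
            break;
        }
        nwritten -= SG_LEN(sgp);        /* vector done: move to the next */
        out->sgp++;
        out->sg_count--;
    }
    return 0;
}

/* Constructed scenario: a 4-byte length prefix plus a 10-byte packet, then
 * two write() results w1 and w2. Returns vectors still pending, or -1 if
 * either write reported more bytes than were outstanding. */
int sg_scenario(size_t w1, size_t w2)
{
    static const unsigned char lenbuf[4] = {0, 0, 0, 10};
    static const unsigned char pkt[] = "0123456789";   /* 10 data bytes */
    struct out_state out = { { {lenbuf, 4}, {pkt, 10} }, NULL, 2 };
    out.sgp = out.sgbuf;
    if (sg_advance(&out, w1) < 0 || sg_advance(&out, w2) < 0)
        return -1;
    return out.sg_count;
}
```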