Re: lpd printing problem

Fri, 14 Oct 2011 01:30:42 -0700 

On Wed, Oct 12, 2011 at 05:39:48PM +0200, Pascal Stumpf wrote:

> On Wed, 12 Oct 2011 17:25:06 +0200, Otto Moerbeek wrote:
> > On Wed, Oct 12, 2011 at 04:03:57PM +0200, Pascal Stumpf wrote:
> > 
> > > I have two printers on the local network (laser and lexmark) and I want
> > > to use lpd(8) to print on them. It seems to me that lpd is having some
> > > sort of local problem (it does not even create lock and status files in
> > > the spool directories, and both lpr and lpq do not see the daemon). But
> > > some info first:
> > > 
> > > lpd is started with -s, manually or with rc.d makes no difference (nor
> > > removing -s).
> > 
> > Check your /var/log/lpd.errs.
> 
> Doesn't contain anything but "restarted" messages.
> 
> > Also, ktracing lpd with the the -i flag might give a clue to what the
> > lpd child is doing.
> 
> Apparently, it segfaults:

The problem appears in cgetnext();

I can see two (probably related) problems there:

1. if (toprec && !gottoprec) the goto lookup is done, leading to a
strcspn with record still being NULL.

2. After the toprec = record; statement is executed at the bottom op
the loop, a free(record) is done. That makes toprec point into the
wild. If a file is closed and reopened, toprec will be non-NULL (but
wild) and gottoprec will be 0 (due to cgetclose().

Cc:ing this to millert@ so he can have a look. I'm not completely
following the toprec logic, I must say.

Easiest way for me to trigger was:
Use malloc option S, have at least one entry in printcap, and run lpc.
On the lpc command line type status twice.

        -Otto

> 
>  10436 lpd      EMUL  "native"
>  10436 lpd      RET   select 1
>  10436 lpd      CALL  sigprocmask(SIG_BLOCK,0xffffffff)
>  10436 lpd      RET   sigprocmask 0
>  10436 lpd      CALL  mprotect(0x710000,0x2000,0x3<PROT_READ|PROT_WRITE>)
>  10436 lpd      RET   mprotect 0
>  10436 lpd      CALL  mprotect(0x710000,0x2000,0x1<PROT_READ>)
>  10436 lpd      RET   mprotect 0
>  10436 lpd      CALL  sigprocmask(SIG_SETMASK,0)
>  10436 lpd      RET   sigprocmask 4294901503/0xfffefeff
>  10436 lpd      CALL  accept(0x5,0x7f7ffffe05c0,0x7f7ffffe02a8)
>  10436 lpd      STRU  struct sockaddr { AF_LOCAL, "" }
>  10436 lpd      RET   accept 8
>  10436 lpd      CALL  fork()
>  10436 lpd      RET   fork 25687/0x6457
>  25687 lpd      RET   fork 0
>  10436 lpd      CALL  sigprocmask(SIG_BLOCK,0xffffffff)
>  10436 lpd      RET   sigprocmask 0
>  10436 lpd      CALL  mprotect(0x710000,0x2000,0x3<PROT_READ|PROT_WRITE>)
>  10436 lpd      RET   mprotect 0
>  10436 lpd      CALL  mprotect(0x710000,0x2000,0x1<PROT_READ>)
>  10436 lpd      RET   mprotect 0
>  25687 lpd      CALL  sigaction(SIGCHLD,0x7f7ffffe00e0,0x7f7ffffe00d0)
>  10436 lpd      CALL  sigprocmask(SIG_SETMASK,0)
>  10436 lpd      RET   sigprocmask 4294901503/0xfffefeff
>  25687 lpd      RET   sigaction 0
>  10436 lpd      CALL  close(0x8)
>  10436 lpd      RET   close 0
>  25687 lpd      CALL  sigaction(SIGHUP,0x7f7ffffe00e0,0x7f7ffffe00d0)
>  25687 lpd      RET   sigaction 0
>  10436 lpd      CALL  select(0x8,0x7f7ffffe0170,0,0,0)
>  25687 lpd      CALL  sigaction(SIGINT,0x7f7ffffe00e0,0x7f7ffffe00d0)
>  25687 lpd      RET   sigaction 0
>  25687 lpd      CALL  sigaction(SIGQUIT,0x7f7ffffe00e0,0x7f7ffffe00d0)
>  25687 lpd      RET   sigaction 0
>  25687 lpd      CALL  sigaction(SIGTERM,0x7f7ffffe00e0,0x7f7ffffe00d0)
>  25687 lpd      RET   sigaction 0
>  25687 lpd      CALL  sigprocmask(SIG_BLOCK,0xffffffff)
>  25687 lpd      RET   sigprocmask 0
>  25687 lpd      CALL  mprotect(0x710000,0x2000,0x3<PROT_READ|PROT_WRITE>)
>  25687 lpd      RET   mprotect 0
>  25687 lpd      CALL  mprotect(0x710000,0x2000,0x1<PROT_READ>)
>  25687 lpd      RET   mprotect 0
>  25687 lpd      CALL  sigprocmask(SIG_SETMASK,0)
>  25687 lpd      RET   sigprocmask 4294901503/0xfffefeff
>  25687 lpd      CALL  close(0x5)
>  25687 lpd      RET   close 0
>  25687 lpd      CALL  close(0x6)
>  25687 lpd      RET   close 0
>  25687 lpd      CALL  close(0x7)
>  25687 lpd      RET   close 0
>  25687 lpd      CALL  sigprocmask(SIG_BLOCK,0xffffffff)
>  25687 lpd      RET   sigprocmask 0
>  25687 lpd      CALL  mprotect(0x710000,0x2000,0x3<PROT_READ|PROT_WRITE>)
>  25687 lpd      RET   mprotect 0
>  25687 lpd      CALL  mprotect(0x710000,0x2000,0x1<PROT_READ>)
>  25687 lpd      RET   mprotect 0
>  25687 lpd      CALL  sigprocmask(SIG_SETMASK,0)
>  25687 lpd      RET   sigprocmask 4294901503/0xfffefeff
>  25687 lpd      CALL  dup2(0x8,0x1)
>  25687 lpd      RET   dup2 1
>  25687 lpd      CALL  close(0x8)
>  25687 lpd      RET   close 0
>  25687 lpd      CALL  sigprocmask(SIG_BLOCK,0xffffffff)
>  25687 lpd      RET   sigprocmask 0
>  25687 lpd      CALL  mprotect(0x710000,0x2000,0x3<PROT_READ|PROT_WRITE>)
>  25687 lpd      RET   mprotect 0
>  25687 lpd      CALL  mprotect(0x710000,0x2000,0x1<PROT_READ>)
>  25687 lpd      RET   mprotect 0
>  25687 lpd      CALL  sigprocmask(SIG_SETMASK,0)
>  25687 lpd      RET   sigprocmask 4294901503/0xfffefeff
>  25687 lpd      CALL  read(0x1,0x8121e0,0x1)
>  25687 lpd      GIO   fd 1 read 1 bytes
>        "\^A"
>  25687 lpd      RET   read 1
>  25687 lpd      CALL  read(0x1,0x8121e1,0x1)
>  25687 lpd      GIO   fd 1 read 1 bytes
>        "l"
>  25687 lpd      RET   read 1
>  25687 lpd      CALL  read(0x1,0x8121e2,0x1)
>  25687 lpd      GIO   fd 1 read 1 bytes
>        "e"
>  25687 lpd      RET   read 1
>  25687 lpd      CALL  read(0x1,0x8121e3,0x1)
>  25687 lpd      GIO   fd 1 read 1 bytes
>        "x"
>  25687 lpd      RET   read 1
>  25687 lpd      CALL  read(0x1,0x8121e4,0x1)
>  25687 lpd      GIO   fd 1 read 1 bytes
>        "m"
>  25687 lpd      RET   read 1
>  25687 lpd      CALL  read(0x1,0x8121e5,0x1)
>  25687 lpd      GIO   fd 1 read 1 bytes
>        "a"
>  25687 lpd      RET   read 1
>  25687 lpd      CALL  read(0x1,0x8121e6,0x1)
>  25687 lpd      GIO   fd 1 read 1 bytes
>        "r"
>  25687 lpd      RET   read 1
>  25687 lpd      CALL  read(0x1,0x8121e7,0x1)
>  25687 lpd      GIO   fd 1 read 1 bytes
>        "k"
>  25687 lpd      RET   read 1
>  25687 lpd      CALL  read(0x1,0x8121e8,0x1)
>  25687 lpd      GIO   fd 1 read 1 bytes
>        "
>        "
>  25687 lpd      RET   read 1
>  25687 lpd      CALL  seteuid(0)
>  25687 lpd      RET   seteuid 0
>  25687 lpd      CALL  setegid(0x1)
>  25687 lpd      RET   setegid 0
>  25687 lpd      CALL  sigprocmask(SIG_BLOCK,0xffffffff)
>  25687 lpd      RET   sigprocmask 0
>  25687 lpd      CALL  mprotect(0x710000,0x2000,0x3<PROT_READ|PROT_WRITE>)
>  25687 lpd      RET   mprotect 0
>  25687 lpd      CALL  mprotect(0x710000,0x2000,0x1<PROT_READ>)
>  25687 lpd      RET   mprotect 0
>  25687 lpd      CALL  sigprocmask(SIG_SETMASK,0)
>  25687 lpd      RET   sigprocmask 4294901503/0xfffefeff
>  25687 lpd      PSIG  SIGSEGV SIG_DFL code SEGV_MAPERR<1> addr=0x203677000 
> trapno=6
>  10436 lpd      PSIG  SIGCHLD caught handler=0x403560 mask=0x0
>  10436 lpd      RET   select -1 errno 4 Interrupted system call
>  10436 lpd      CALL  wait4(0xffffffff,0x7f7ffffdfd74,0x1<WNOHANG>,0)
>  10436 lpd      RET   wait4 25687/0x6457
>  10436 lpd      CALL  wait4(0xffffffff,0x7f7ffffdfd74,0x1<WNOHANG>,0)
>  10436 lpd      RET   wait4 -1 errno 10 No child processes
>  10436 lpd      CALL  sigreturn(0x7f7ffffdfd90)
>  10436 lpd      RET   sigreturn JUSTRETURN
>  10436 lpd      CALL  select(0x8,0x7f7ffffe0170,0,0,0)
> 
> 
> I remembered I had the "S" malloc flag set, so I removed
> /etc/malloc.conf, and ta-daaa, works. So this is a bug in the lpd code.
> I suspect it is somewhere in the "common" code for all lp programs, as
> I've also experienced SIGSEGVs in lpc. I'll see if I can hunt it down
> further if I have time ...
> 
> Thanks!
> 
> --------
> APL is a write-only language.  I can write programs in APL, but I
> can't read any of them.
>               -- Roy Keir

Reply via email to