[Bug Report]

-----------------------------
Category:  Run Time - Segmentation Fault
Package:   other tcl-debug-2.0
OS:        RHEL4/OTHERS
Environment Variables:


-----------------------------
Description:

Description of Problem:

The tcl debugger tcl-debug 2.0 from Don Libes contains a bug in the function 
print_objv (Dbg.c:445) where not enough memory is allocated. The variable 
argv[] should hold an array of char * pointers. The call to malloc misses 
parentheses around objc + 1, so the multiplication binds only to the 1 and 
the call allocates insufficient memory (objc bytes plus one pointer instead 
of objc + 1 pointers).
A recent GLIBC as well as valgrind detect the error and abort program 
execution. As a consequence the simulator execution is aborted by the system 
environment.
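The size miscalculation and its corrected form, as an added example that is not part of the bug report or of tcl-debug itself. The function names are hypothetical, plain malloc stands in for Tcl's ckalloc, and the hardened builder also rejects negative counts and multiplication overflow, which the one-line patch does not address:

```c
#include <stdlib.h>
#include <stdint.h>

/* Bytes the original Dbg.c line requests. Because '*' binds tighter than
 * '+', this is objc + sizeof(char *), not (objc + 1) * sizeof(char *). */
size_t argv_bytes_buggy(int objc)
{
    return objc + 1 * sizeof(char *);
}

/* Bytes actually needed for objc pointers plus one terminating slot. */
size_t argv_bytes_fixed(int objc)
{
    return (objc + 1) * sizeof(char *);
}

/* Hardened builder (hypothetical, uses malloc instead of ckalloc):
 * validates the count, guards the multiplication against overflow,
 * copies the objc pointers and NULL-terminates the array.
 * Returns NULL on bad input or allocation failure; caller frees with free(). */
char **build_argv(int objc, char **objv)
{
    size_t n;
    char **argv;
    int i;

    if (objc < 0 || (size_t)objc >= SIZE_MAX / sizeof(char *))
        return NULL;
    n = (size_t)objc + 1;
    argv = (char **)malloc(n * sizeof(char *));
    if (argv == NULL)
        return NULL;
    for (i = 0; i < objc; i++)
        argv[i] = objv[i];
    argv[objc] = NULL;   /* the +1 slot is the terminator */
    return argv;
}
```

For every objc greater than zero the buggy size is smaller than the fixed one; only objc == 0 happens to request the right amount, which is why the report needs a stack of at least two frames to trigger the corruption.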

How Easily Reproducible: every time

Steps to Reproduce:
1. Start ns2
2. Enter 'debug 1'
3. Hit 's' until the stack has at least two elements. Starting ns and using 's' 
three or more times is sufficient.
4. Simply execute some commands where you should use 'w' multiple times. 
valgrind will immediately detect it; the glibc runtime checks sometimes do. 

Requirements:
Ns compiled with --with-debug and tcl-debug. In addition the following system 
components/libraries are of interest:

Linux: CentOS release 4.4
GLIBC: glibc-2.3.4-2.25
valgrind: valgrind-3.1.1-1.EL4

Actual Results:

GLIBC:
dbg2.7> w
 0: application
*1: history {add} {s
}
 2: llength {add {s
}}
dbg2.8> w
*** glibc detected *** malloc(): memory corruption (fast): 0x08629bf8 ***
Aborted

VALGRIND:

dbg2.6> s
2: set len [llength $args]
dbg2.7> w
 0: application
==12203== Invalid write of size 4
==12203==    at 0x8242DFB: print_objv (Dbg.c:445)
==12203==    by 0x8242EB5: PrintStackBelow (Dbg.c:469)
==12203==    by 0x8242EED: PrintStack (Dbg.c:488)
==12203==    by 0x82432E5: debugger_trap (Dbg.c:696)

Expected Results:
No output

Additional Information:
Patch is supplied below:
--- Dbg.c.orig  2000-08-16 00:09:30.000000000 +0200
+++ Dbg.c       2006-09-05 17:05:43.000000000 +0200
@@ -440,7 +440,7 @@
     char **argv;
     int argc;
     int len;
-    argv = (char **)ckalloc(objc+1 * sizeof(char *));
+    argv = (char **)ckalloc((objc + 1) * sizeof(char *));
     for (argc=0 ; argc<objc ; argc++) {
        argv[argc] = Tcl_GetStringFromObj(objv[argc],&len);
     }
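Review bot: The added parentheses are the right fix; in the `-` line the multiplication binds only to the literal 1, so `objc+1 * sizeof(char *)` requests `objc + sizeof(char *)` bytes, which is too small for any `objc` above zero and matches the 4-byte invalid write valgrind reports at Dbg.c:445. One point to confirm from the context lines: the allocation reserves `objc + 1` slots but the `for (argc=0 ; argc<objc ; argc++)` loop only fills `argv[0]` to `argv[objc-1]`; if the extra slot is meant as a NULL terminator it should be assigned after the loop, otherwise the `+ 1` is unused and can be documented as such.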

Kind regards,
  Christian Walter
