View Issue Details

IDProjectCategoryView StatusLast Update
0003152GNUnettransport servicepublic2024-05-03 13:58
ReporterMatthias Wachs Assigned ToChristian Grothoff  
PriorityurgentSeveritycrashReproducibilityhave not tried
Status closedResolutionfixed 
Product VersionGit master 
Target Version0.10.0Fixed in Version0.10.0 
Summary0003152: Dynamic growing consensus set causes segfault
Description==8516== Invalid read of size 8
==8516== at 0x5450D24: disconnect_and_free_peer_entry (core_api.c:400)
==8516== by 0x568359B: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==8516== by 0x54561AB: GNUNET_CORE_disconnect (core_api.c:1217)
==8516== by 0x406138: shutdown_task (gnunet-service-dv.c:1883)
==8516== by 0x56A6CC0: run_ready (scheduler.c:593)
==8516== by 0x56A7547: GNUNET_SCHEDULER_run (scheduler.c:808)
==8516== by 0x56B55CA: GNUNET_SERVICE_run (service.c:1478)
==8516== by 0x406588: main (gnunet-service-dv.c:2035)
==8516== Address 0x6ef4770 is 112 bytes inside a block of size 184 free'd
==8516== at 0x4C2BA6C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8516== by 0x566FE1E: GNUNET_xfree_ (common_allocation.c:236)
==8516== by 0x56701CB: GNUNET_xgrow_ (common_allocation.c:336)
==8516== by 0x402AE4: get_consensus_slot (gnunet-service-dv.c:705)
==8516== by 0x402B02: allocate_route (gnunet-service-dv.c:725)
==8516== by 0x403A3A: check_possible_route (gnunet-service-dv.c:1027)
==8516== by 0x568359B: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==8516== by 0x403B92: refresh_routes (gnunet-service-dv.c:1059)
==8516== by 0x568359B: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==8516== by 0x405EC4: handle_core_disconnect (gnunet-service-dv.c:1822)
==8516== by 0x5450C46: disconnect_and_free_peer_entry (core_api.c:389)
==8516== by 0x568359B: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==8516==
TagsNo tags attached.

Relationships

has duplicate 0003155 closedChristian Grothoff Crash in shutdown 
child of 0001795 closedschanzen DV is not implemented 

Activities

Christian Grothoff

2013-12-04 10:44

manager   ~0007756

I've made the recursion on "refresh_routes()" asynchronous (new task), so that at least we're no longer adding new routes while handling core disconnect (that just sounds like a bad idea). It may help, but I've not seen exactly how this would trigger the bug, so more likely the issue itself is not solved by this (SVN 31031).

Christian Grothoff

2013-12-07 23:18

manager   ~0007774

Still there, reproduced using testbed profiler with 10 peers (and allowed 100 connect errors) using DV test configuration file:

==23943== Invalid read of size 8
==23943== at 0x5455100: main_notify_handler (core_api.c:988)
==23943== by 0x566D619: receive_task (client.c:589)
==23943== by 0x56ABF10: run_ready (scheduler.c:593)
==23943== by 0x56AC862: GNUNET_SCHEDULER_run (scheduler.c:808)
==23943== by 0x56BB65F: GNUNET_SERVICE_run (service.c:1478)
==23943== by 0x10F209: main (gnunet-service-dv.c:2087)
==23943== Address 0x6ed5cd0 is 112 bytes inside a block of size 184 free'd
==23943== at 0x4C2A74C: free (vg_replace_malloc.c:468)
==23943== by 0x5670558: GNUNET_xfree_ (common_allocation.c:236)
==23943== by 0x567096E: GNUNET_xgrow_ (common_allocation.c:336)
==23943== by 0x10AF0F: get_consensus_slot (gnunet-service-dv.c:714)
==23943== by 0x10AF50: allocate_route (gnunet-service-dv.c:734)
==23943== by 0x10C0EA: check_possible_route (gnunet-service-dv.c:1040)
==23943== by 0x5685705: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==23943== by 0x10C271: refresh_routes (gnunet-service-dv.c:1072)
==23943== by 0x5685705: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==23943== by 0x10C2D1: refresh_routes_task (gnunet-service-dv.c:1090)
==23943== by 0x56ABF10: run_ready (scheduler.c:593)
==23943== by 0x56AC862: GNUNET_SCHEDULER_run (scheduler.c:808)

Christian Grothoff

2013-12-07 23:27

manager   ~0007775

Looks like neither get_consensus_slot, nor allocate_route, nor check_possible_route checked that the distance didn't yet grow beyond our 3-hop bound and thus overflowed the 'consensi' array. Added assertions, and added logic to not include routes with too many hops to check_possible_route in SVN 31167.

Issue History

Date Modified Username Field Change
2013-12-03 13:52 Matthias Wachs New Issue
2013-12-04 10:44 Christian Grothoff Note Added: 0007756
2013-12-04 10:45 Christian Grothoff Priority normal => high
2013-12-04 10:45 Christian Grothoff Target Version => 0.10.0
2013-12-07 22:20 Christian Grothoff Relationship added child of 0001795
2013-12-07 23:18 Christian Grothoff Note Added: 0007774
2013-12-07 23:18 Christian Grothoff Priority high => urgent
2013-12-07 23:18 Christian Grothoff Severity minor => crash
2013-12-07 23:18 Christian Grothoff Status new => confirmed
2013-12-07 23:18 Christian Grothoff Product Version => Git master
2013-12-07 23:27 Christian Grothoff Note Added: 0007775
2013-12-07 23:27 Christian Grothoff Assigned To => Christian Grothoff
2013-12-07 23:27 Christian Grothoff Status confirmed => assigned
2013-12-07 23:27 Christian Grothoff Status assigned => resolved
2013-12-07 23:27 Christian Grothoff Fixed in Version => 0.10.0
2013-12-07 23:27 Christian Grothoff Resolution open => fixed
2013-12-08 22:20 Christian Grothoff Relationship added has duplicate 0003155
2013-12-24 20:54 Christian Grothoff Status resolved => closed
2024-05-03 13:58 Christian Grothoff Category DV service or transport => transport service