View Issue Details

ID: 0003627
Project: GNUnet
Category: util library
View Status: public
Last Update: 2018-06-07 00:25
Reporter: Bart Polot
Assigned To: ch3
Priority: normal
Severity: crash
Reproducibility: random
Status: closed
Resolution: unable to reproduce
Product Version: Git master
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0003627: RPS service causes mq to use memory after free
Description: RPS crashes with a SIGSEGV in mq code. MQ seems to have corrupted data structures.
Steps To Reproduce: run rps/test_rps_multipeer
Additional Information:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f37676b4fa4 in transmit_queued (cls=0x1d2b4c0, size=56, buf=0x1d20c80) at mq.c:499
499 msg_size = ntohs (msg->size);
(gdb) bt
#0 0x00007f37676b4fa4 in transmit_queued (cls=0x1d2b4c0, size=56, buf=0x1d20c80) at mq.c:499
#1 0x00007f37676cb0f2 in transmit_ready_callback_wrapper (cls=0x1d18090, size=56, buf=0x1d20c80) at server.c:1586
#2 0x00007f3767694b08 in process_notify (connection=0x1d2b3f0) at connection.c:1205
#3 0x00007f3767695602 in transmit_ready (cls=0x1d2b3f0, tc=0x7fffccc343a0) at connection.c:1336
#4 0x00007f37676c453e in run_ready (rs=0x1d19560, ws=0x1d195f0) at scheduler.c:587
#5 0x00007f37676c4dc2 in GNUNET_SCHEDULER_run (task=0x7f37676d1775 <service_task>, task_cls=0x7fffccc34720)
    at scheduler.c:816
#6 0x00007f37676d34ae in GNUNET_SERVICE_run (argc=3, argv=0x7fffccc349a8, service_name=0x4082df "rps",
    options=GNUNET_SERVICE_OPTION_NONE, task=0x407196 <run>, task_cls=0x0) at service.c:1503
#7 0x00000000004076e6 in main (argc=3, argv=0x7fffccc349a8) at gnunet-service-rps.c:1682
(gdb) p *msg
Cannot access memory at address 0xdf0adba0df0adba
(gdb) p *mq
$1 = {handlers = 0x0, handlers_cls = 0x0, send_impl = 0x7f37676b523a <server_client_send_impl>,
  destroy_impl = 0x7f37676b5090 <server_client_destroy_impl>, cancel_impl = 0x0, impl_state = 0x1d1eb70,
  error_handler = 0x0, envelope_head = 0x0, envelope_tail = 0x0, current_envelope = 0x1d1b9a0, assoc_map = 0x0,
  continue_task = 0x0, assoc_id = 0}
(gdb) p *mq->current_envelope
$2 = {next = 0x0, prev = 0xdf0adba0df0adba, mh = 0xdf0adba0df0adba, parent_queue = 0xdf0adba0df0adba,
  sent_cb = 0xdf0adba0df0adba, sent_cls = 0xdf0adba0df0adba}
(gdb)
Tags: No tags attached.

Activities

Florian Dold

2015-03-07 23:46

developer   ~0008993

Not sure what happens here, it might be useful to run under valgrind to see where the memory corruption occurs.

I see places in the RPS code where we do

    if (NULL != peer_ctx->mq)
      GNUNET_MQ_destroy (peer_ctx->mq);

which might cause undetected corruption later since the mq handle is not set to NULL.

That's just a guess though, running under valgrind will shed further light on this. Again I'll wait for Julius' next commit before investigating.
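
The pattern the note above points at, as an added example that is not GNUnet's code: a stand-in queue whose destroy records a repeated destroy instead of freeing memory, with the teardown as quoted beside a variant that clears the handle afterwards. `struct MockMQ`, `mock_mq_destroy` and `double_teardown_hits` are hypothetical stand-ins for the real MQ API, not GNUnet identifiers.

```c
#include <stddef.h>

/* Hypothetical stand-in for a GNUnet message queue (not the real struct). */
struct MockMQ
{
  int alive;
};

/* Peer context as in the report: holds an optional mq handle. */
struct PeerContext
{
  struct MockMQ *mq;
};

/* Destroys that hit an already-destroyed queue, i.e. what would be a
   double free / use after free with the real allocator. */
static int destroy_on_dead;

/* Stand-in for GNUNET_MQ_destroy: marks the queue dead instead of freeing
   it, so a second destroy is observable rather than undefined behaviour. */
static void mock_mq_destroy (struct MockMQ *mq)
{
  if (! mq->alive)
    destroy_on_dead++;
  mq->alive = 0;
}

/* The pattern quoted in the note: destroy, but keep the stale handle. */
static void teardown_mq_dangling (struct PeerContext *peer_ctx)
{
  if (NULL != peer_ctx->mq)
    mock_mq_destroy (peer_ctx->mq);
}

/* Hardened variant: clear the handle so later NULL checks mean something. */
static void teardown_mq_clean (struct PeerContext *peer_ctx)
{
  if (NULL != peer_ctx->mq)
  {
    mock_mq_destroy (peer_ctx->mq);
    peer_ctx->mq = NULL;
  }
}

/* Run a teardown twice on the same context (e.g. once on disconnect and once
   on peer removal) and return how many destroys hit a dead queue. */
static int double_teardown_hits (void (*teardown) (struct PeerContext *))
{
  struct MockMQ q = { 1 };
  struct PeerContext ctx = { &q };
  destroy_on_dead = 0;
  teardown (&ctx);
  teardown (&ctx);
  return destroy_on_dead; /* 1 for the dangling variant, 0 for the clean one */
}
```

With the real allocator the second destroy in the dangling variant walks freed envelope memory, which is the kind of poisoned pointer the backtrace above shows.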

Christian Grothoff

2015-03-20 21:13

manager   ~0009026

Reported to be gone with changes to RPS code.

Issue History

Date Modified Username Field Change
2015-01-28 17:09 Bart Polot New Issue
2015-01-28 17:09 Bart Polot Status new => assigned
2015-01-28 17:09 Bart Polot Assigned To => Florian Dold
2015-02-28 18:37 Christian Grothoff Target Version 0.11.0pre66 => 0.11.0
2015-03-07 23:33 Florian Dold Status assigned => feedback
2015-03-07 23:39 Florian Dold Status feedback => assigned
2015-03-07 23:46 Florian Dold Note Added: 0008993
2015-03-07 23:46 Florian Dold Status assigned => feedback
2015-03-20 21:13 Christian Grothoff Note Added: 0009026
2015-03-20 21:13 Christian Grothoff Status feedback => resolved
2015-03-20 21:13 Christian Grothoff Fixed in Version => 0.11.0pre66
2015-03-20 21:13 Christian Grothoff Resolution open => unable to reproduce
2015-03-20 21:13 Christian Grothoff Assigned To Florian Dold => ch3
2015-03-20 22:07 Christian Grothoff Target Version 0.11.0 => 0.11.0pre66
2018-06-07 00:25 Christian Grothoff Status resolved => closed