View Issue Details

IDProjectCategoryView StatusLast Update
0003702GNUnetUDP transportpublic2018-06-07 00:25
ReporteramatusAssigned ToChristian Grothoff 
PrioritynormalSeveritycrashReproducibilityhave not tried
Status closedResolutionfixed 
Product VersionSVN HEAD 
Target Version0.11.0pre66Fixed in Version0.11.0pre66 
Summary0003702: plugin_transport_udp.c double free or corruption
DescriptionMy peer running rev 35341 hit a double free in udp_select_send().
Looks like we got a bad UDP_MessageWrapper pointer, tried to send it which failed, tried to dequeue it which generated assertion failures, then tried to free it and triggered the abort.
Additional Informationtransport logs:
Mar 06 08:29:15-548962 transport-3761 ERROR Assertion failed at plugin_transport_udp.c:1409.
Mar 06 08:29:15-549045 transport-3761 ERROR Assertion failed at plugin_transport_udp.c:1437.
*** Error in `/opt/gnunet/lib//gnunet/libexec/gnunet-service-transport': double free or corruption (!prev): 0x0000000001417d90 ***

Program terminated with signal SIGABRT, Aborted.
#0 0x00007fc269caf107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007fc269caf107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007fc269cb04e8 in __GI_abort () at abort.c:89
#2 0x00007fc269ced044 in __libc_message (do_abort=do_abort@entry=1,
    fmt=fmt@entry=0x7fc269ddfc60 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007fc269cf281e in malloc_printerr (action=1,
    str=0x7fc269ddfd68 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:4996
#4 0x00007fc269cf3526 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5 0x00007fc26a33afba in GNUNET_xfree_ (ptr=0x1417d90,
    filename=0x7fc26494ca00 "plugin_transport_udp.c", linenumber=3233) at common_allocation.c:239
#6 0x00007fc264949852 in udp_select_send (plugin=0x136c070, sock=0x13208c0)
    at plugin_transport_udp.c:3233
#7 0x00007fc26494991c in udp_plugin_select_v4 (cls=0x136c070, tc=0x7ffc8d2918b0)
    at plugin_transport_udp.c:3264
#8 0x00007fc26a3725fb in run_ready (rs=0x130ca00, ws=0x12f7960) at scheduler.c:587
#9 0x00007fc26a372e8f in GNUNET_SCHEDULER_run (task=0x7fc26a37e406 <service_task>,
    task_cls=0x7ffc8d291c40) at scheduler.c:867
#10 0x00007fc26a38002e in GNUNET_SERVICE_run (argc=7, argv=0x7ffc8d291ec8,
    service_name=0x41e9ac "transport", options=GNUNET_SERVICE_OPTION_NONE, task=0x4055a2 <run>,
    task_cls=0x0) at service.c:1503
#11 0x0000000000405b69 in main (argc=7, argv=0x7ffc8d291ec8) at gnunet-service-transport.c:929
(gdb) f 6
#6 0x00007fc264949852 in udp_select_send (plugin=0x136c070, sock=0x13208c0)
    at plugin_transport_udp.c:3233
3233 GNUNET_free (udpw);
(gdb) p sent
$1 = -1
TagsNo tags attached.

Activities

amatus

2015-03-06 21:20

developer   ~0008982

I have a second backtrace that looks like the same bug, only this time it didn't make it past dequeue().

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f985c73c1c7 in dequeue (plugin=0x118a070, udpw=0x24d69f0) at plugin_transport_udp.c:1423
1423 if (sizeof(struct IPv4UdpAddress) == udpw->session->address->address_length)
(gdb) bt
#0 0x00007f985c73c1c7 in dequeue (plugin=0x118a070, udpw=0x24d69f0) at plugin_transport_udp.c:1423
#1 0x00007f985c74081f in udp_select_send (plugin=0x118a070, sock=0x113e8c0)
    at plugin_transport_udp.c:3228
#2 0x00007f985c74091c in udp_plugin_select_v4 (cls=0x118a070, tc=0x7ffe2b7a9f40)
    at plugin_transport_udp.c:3264
#3 0x00007f98621695fb in run_ready (rs=0x112aa00, ws=0x1115960) at scheduler.c:587
#4 0x00007f9862169e8f in GNUNET_SCHEDULER_run (task=0x7f9862175406 <service_task>,
    task_cls=0x7ffe2b7aa2d0) at scheduler.c:867
#5 0x00007f986217702e in GNUNET_SERVICE_run (argc=7, argv=0x7ffe2b7aa558,
    service_name=0x41e9ac "transport", options=GNUNET_SERVICE_OPTION_NONE, task=0x4055a2 <run>,
    task_cls=0x0) at service.c:1503
#6 0x0000000000405b69 in main (argc=7, argv=0x7ffe2b7aa558) at gnunet-service-transport.c:929
(gdb) p *udpw
$1 = {session = 0x12b5290, prev = 0x1aad340, next = 0x0, msg_buf = 0x0,
  qc = 0x7f985c73d1d1 <qc_fragment_sent>, qc_cls = 0x118a070, cont = 0x0, cont_cls = 0x0,
  frag_ctx = 0x1787cd0, timeout = {abs_value_us = 18446744073709551615}, msg_size = 1400,
  payload_size = 1400}
(gdb) p *udpw->session
$2 = {target = {public_key = {
      q_y = "`\000\000\000\000\000\000\000\361\a\000\000\000\000\000\000XK\341a\230\177\000\000\340iM\002\000\000\000"}}, plugin = 0x0, frag_ctx = 0x0, flow_delay_for_other_peer = {rel_value_us = 19616472},
  flow_delay_from_other_peer = {abs_value_us = 1495}, timeout_task = 0xffffffffffffffff, timeout = {
    abs_value_us = 2867112532286428933}, last_expected_ack_delay = {
    rel_value_us = 17187907080579835093}, last_expected_msg_delay = {
    rel_value_us = 3154413032730196804}, address = 0xed794e69198c98b1,
  bytes_in_queue = 9214526725816175843, msgs_in_queue = 2134947096, rc = 2788204681, scope = 2958604309,
  in_destroy = 1017794058}
(gdb) p *udpw->session->address
Cannot access memory at address 0xed794e69198c98b1

Christian Grothoff

2015-03-07 11:34

manager   ~0008983

SVN 35342 may fix, assuming the issue is that one of the 'cont'inuations adds an entry to the message queue during the session's destruction. Also added a check that the session is not in destroy during enqueue. Please report if the issue persists.

Christian Grothoff

2015-03-08 12:55

manager   ~0008999

Transport (with and without valgrind) seems to run very stable with UDP enabled now.

Issue History

Date Modified Username Field Change
2015-03-06 21:10 amatus New Issue
2015-03-06 21:10 amatus Status new => assigned
2015-03-06 21:10 amatus Assigned To => Matthias Wachs
2015-03-06 21:20 amatus Note Added: 0008982
2015-03-07 11:34 Christian Grothoff Note Added: 0008983
2015-03-07 11:34 Christian Grothoff Assigned To Matthias Wachs => Christian Grothoff
2015-03-07 11:34 Christian Grothoff Status assigned => feedback
2015-03-07 11:34 Christian Grothoff Target Version => 0.11.0pre66
2015-03-08 12:55 Christian Grothoff Note Added: 0008999
2015-03-08 12:55 Christian Grothoff Status feedback => resolved
2015-03-08 12:55 Christian Grothoff Fixed in Version => 0.11.0pre66
2015-03-08 12:55 Christian Grothoff Resolution open => fixed
2018-06-07 00:25 Christian Grothoff Status resolved => closed