View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003702 | GNUnet | UDP transport | public | 2015-03-06 21:10 | 2018-06-07 00:25 |
| Reporter | amatus | Assigned To | Christian Grothoff | ||
| Priority | normal | Severity | crash | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Product Version | Git master | ||||
| Target Version | 0.11.0pre66 | Fixed in Version | 0.11.0pre66 | ||
| Summary | 0003702: plugin_transport_udp.c double free or corruption | ||||
| Description | My peer running rev 35341 hit a double free in udp_select_send(). Looks like we got a bad UDP_MessageWrapper pointer, tried to send it which failed, tried to dequeue it which generated assertion failures, then tried to free it and triggered the abort. | ||||
| Additional Information | transport logs: Mar 06 08:29:15-548962 transport-3761 ERROR Assertion failed at plugin_transport_udp.c:1409. Mar 06 08:29:15-549045 transport-3761 ERROR Assertion failed at plugin_transport_udp.c:1437. *** Error in `/opt/gnunet/lib//gnunet/libexec/gnunet-service-transport': double free or corruption (!prev): 0x0000000001417d90 *** Program terminated with signal SIGABRT, Aborted. #0 0x00007fc269caf107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 0x00007fc269caf107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007fc269cb04e8 in __GI_abort () at abort.c:89 #2 0x00007fc269ced044 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7fc269ddfc60 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175 #3 0x00007fc269cf281e in malloc_printerr (action=1, str=0x7fc269ddfd68 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:4996 #4 0x00007fc269cf3526 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840 #5 0x00007fc26a33afba in GNUNET_xfree_ (ptr=0x1417d90, filename=0x7fc26494ca00 "plugin_transport_udp.c", linenumber=3233) at common_allocation.c:239 #6 0x00007fc264949852 in udp_select_send (plugin=0x136c070, sock=0x13208c0) at plugin_transport_udp.c:3233 #7 0x00007fc26494991c in udp_plugin_select_v4 (cls=0x136c070, tc=0x7ffc8d2918b0) at plugin_transport_udp.c:3264 #8 0x00007fc26a3725fb in run_ready (rs=0x130ca00, ws=0x12f7960) at scheduler.c:587 #9 0x00007fc26a372e8f in GNUNET_SCHEDULER_run (task=0x7fc26a37e406 <service_task>, task_cls=0x7ffc8d291c40) at scheduler.c:867 #10 0x00007fc26a38002e in GNUNET_SERVICE_run (argc=7, argv=0x7ffc8d291ec8, service_name=0x41e9ac "transport", options=GNUNET_SERVICE_OPTION_NONE, task=0x4055a2 <run>, task_cls=0x0) at service.c:1503 #11 0x0000000000405b69 in main (argc=7, argv=0x7ffc8d291ec8) at gnunet-service-transport.c:929 (gdb) f 6 #6 0x00007fc264949852 in udp_select_send (plugin=0x136c070, sock=0x13208c0) at plugin_transport_udp.c:3233 3233 GNUNET_free (udpw); (gdb) p sent $1 = -1 | ||||
| Tags | No tags attached. | ||||
|
|
I have a second backtrace that looks like the same bug, only this time it didn't make it past dequeue(). Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f985c73c1c7 in dequeue (plugin=0x118a070, udpw=0x24d69f0) at plugin_transport_udp.c:1423 1423 if (sizeof(struct IPv4UdpAddress) == udpw->session->address->address_length) (gdb) bt #0 0x00007f985c73c1c7 in dequeue (plugin=0x118a070, udpw=0x24d69f0) at plugin_transport_udp.c:1423 #1 0x00007f985c74081f in udp_select_send (plugin=0x118a070, sock=0x113e8c0) at plugin_transport_udp.c:3228 #2 0x00007f985c74091c in udp_plugin_select_v4 (cls=0x118a070, tc=0x7ffe2b7a9f40) at plugin_transport_udp.c:3264 #3 0x00007f98621695fb in run_ready (rs=0x112aa00, ws=0x1115960) at scheduler.c:587 #4 0x00007f9862169e8f in GNUNET_SCHEDULER_run (task=0x7f9862175406 <service_task>, task_cls=0x7ffe2b7aa2d0) at scheduler.c:867 #5 0x00007f986217702e in GNUNET_SERVICE_run (argc=7, argv=0x7ffe2b7aa558, service_name=0x41e9ac "transport", options=GNUNET_SERVICE_OPTION_NONE, task=0x4055a2 <run>, task_cls=0x0) at service.c:1503 #6 0x0000000000405b69 in main (argc=7, argv=0x7ffe2b7aa558) at gnunet-service-transport.c:929 (gdb) p *udpw $1 = {session = 0x12b5290, prev = 0x1aad340, next = 0x0, msg_buf = 0x0, qc = 0x7f985c73d1d1 <qc_fragment_sent>, qc_cls = 0x118a070, cont = 0x0, cont_cls = 0x0, frag_ctx = 0x1787cd0, timeout = {abs_value_us = 18446744073709551615}, msg_size = 1400, payload_size = 1400} (gdb) p *udpw->session $2 = {target = {public_key = { q_y = "`\000\000\000\000\000\000\000\361\a\000\000\000\000\000\000XK\341a\230\177\000\000\340iM\002\000\000\000"}}, plugin = 0x0, frag_ctx = 0x0, flow_delay_for_other_peer = {rel_value_us = 19616472}, flow_delay_from_other_peer = {abs_value_us = 1495}, timeout_task = 0xffffffffffffffff, timeout = { abs_value_us = 2867112532286428933}, last_expected_ack_delay = { rel_value_us = 17187907080579835093}, last_expected_msg_delay = { rel_value_us = 3154413032730196804}, address = 0xed794e69198c98b1, bytes_in_queue = 9214526725816175843, msgs_in_queue = 2134947096, rc = 2788204681, scope = 2958604309, in_destroy = 1017794058} (gdb) p *udpw->session->address Cannot access memory at address 0xed794e69198c98b1 |
|
|
SVN 35342 may fix, assuming the issue is that one of the 'cont'inuations adds an entry to the message queue during the session's destruction. Also added a check that the session is not in destroy during enqueue. Please report if the issue persists. |
|
|
Transport (with and without valgrind) seems to run very stable with UDP enabled now. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2015-03-06 21:10 | amatus | New Issue | |
| 2015-03-06 21:10 | amatus | Status | new => assigned |
| 2015-03-06 21:10 | amatus | Assigned To | => Matthias Wachs |
| 2015-03-06 21:20 | amatus | Note Added: 0008982 | |
| 2015-03-07 11:34 | Christian Grothoff | Note Added: 0008983 | |
| 2015-03-07 11:34 | Christian Grothoff | Assigned To | Matthias Wachs => Christian Grothoff |
| 2015-03-07 11:34 | Christian Grothoff | Status | assigned => feedback |
| 2015-03-07 11:34 | Christian Grothoff | Target Version | => 0.11.0pre66 |
| 2015-03-08 12:55 | Christian Grothoff | Note Added: 0008999 | |
| 2015-03-08 12:55 | Christian Grothoff | Status | feedback => resolved |
| 2015-03-08 12:55 | Christian Grothoff | Fixed in Version | => 0.11.0pre66 |
| 2015-03-08 12:55 | Christian Grothoff | Resolution | open => fixed |
| 2018-06-07 00:25 | Christian Grothoff | Status | resolved => closed |
