[Dnsmasq-discuss] crash on double free

Simon Kelley simon at thekelleys.org.uk
Tue Sep 14 20:48:55 BST 2010


Ferenc Wagner wrote:
> Ferenc Wagner <wferi at niif.hu> writes:
> 
>> Ferenc Wagner <wferi at niif.hu> writes:
>>
>>> *** glibc detected *** /usr/sbin/dnsmasq: double free or corruption (top): 0x08ab60b8 ***
>>> [...]
>>>
>>> I've got the core file, but no debugging info.  The binary is the Debian
>>> Squeeze one from dnsmasq-base_2.55-1_i386.deb, running on a Lenny
>>> system...  I decided to still report this, because I don't think mixing
>>> in this package from another distribution should matter.  Maybe I'm wrong.
>>> It's a pity dnsmasq-core-dbg does not exist.  Tomorrow I'll probably get
>>> a chance to rebuild the package with debugging info.
>> I rebuilt the 2.55-1 source package under Lenny with debug info, and
>> reproduced the crash.  The backtrace is somewhat broken (address
>> 0x2b07\n?!), but maybe still useful:
>>
>> $ gdb dnsmasq core
>> GNU gdb 6.8-debian
>> [...]
>> Core was generated by `/usr/sbin/dnsmasq -d -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq'.
>> Program terminated with signal 6, Aborted.
>> (gdb) bt
>> #0  0xb7719416 in __kernel_vsyscall ()
>> #1  0xb7578640 in raise () from /lib/i686/cmov/libc.so.6
>> #2  0xb757a018 in abort () from /lib/i686/cmov/libc.so.6
>> #3  0xb75b548d in __libc_message () from /lib/i686/cmov/libc.so.6
>> #4  0xb75bb764 in malloc_printerr () from /lib/i686/cmov/libc.so.6
>> #5  0xb75bd966 in free () from /lib/i686/cmov/libc.so.6
>> #6  0x08060346 in do_script_run (now=1284470981) at lease.c:602
>> #7  0x0805d047 in main (argc=Cannot access memory at address 0x2b07
>> ) at dnsmasq.c:617
>>
>> I'll try to link in efence, and hope for a better report.
> 
> It said:
> 
> ElectricFence Aborting: free(b7215f8c): address not from malloc().
> Illegal instruction (core dumped)
> 
> and the backtrace is:
> 
> #0  0xb7782416 in __kernel_vsyscall ()
> #1  0xb75dc956 in kill () from /lib/i686/cmov/libc.so.6
> #2  0xb770edd5 in EF_Abort () from /usr/lib/libefence.so.0
> #3  0xb770e159 in free () from /usr/lib/libefence.so.0
> #4  0x080623aa in add_extradata_data (lease=0xb71c7fac, 
>     data=0xb720fb68 "Linux ipconfigÿ\001þ\006\004\nú\001þ\017\talma.grid\f\02152-54-00-12-34-56\021\020/var/lib/nfsrootÿ", len=14, delim=0) at rfc2131.c:1525
> #5  0x0806242c in add_extradata_opt (lease=0xb71c7fac, opt=<value optimized out>) at rfc2131.c:1555
> #6  0x08067040 in dhcp_reply (context=0xb7549fc4, iface_name=0xbfdb6854 "br-alma-g", int_index=10, 
>     sz=283, now=1284475079, unicast_dest=0, is_inform=0xbfdb68d4, pxe=0) at rfc2131.c:1240
> #7  0x0805fb3e in dhcp_packet (now=1284475079, pxe_fd=0) at dhcp.c:301
> #8  0x0805d7de in main (argc=Cannot access memory at address 0x4
> ) at dnsmasq.c:688
> 
> which points at
> 
> static void add_extradata_data(struct dhcp_lease *lease, unsigned char *data, size_t len, int delim)
> {
>   if ((lease->extradata_size - lease->extradata_len) < (len + 1))
>     {
>       size_t newsz = lease->extradata_len + len + 100;
>       unsigned char *new = whine_malloc(newsz);
>   
>       if (!new)
>         return;
>       
>       if (lease->extradata)
>         {
>           memcpy(new, lease->extradata, lease->extradata_len);
> HERE ==>  free(lease->extradata);
>         }
> 
>       lease->extradata = new;
>       lease->extradata_size = newsz;
>     }
> 
>   if (len != 0)
>     memcpy(lease->extradata + lease->extradata_len, data, len);
>   lease->extradata[lease->extradata_len + len] = delim;
>   lease->extradata_len += len + 1; 
> }
> 
> So it seems lease->extradata isn't a pointer returned by malloc(), thus
> you should try to free it.  I've got to leave now, hope it gives you
> enough info to actually pinpoint the problem.  I'm keeping the core
> files for further investigation (and also send them if needed).

Many thanks for taking the time to get this, I think I see the problem.
Could you try the following?

at src/rfc2131.c line 1237 which is

free(lease->extradata);

add an extra line

lease->extradata = NULL;

and see if that fixes the crashes.


Cheers,

Simon.
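The buffer logic under discussion, as an added example that is not dnsmasq's code: a reduced model of lease->extradata with the append function quoted above and a reset path carrying the one-line fix from the reply. The names lease_reset_extradata and exercise_extradata, and the zeroing of the two counters on reset, are assumptions of this model.

```c
#include <stdlib.h>
#include <string.h>

struct dhcp_lease {
    unsigned char *extradata;   /* NULL until the first append */
    size_t extradata_size;      /* bytes allocated */
    size_t extradata_len;       /* bytes used */
};

/* Same logic as the quoted function; its free() is only safe while extradata is NULL or live. */
static void add_extradata_data(struct dhcp_lease *lease, const unsigned char *data, size_t len, int delim)
{
    if ((lease->extradata_size - lease->extradata_len) < (len + 1)) {
        size_t newsz = lease->extradata_len + len + 100;
        unsigned char *new = malloc(newsz);
        if (!new) return;
        if (lease->extradata) {
            memcpy(new, lease->extradata, lease->extradata_len);
            free(lease->extradata);   /* the "HERE ==>" free in the backtrace */
        }
        lease->extradata = new;
        lease->extradata_size = newsz;
    }
    if (len != 0) memcpy(lease->extradata + lease->extradata_len, data, len);
    lease->extradata[lease->extradata_len + len] = (unsigned char)delim;
    lease->extradata_len += len + 1;
}

/* Reset between packets. free() alone leaves a dangling pointer that the next append
 * copies from and frees again; the NULL store is the fix from the reply. Zeroing the
 * counters so the next append reallocates is this model's assumption, not dnsmasq's code. */
static void lease_reset_extradata(struct dhcp_lease *lease)
{
    free(lease->extradata);
    lease->extradata = NULL;
    lease->extradata_len = 0;
    lease->extradata_size = 0;
}

/* Grow (taking the free() branch), reset, append again; returns bytes used, -1 if wrong. */
static int exercise_extradata(void)
{
    static const unsigned char big[120] = "x";   /* constructed filler */
    struct dhcp_lease lease = { NULL, 0, 0 };
    add_extradata_data(&lease, (const unsigned char *)"alma.grid", 9, 0);
    add_extradata_data(&lease, big, sizeof big, 0);   /* triggers the inner free() */
    lease_reset_extradata(&lease);   /* without the NULL store, the next call would double free */
    add_extradata_data(&lease, (const unsigned char *)"Linux ipconfig", 14, 0);
    int used = (lease.extradata_len == 15 && memcmp(lease.extradata, "Linux ipconfig", 15) == 0) ? 15 : -1;
    lease_reset_extradata(&lease);
    return used;
}
```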
