[Dnsmasq-discuss] crash on double free
Simon Kelley
simon at thekelleys.org.uk
Tue Sep 14 20:48:55 BST 2010
Ferenc Wagner wrote:
> Ferenc Wagner <wferi at niif.hu> writes:
>
>> Ferenc Wagner <wferi at niif.hu> writes:
>>
>>> *** glibc detected *** /usr/sbin/dnsmasq: double free or corruption (top): 0x08ab60b8 ***
>>> [...]
>>>
>>> I've got the core file, but no debugging info. The binary is the Debian
>>> Squeeze one from dnsmasq-base_2.55-1_i386.deb, running on a Lenny
>>> system... I decided to still report this, because I don't think mixing
>>> in this package from another distribution should matter. Maybe I'm wrong.
>>> It's a pity dnsmasq-core-dbg does not exist. Tomorrow I'll probably get
>>> a chance to rebuild the package with debugging info.
>> I rebuilt the 2.55-1 source package under Lenny with debug info, and
>> reproduced the crash. The backtrace is somewhat broken (address
>> 0x2b07\n?!), but maybe still useful:
>>
>> $ gdb dnsmasq core
>> GNU gdb 6.8-debian
>> [...]
>> Core was generated by `/usr/sbin/dnsmasq -d -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq'.
>> Program terminated with signal 6, Aborted.
>> (gdb) bt
>> #0 0xb7719416 in __kernel_vsyscall ()
>> #1 0xb7578640 in raise () from /lib/i686/cmov/libc.so.6
>> #2 0xb757a018 in abort () from /lib/i686/cmov/libc.so.6
>> #3 0xb75b548d in __libc_message () from /lib/i686/cmov/libc.so.6
>> #4 0xb75bb764 in malloc_printerr () from /lib/i686/cmov/libc.so.6
>> #5 0xb75bd966 in free () from /lib/i686/cmov/libc.so.6
>> #6 0x08060346 in do_script_run (now=1284470981) at lease.c:602
>> #7 0x0805d047 in main (argc=Cannot access memory at address 0x2b07
>> ) at dnsmasq.c:617
>>
>> I'll try to link in efence, and hope for a better report.
>
> It said:
>
> ElectricFence Aborting: free(b7215f8c): address not from malloc().
> Illegal instruction (core dumped)
>
> and the backtrace is:
>
> #0 0xb7782416 in __kernel_vsyscall ()
> #1 0xb75dc956 in kill () from /lib/i686/cmov/libc.so.6
> #2 0xb770edd5 in EF_Abort () from /usr/lib/libefence.so.0
> #3 0xb770e159 in free () from /usr/lib/libefence.so.0
> #4 0x080623aa in add_extradata_data (lease=0xb71c7fac,
> data=0xb720fb68 "Linux ipconfigÿ\001þ\006\004\nú\001þ\017\talma.grid\f\02152-54-00-12-34-56\021\020/var/lib/nfsrootÿ", len=14, delim=0) at rfc2131.c:1525
> #5 0x0806242c in add_extradata_opt (lease=0xb71c7fac, opt=<value optimized out>) at rfc2131.c:1555
> #6 0x08067040 in dhcp_reply (context=0xb7549fc4, iface_name=0xbfdb6854 "br-alma-g", int_index=10,
> sz=283, now=1284475079, unicast_dest=0, is_inform=0xbfdb68d4, pxe=0) at rfc2131.c:1240
> #7 0x0805fb3e in dhcp_packet (now=1284475079, pxe_fd=0) at dhcp.c:301
> #8 0x0805d7de in main (argc=Cannot access memory at address 0x4
> ) at dnsmasq.c:688
>
> which points at
>
> static void add_extradata_data(struct dhcp_lease *lease, unsigned char *data, size_t len, int delim)
> {
>   if ((lease->extradata_size - lease->extradata_len) < (len + 1))
>     {
>       size_t newsz = lease->extradata_len + len + 100;
>       unsigned char *new = whine_malloc(newsz);
>
>       if (!new)
>         return;
>
>       if (lease->extradata)
>         {
>           memcpy(new, lease->extradata, lease->extradata_len);
> HERE ==>  free(lease->extradata);
>         }
>
>       lease->extradata = new;
>       lease->extradata_size = newsz;
>     }
>
>   if (len != 0)
>     memcpy(lease->extradata + lease->extradata_len, data, len);
>   lease->extradata[lease->extradata_len + len] = delim;
>   lease->extradata_len += len + 1;
> }
>
> So it seems lease->extradata isn't a pointer returned by malloc(), thus
> you should try to free it. I've got to leave now, hope it gives you
> enough info to actually pinpoint the problem. I'm keeping the core
> files for further investigation (and can also send them if needed).
Many thanks for taking the time to get this, I think I see the problem.
Could you try the following?
at src/rfc2131.c line 1237 which is
free(lease->extradata);
add an extra line
lease->extradata = NULL;
and see if that fixes the crashes.
Cheers,
Simon.
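The failure mode discussed in this thread, a buffer freed at lease reset while the stale pointer is left in the lease, and the one-line fix Simon proposes (NULL the pointer after free), as an added example that is not dnsmasq code. The struct field names match the quoted add_extradata_data(); everything else (the quarantining allocator standing in for ElectricFence, the shape of the reset code at rfc2131.c:1237, the scenario driver, the sample hostname) is assumed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical lease record carrying only the three extradata fields the
 * quoted add_extradata_data() touches. */
struct lease {
    unsigned char *extradata;
    size_t extradata_len;
    size_t extradata_size;
};

/* Toy quarantining allocator (assumption, stands in for ElectricFence/glibc):
 * freed blocks are never returned to the system, so a second free() of the
 * same address is reported instead of corrupting the heap or aborting. */
#define MAX_BLOCKS 64
static struct { void *p; int freed; } blocks[MAX_BLOCKS];
static int nblocks;
static int double_frees;  /* free() calls on pointers that were not live */

static void *q_malloc(size_t n) {
    void *p = malloc(n);
    if (p && nblocks < MAX_BLOCKS) {
        blocks[nblocks].p = p;
        blocks[nblocks].freed = 0;
        nblocks++;
    }
    return p;
}

/* 0 on a valid free, -1 if p is not a live allocation (double free or
 * "address not from malloc", the ElectricFence message in the thread). */
static int q_free(void *p) {
    if (!p) return 0;  /* free(NULL) is a no-op, as in C */
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i].p == p) {
            if (blocks[i].freed) { double_frees++; return -1; }
            blocks[i].freed = 1;  /* quarantine: keep the block, never reuse it */
            return 0;
        }
    }
    double_frees++;
    return -1;
}

/* Same growth logic as the quoted add_extradata_data(), with the free()
 * instrumented. Returns -1 on allocation failure or when the old buffer
 * pointer was not live (with real free() that is the reported crash). */
static int append_extradata(struct lease *l, const unsigned char *data, size_t len, int delim) {
    if (l->extradata_size - l->extradata_len < len + 1) {
        size_t newsz = l->extradata_len + len + 100;
        unsigned char *grown = q_malloc(newsz);
        if (!grown) return -1;
        if (l->extradata) {
            memcpy(grown, l->extradata, l->extradata_len);
            if (q_free(l->extradata) != 0) { q_free(grown); return -1; }
        }
        l->extradata = grown;
        l->extradata_size = newsz;
    }
    if (len != 0) memcpy(l->extradata + l->extradata_len, data, len);
    l->extradata[l->extradata_len + len] = (unsigned char)delim;
    l->extradata_len += len + 1;
    return 0;
}

/* Assumed shape of the reset at rfc2131.c:1237: counters are zeroed but the
 * pointer stays, so the next append takes the growth path and frees it again. */
static void clear_extradata_buggy(struct lease *l) {
    q_free(l->extradata);
    l->extradata_len = l->extradata_size = 0;
}

/* Simon's fix: NULL the pointer so the next growth skips the free(). */
static void clear_extradata_fixed(struct lease *l) {
    q_free(l->extradata);
    l->extradata = NULL;
    l->extradata_len = l->extradata_size = 0;
}

/* One DHCP exchange that records an option, a lease reset, then a second
 * exchange on the same lease. 0 if the second append succeeds, -1 on the
 * double free. The hostname is a constructed sample taken from the gdb dump. */
static int run_scenario(int use_fix) {
    struct lease l = {0};
    const unsigned char hostname[] = "alma.grid";
    if (append_extradata(&l, hostname, sizeof hostname - 1, 0) != 0) return -1;
    if (use_fix) clear_extradata_fixed(&l); else clear_extradata_buggy(&l);
    return append_extradata(&l, hostname, sizeof hostname - 1, 0);
}

int main(void) {
    printf("without fix: %d (double frees seen: %d)\n", run_scenario(0), double_frees);
    printf("with fix:    %d (double frees seen: %d)\n", run_scenario(1), double_frees);
    return 0;
}
```

The quarantine never releases memory, which is what makes the stale pointer value safe to compare here; in the real daemon the same second free() lands in glibc's consistency checks, which is the "double free or corruption" abort at the top of the thread.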