[Dnsmasq-discuss] segmentation fault after upgrade to 2.77

AW arne_woerner at yahoo.com
Wed Jul 26 14:52:51 BST 2017


seems like something weird is going on in helper.c... see the gdb output...


since transfer->file->filename can never be zero (as long as transfer->file plus 20 bytes or so is not zero), it seems like someone is writing zeroes to the stack after the correct transfer->file->filename has been written and before strlen() is called (or do they use a register at -O2? nope: pushl 0x40(%esp) // call 3700 <strlen at plt>)...
maybe someone who knows more about transfer->file can see what is wrong here...
-Arne
gdb output:

dnsmasq-dhcp: 3182551826 sent size:  4 option: 28 broadcast  192.168.1.255
dnsmasq-dhcp: 3182551826 sent size: 12 option:209   70:78:65:2f:67:72:75:62:2e:63:66:67
dnsmasq-dhcp: 3182551826 sent size:  4 option:  3 router  192.168.1.1
dnsmasq-tftp: error 8 User aborted the transfer received from 192.168.1.2
dnsmasq-tftp: failed sending /var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi to 192.168.1.2
dnsmasq-tftp: sent /var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi to 192.168.1.2

Program received signal SIGSEGV, Segmentation fault.
0xb7ef0bc6 in __strlen_sse2 () from /usr/lib/libc.so.6
(gdb) where
#0  0xb7ef0bc6 in __strlen_sse2 () from /usr/lib/libc.so.6
#1  0x8002b8b7 in queue_tftp (file_len=203776, filename=0x0, peer=0x8005bf68) at helper.c:819
#2  0x8002d3b3 in do_tftp_script_run () at tftp.c:811
#3  0x80006875 in main (argc=<optimized out>, argv=<optimized out>) at dnsmasq.c:955
(gdb) frame 1
#1  0x8002b8b7 in queue_tftp (file_len=203776, filename=0x0, peer=0x8005bf68) at helper.c:819
819   filename_len = strlen(filename) + 1;
(gdb) list
814
815   /* no script */
816   if (daemon->helperfd == -1)
817     return;
818
819   filename_len = strlen(filename) + 1;
820   buff_alloc(sizeof(struct script_data) +  filename_len);
821   memset(buf, 0, sizeof(struct script_data));
822
823   buf->action = ACTION_TFTP;
(gdb) print filename
$1 = 0x0
(gdb) frame 2
#2  0x8002d3b3 in do_tftp_script_run () at tftp.c:811
811       queue_tftp(transfer->file->size, transfer->file->filename, &transfer->peer);
(gdb) list
806
807   if ((transfer = daemon->tftp_done_trans))
808     {
809       daemon->tftp_done_trans = transfer->next;
810 #ifdef HAVE_SCRIPT
811       queue_tftp(transfer->file->size, transfer->file->filename, &transfer->peer);
812 #endif
813       free_transfer(transfer);
814       return 1;
815     }
(gdb) print *transfer->file
$2 = {refcount = 1, fd = 15, size = 203776, dev = 20, inode = 5570, filename = 0x8005bf68 "/var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi"}
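The trace above faults at helper.c:819 because strlen() receives a NULL filename. As an added example (not dnsmasq's own code; struct script_data is a constructed stand-in and the function names are assumed), this is the defensive shape of that message-building step: reject a NULL or empty filename before it reaches strlen(), so a bad caller argument degrades to "no script run" instead of SIGSEGV.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for dnsmasq's struct script_data; only its
   size matters for the length arithmetic shown in the trace. */
struct script_data {
    int action;
    size_t file_len;
};

/* Hardened version of the helper.c:819-820 arithmetic (assumed name).
   Returns the total bytes to allocate, or 0 if the filename is NULL or
   empty and nothing should be queued. *filename_len gets strlen()+1. */
size_t queue_tftp_len_checked(const char *filename, size_t *filename_len)
{
    if (filename == NULL || *filename == '\0') {
        if (filename_len) *filename_len = 0;
        return 0;
    }
    size_t len = strlen(filename) + 1;      /* include the NUL, as helper.c does */
    if (filename_len) *filename_len = len;
    return sizeof(struct script_data) + len;
}

/* Builds the script message the way lines 820-821 do: allocate, zero the
   header, copy the filename after it. Returns NULL if the filename was
   rejected or allocation failed; caller frees. */
char *build_tftp_script_msg(const char *filename, size_t *out_len)
{
    size_t flen;
    size_t total = queue_tftp_len_checked(filename, &flen);
    if (total == 0) return NULL;
    char *buf = malloc(total);
    if (!buf) return NULL;
    memset(buf, 0, sizeof(struct script_data));
    memcpy(buf + sizeof(struct script_data), filename, flen);
    if (out_len) *out_len = total;
    return buf;
}

/* Round-trip check: 1 if a message was built and carries the filename
   intact after the header, 0 if the input was rejected. */
int check_msg_roundtrip(const char *filename)
{
    size_t total = 0;
    char *msg = build_tftp_script_msg(filename, &total);
    if (!msg) return 0;
    int ok = strcmp(msg + sizeof(struct script_data), filename) == 0 &&
             total == sizeof(struct script_data) + strlen(filename) + 1;
    free(msg);
    return ok;
}
```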

   