[Dnsmasq-discuss] segmentation fault after upgrade to 2.77
AW
arne_woerner at yahoo.com
Wed Jul 26 14:52:51 BST 2017
seems like something weird is going on in helper.c... see the gdb output...
since transfer->file->filename can never be zero (as long as transfer->file plus 20 bytes or so is not zero), it seems like someone is writing zeroes to the stack after the correct transfer->file->filename has been written and b4 strlen() is called (or do they use a register at -O2? nope: pushl 0x40(%esp) // call 3700 <strlen at plt>)...
maybe someone who knows more about transfer->file can see, what is wrong here...
-Arne
gdb output:

dnsmasq-dhcp: 3182551826 sent size:  4 option: 28 broadcast  192.168.1.255
dnsmasq-dhcp: 3182551826 sent size: 12 option:209  70:78:65:2f:67:72:75:62:2e:63:66:67
dnsmasq-dhcp: 3182551826 sent size:  4 option:  3 router  192.168.1.1
dnsmasq-tftp: error 8 User aborted the transfer received from 192.168.1.2
dnsmasq-tftp: failed sending /var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi to 192.168.1.2
dnsmasq-tftp: sent /var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi to 192.168.1.2

Program received signal SIGSEGV, Segmentation fault.
0xb7ef0bc6 in __strlen_sse2 () from /usr/lib/libc.so.6
(gdb) where
#0  0xb7ef0bc6 in __strlen_sse2 () from /usr/lib/libc.so.6
#1  0x8002b8b7 in queue_tftp (file_len=203776, filename=0x0, peer=0x8005bf68) at helper.c:819
#2  0x8002d3b3 in do_tftp_script_run () at tftp.c:811
#3  0x80006875 in main (argc=<optimized out>, argv=<optimized out>) at dnsmasq.c:955
(gdb) frame 1
#1  0x8002b8b7 in queue_tftp (file_len=203776, filename=0x0, peer=0x8005bf68) at helper.c:819
819	  filename_len = strlen(filename) + 1;
(gdb) list
814	
815	  /* no script */
816	  if (daemon->helperfd == -1)
817	    return;
818	
819	  filename_len = strlen(filename) + 1;
820	  buff_alloc(sizeof(struct script_data) + filename_len);
821	  memset(buf, 0, sizeof(struct script_data));
822	
823	  buf->action = ACTION_TFTP;
(gdb) print filename
$1 = 0x0
(gdb) frame 2
#2  0x8002d3b3 in do_tftp_script_run () at tftp.c:811
811	  queue_tftp(transfer->file->size, transfer->file->filename, &transfer->peer);
(gdb) list
806	
807	  if ((transfer = daemon->tftp_done_trans))
808	    {
809	      daemon->tftp_done_trans = transfer->next;
810	#ifdef HAVE_SCRIPT
811	      queue_tftp(transfer->file->size, transfer->file->filename, &transfer->peer);
812	#endif
813	      free_transfer(transfer);
814	      return 1;
815	    }
(gdb) print *transfer->file
$2 = {refcount = 1, fd = 15, size = 203776, dev = 20, inode = 5570, filename = 0x8005bf68 "/var/dnsmasq/tftpboot/pxe/x86_64-efi/core.efi"}