[Dnsmasq-discuss] crash on double free

Ferenc Wagner wferi at niif.hu
Tue Sep 14 15:48:09 BST 2010


Ferenc Wagner <wferi at niif.hu> writes:

> Ferenc Wagner <wferi at niif.hu> writes:
>
>> *** glibc detected *** /usr/sbin/dnsmasq: double free or corruption (top): 0x08ab60b8 ***
>> [...]
>>
>> I've got the core file, but no debugging info.  The binary is the Debian
>> Squeeze one from dnsmasq-base_2.55-1_i386.deb, running on a Lenny
>> system...  I decided to still report this, because I don't think mixing
>> in this package from another distribution should matter.  Maybe I'm wrong.
>> It's a pity dnsmasq-core-dbg does not exist.  Tomorrow I'll probably get
>> a chance to rebuild the package with debugging info.
>
> I rebuilt the 2.55-1 source package under Lenny with debug info, and
> reproduced the crash.  The backtrace is somewhat broken (address
> 0x2b07\n?!), but maybe still useful:
>
> $ gdb dnsmasq core
> GNU gdb 6.8-debian
> [...]
> Core was generated by `/usr/sbin/dnsmasq -d -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq'.
> Program terminated with signal 6, Aborted.
> (gdb) bt
> #0  0xb7719416 in __kernel_vsyscall ()
> #1  0xb7578640 in raise () from /lib/i686/cmov/libc.so.6
> #2  0xb757a018 in abort () from /lib/i686/cmov/libc.so.6
> #3  0xb75b548d in __libc_message () from /lib/i686/cmov/libc.so.6
> #4  0xb75bb764 in malloc_printerr () from /lib/i686/cmov/libc.so.6
> #5  0xb75bd966 in free () from /lib/i686/cmov/libc.so.6
> #6  0x08060346 in do_script_run (now=1284470981) at lease.c:602
> #7  0x0805d047 in main (argc=Cannot access memory at address 0x2b07
> ) at dnsmasq.c:617
>
> I'll try to link in efence, and hope for a better report.

It said:

ElectricFence Aborting: free(b7215f8c): address not from malloc().
Illegal instruction (core dumped)

and the backtrace is:

#0  0xb7782416 in __kernel_vsyscall ()
#1  0xb75dc956 in kill () from /lib/i686/cmov/libc.so.6
#2  0xb770edd5 in EF_Abort () from /usr/lib/libefence.so.0
#3  0xb770e159 in free () from /usr/lib/libefence.so.0
#4  0x080623aa in add_extradata_data (lease=0xb71c7fac, 
    data=0xb720fb68 "Linux ipconfigÿ\001þ\006\004\nú\001þ\017\talma.grid\f\02152-54-00-12-34-56\021\020/var/lib/nfsrootÿ", len=14, delim=0) at rfc2131.c:1525
#5  0x0806242c in add_extradata_opt (lease=0xb71c7fac, opt=<value optimized out>) at rfc2131.c:1555
#6  0x08067040 in dhcp_reply (context=0xb7549fc4, iface_name=0xbfdb6854 "br-alma-g", int_index=10, 
    sz=283, now=1284475079, unicast_dest=0, is_inform=0xbfdb68d4, pxe=0) at rfc2131.c:1240
#7  0x0805fb3e in dhcp_packet (now=1284475079, pxe_fd=0) at dhcp.c:301
#8  0x0805d7de in main (argc=Cannot access memory at address 0x4
) at dnsmasq.c:688

which points at

static void add_extradata_data(struct dhcp_lease *lease, unsigned char *data, size_t len, int delim)
{
  if ((lease->extradata_size - lease->extradata_len) < (len + 1))
    {
      size_t newsz = lease->extradata_len + len + 100;
      unsigned char *new = whine_malloc(newsz);
  
      if (!new)
        return;
      
      if (lease->extradata)
        {
          memcpy(new, lease->extradata, lease->extradata_len);
HERE ==>  free(lease->extradata);
        }

      lease->extradata = new;
      lease->extradata_size = newsz;
    }

  if (len != 0)
    memcpy(lease->extradata + lease->extradata_len, data, len);
  lease->extradata[lease->extradata_len + len] = delim;
  lease->extradata_len += len + 1; 
}

So it seems lease->extradata isn't a pointer returned by malloc(), thus
you should try to free it.  I've got to leave now, hope it gives you
enough info to actually pinpoint the problem.  I'm keeping the core
files for further investigation (and can also send them if needed).
-- 
Thanks,
Feri.
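The ElectricFence report above ("address not from malloc()") describes a free() of a pointer the allocator never handed out. The following C program is an added illustration of that failure mode and of one defensive pattern against it; it is not dnsmasq's code and makes no claim about the actual root cause in rfc2131.c. The `struct lease`, `append_extradata`, `extradata_owned` and `demo_scenario` names are hypothetical, and the starting state (extradata pointing at a static buffer) is a constructed scenario: the append routine mirrors the growth logic of add_extradata_data, but records whether the current buffer came from malloc() and only frees it when it did.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the lease fields the routine touches.
   Hypothetical type, not dnsmasq's struct dhcp_lease. */
struct lease {
    unsigned char *extradata;
    size_t extradata_size;
    size_t extradata_len;
    int extradata_owned;   /* 1 only when extradata was returned by malloc() */
};

/* Append len bytes plus one delimiter byte, growing the buffer when needed.
   Same growth policy as the quoted routine (len + 100 slack), but the old
   buffer is passed to free() only if this code allocated it.
   Returns 0 on success, -1 if the allocation fails. */
static int append_extradata(struct lease *lease, const unsigned char *data,
                            size_t len, int delim)
{
    if ((lease->extradata_size - lease->extradata_len) < (len + 1)) {
        size_t newsz = lease->extradata_len + len + 100;
        unsigned char *new_buf = malloc(newsz);

        if (!new_buf)
            return -1;

        if (lease->extradata) {
            memcpy(new_buf, lease->extradata, lease->extradata_len);
            /* Hand back to free() only what malloc() gave us; a static,
               stack or foreign buffer must simply be abandoned. */
            if (lease->extradata_owned)
                free(lease->extradata);
        }

        lease->extradata = new_buf;
        lease->extradata_size = newsz;
        lease->extradata_owned = 1;
    }

    if (len != 0)
        memcpy(lease->extradata + lease->extradata_len, data, len);
    lease->extradata[lease->extradata_len + len] = (unsigned char)delim;
    lease->extradata_len += len + 1;
    return 0;
}

/* Constructed scenario: the lease starts out pointing at a buffer that did
   NOT come from malloc(). An unconditional free() in the grow path would
   trip exactly the check ElectricFence reported. */
static unsigned char initial_buf[16];

/* Runs two appends (the second forces a reallocation) and returns the final
   extradata_len, or a negative code if any invariant is violated. */
long demo_scenario(void)
{
    struct lease lease = { initial_buf, sizeof initial_buf, 0, 0 };
    unsigned char big[120];
    long n;

    memset(big, 'x', sizeof big);

    /* 3 bytes + delimiter fit in the 16-byte static buffer: no growth. */
    if (append_extradata(&lease, (const unsigned char *)"ABC", 3, 0) != 0)
        return -1;
    if (lease.extradata_owned != 0 || lease.extradata != initial_buf)
        return -2;

    /* 120 bytes + delimiter do not fit: growth into a heap buffer, and the
       static buffer is left alone instead of being freed. */
    if (append_extradata(&lease, big, sizeof big, 0) != 0)
        return -3;
    if (!lease.extradata_owned || lease.extradata == initial_buf)
        return -4;

    /* Earlier record and its delimiter survived the copy. */
    if (memcmp(lease.extradata, "ABC", 3) != 0 || lease.extradata[3] != 0)
        return -5;
    /* New record and its delimiter landed after the old data. */
    if (memcmp(lease.extradata + 4, big, sizeof big) != 0 ||
        lease.extradata[4 + sizeof big] != 0)
        return -6;

    n = (long)lease.extradata_len;   /* (3 + 1) + (120 + 1) = 125 */
    free(lease.extradata);           /* now genuinely heap-owned */
    return n;
}

int main(void)
{
    printf("final extradata_len = %ld\n", demo_scenario());
    return 0;
}
```

The ownership flag is one way to keep such a routine safe when the initial buffer can come from anywhere; the alternative is to guarantee by construction that the field is either NULL or a malloc() result, which is the invariant the quoted code relies on. Running the same program under ElectricFence with the `if (lease->extradata_owned)` guard removed reproduces the "address not from malloc()" abort on the second append.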
