[Dnsmasq-discuss] crash on double free
Ferenc Wagner
wferi at niif.hu
Mon Sep 20 16:24:48 BST 2010
Simon Kelley <simon at thekelleys.org.uk> writes:
> On 15/09/10 12:07, Ferenc Wagner wrote:
>
>> However, I also got a different crash with the original binary. I hope
>> it's a different realisation of the same problem, can you confirm?
>>
>> (gdb) bt
>> #0 0xb7599d5a in memcpy () from /lib/i686/cmov/libc.so.6
>> #1 0x080623d0 in add_extradata_data (lease=0xb74f6fac,
>> data=0xb7182b68 "Linux ipconfigÿ\001þ\006\004\nú\001þ\017\talma.grid\f\02152-54-00-12-34-56\021\020/var/lib/nfsrootÿ", len=3071814504, delim=0) at rfc2131.c:1533
>> #2 0x0806242c in add_extradata_opt (lease=0xb74f6fac, opt=<value optimized out>) at rfc2131.c:1555
>> #3 0x08067040 in dhcp_reply (context=0xb74bafc4, iface_name=0xbfda1124 "br-alma-g", int_index=10,
>> sz=283, now=1284499746, unicast_dest=0, is_inform=0xbfda11a4, pxe=0) at rfc2131.c:1240
>> #4 0x0805fb3e in dhcp_packet (now=1284499746, pxe_fd=0) at dhcp.c:301
>> #5 0x0805d7de in main (argc=Cannot access memory at address 0x3
>> ) at dnsmasq.c:688
>> (gdb) up
>> #1 0x080623d0 in add_extradata_data (lease=0xb74f6fac,
>> data=0xb7182b68 "Linux ipconfigÿ\001þ\006\004\nú\001þ\017\talma.grid\f\02152-54-00-12-34-56\021\020/var/lib/nfsrootÿ", len=3071814504, delim=0) at rfc2131.c:1533
>> 1533 memcpy(lease->extradata + lease->extradata_len, data, len);
>>
>> The passed-in value of "len" is obviously bogus here.
>>
>> (gdb) p lease->extradata
>> $1 = (unsigned char *) 0xb7184f8c "Linux ipconfig"
>> (gdb) p lease->extradata_len
>> $2 = 0
>> (gdb) p data
>> $3 = (
>> unsigned char *) 0xb7182b68 "Linux ipconfigÿ\001þ\006\004\nú\001þ\017\talma.grid\f\02152-54-00-12-34-56\021\020/var/lib/nfsrootÿ"
>
> I can't see any other reason for this problem, I'm pretty sure it's
> down to heap corruption from an earlier double-free.
It's a rather narrow chance, as I was running under electric fence...
>> I'm continuing testing the fix. It usually took me tens of minutes to
>> reproduce the crash, but with the change it already survived more than
>> an hour. Unfortunately, it isn't fully automatic (because of other bugs
>> in other software).
>
> To trigger this bug, there needs to be a dhcp-script, obviously. But
> also the rate of DHCP transactions needs to be fast enough and/or the
> script needs to be slow enough so that a second DHCP transaction
> happens on a lease before the first one has been sent to the
> DHCP-script. This is pretty rare, hence no-one has seen this bug, as
> far as I know, even though it has been lurking for some time (years).
Well, this doesn't fully match my test setup, which contained a single
netbooted Linux continuously rebooting in Qemu. The exotic part is that
the PXE ROM used the network interface natively, while the Linux system
with an added 802.1q tag. So a single lease was ping-ponging between
two different subnets.
--
Cheers,
Feri.
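The backtrace above dies inside memcpy at rfc2131.c:1533 because a corrupted len is never sanity-checked before the copy, and the thread attributes the corruption to an earlier double free on the lease's extradata. As an added example (not dnsmasq's code; the struct, the EXTRADATA_MAX cap and take_extradata are hypothetical, modelled on the names in the backtrace), a version of the append that rejects impossible lengths and hands the buffer to the script path by ownership transfer, so a second transaction on the same lease cannot free it twice:

```c
#include <stdlib.h>
#include <string.h>

#define EXTRADATA_MAX 4096  /* hypothetical per-lease hard cap */

struct lease {
    unsigned char *extradata;
    size_t extradata_len;   /* bytes used */
    size_t extradata_size;  /* bytes allocated */
};

/* Append len bytes plus one delimiter byte.
   Returns 0 on success, -1 on an implausible len or allocation failure. */
int add_extradata_data(struct lease *lease, const unsigned char *data,
                       size_t len, unsigned char delim)
{
    /* A DHCP option payload can never approach EXTRADATA_MAX; a value like
       the 3071814504 in the crash fails here instead of reaching memcpy. */
    if (len >= EXTRADATA_MAX || lease->extradata_len > EXTRADATA_MAX - len - 1)
        return -1;
    size_t need = lease->extradata_len + len + 1;
    if (need > lease->extradata_size) {
        size_t newsize = lease->extradata_size ? lease->extradata_size : 64;
        while (newsize < need)
            newsize *= 2;
        unsigned char *p = realloc(lease->extradata, newsize);
        if (!p)
            return -1;
        lease->extradata = p;
        lease->extradata_size = newsize;
    }
    memcpy(lease->extradata + lease->extradata_len, data, len);
    lease->extradata[lease->extradata_len + len] = delim;
    lease->extradata_len += len + 1;
    return 0;
}

/* Hand the buffer to whoever runs the dhcp-script. The lease gives up
   ownership, so a later transaction on the same lease allocates afresh
   rather than freeing memory the script side will free itself. */
unsigned char *take_extradata(struct lease *lease, size_t *len_out)
{
    unsigned char *p = lease->extradata;
    *len_out = lease->extradata_len;
    lease->extradata = NULL;
    lease->extradata_len = 0;
    lease->extradata_size = 0;
    return p;
}
```

Whoever receives the pointer from take_extradata is the only party that frees it; the lease itself never calls free on extradata.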