Re: in dict.c, this gets replaced by environment

Emmanuel Dreyfus <manu@xxxxxxxxxx> wrote:

> Using gdb and a watchpoint, I found the place where it gets overwritten.
> The bad news is that the only explanation for the overrun strdup is 
> a heap corruption (I checked the copied string was indeed nul-terminated)

I finally tracked it down, using plain old NetBSD built-in debug
features of malloc: just ask libc to fill free()'ed memory with some
pattern, and suddenly a gdb watchpoint on the corrupted data reveals
what happens:

#0  0xbb3b1b7c in memset () from /usr/lib/libc.so.12
#1  0x00000080 in ?? ()
#2  0xbb35c85d in ?? () from /usr/lib/libc.so.12
#3  0xbb35ec2b in free () from /usr/lib/libc.so.12
#4  0xbb7998db in __gf_free (free_ptr=0xbb140618) at mem-pool.c:285
#5  0xbb799fd6 in mem_put (ptr=0xbb140628) at mem-pool.c:537
#6  0xbb75b23c in dict_destroy (this=0xbb140628) at dict.c:469
#7  0xbb75b2e1 in dict_unref (this=0xbb140628) at dict.c:492
#8  0x08050980 in cli_quotad_clnt_rpc_init () at cli.c:556
#9  0x08050ddf in main (argc=4, argv=0xbf7fec5c) at cli.c:705

This is just a use-after-free bug. Here is a proposed fix for review:
http://review.gluster.org/8502

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@xxxxxxxxxx
_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://supercolony.gluster.org/mailman/listinfo/gluster-devel
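The debugging idea in the message above, poisoning freed memory so that a later stale read stands out, shown as an added example in C. This is not code from the mail or from glusterfs: the tiny refcounted `dict_t`, `dict_unref` and `client_init` only imitate the shape of the backtrace (an object unref'd to zero and then read again), the `POISON` byte value and the quarantine list are this example's own assumptions standing in for what libc's malloc debug option does, and the constructed input string is arbitrary.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte written over every freed block. NetBSD's malloc(3) debug options do
 * the same job inside libc; the exact value used here is an assumption for
 * this example, not taken from libc. */
#define POISON 0xd0

/* Freed blocks are parked in a quarantine instead of being returned to the
 * system, so a later read of them is well defined and can be checked for
 * the poison pattern. (A real allocator would recycle them eventually.) */
#define QUARANTINE_MAX 64
static void *quarantine[QUARANTINE_MAX];
static size_t quarantine_len;

static void dbg_free(void *p, size_t n)
{
    memset(p, POISON, n);                  /* junk-fill on free */
    if (quarantine_len < QUARANTINE_MAX)
        quarantine[quarantine_len++] = p;
    else
        free(p);
}

/* Returns 1 if every byte of [p, p+n) still carries the poison byte, which
 * means the caller is looking at memory that was already freed. */
static int is_poisoned(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != POISON)
            return 0;
    return n > 0;
}

/* Minimal refcounted dictionary imitating the dict_t seen in the backtrace. */
typedef struct {
    int    refcount;
    size_t len;
    char  *data;
} dict_t;

static dict_t *dict_new(const char *value)
{
    dict_t *d = malloc(sizeof *d);
    d->refcount = 1;
    d->len = strlen(value) + 1;
    d->data = malloc(d->len);
    memcpy(d->data, value, d->len);
    return d;
}

static void dict_destroy(dict_t *d)
{
    dbg_free(d->data, d->len);
    dbg_free(d, sizeof *d);
}

static void dict_unref(dict_t *d)
{
    if (--d->refcount == 0)
        dict_destroy(d);
}

/* Reproduces the bug shape from the mail: with release_early the last
 * reference is dropped before the dict is read again. Returns 1 when the
 * poison check catches a stale read, 0 when every access was on live memory. */
static int client_init(int release_early)
{
    dict_t *opts = dict_new("transport=socket");   /* constructed sample value */
    if (release_early)
        dict_unref(opts);          /* bug: object destroyed too early */
    int stale = is_poisoned(opts, sizeof *opts);   /* the "read" after unref */
    if (!release_early)
        dict_unref(opts);          /* correct order: release after last use */
    return stale;
}

int main(void)
{
    printf("early unref detected as stale read: %d\n", client_init(1));
    printf("correct order flagged:              %d\n", client_init(0));
    return 0;
}
```

With a junk-filling allocator the corrupted bytes are no longer a mystery: a gdb watchpoint on the object fires inside `memset` called from `free`, exactly as in the backtrace above, which is what turns "heap corruption" into "use-after-free at this call site".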