Emmanuel Dreyfus <manu@xxxxxxxxxx> wrote:
> Using gdb and a watchpoint, I found the place where it gets overwritten.
> The bad news is that the only explanation for the overrun strdup is
> a heap corruption (I checked the copied string was indeed nul-terminated)

I finally tracked it down, using plain old NetBSD built-in debug features of malloc: just ask libc to fill free()'ed memory with some pattern, and suddenly a gdb watchpoint on the corrupted data reveals what happens:

#0  0xbb3b1b7c in memset () from /usr/lib/libc.so.12
#1  0x00000080 in ?? ()
#2  0xbb35c85d in ?? () from /usr/lib/libc.so.12
#3  0xbb35ec2b in free () from /usr/lib/libc.so.12
#4  0xbb7998db in __gf_free (free_ptr=0xbb140618) at mem-pool.c:285
#5  0xbb799fd6 in mem_put (ptr=0xbb140628) at mem-pool.c:537
#6  0xbb75b23c in dict_destroy (this=0xbb140628) at dict.c:469
#7  0xbb75b2e1 in dict_unref (this=0xbb140628) at dict.c:492
#8  0x08050980 in cli_quotad_clnt_rpc_init () at cli.c:556
#9  0x08050ddf in main (argc=4, argv=0xbf7fec5c) at cli.c:705

This is just a use-after-free bug. Here is a proposed fix for review:
http://review.gluster.org/8502

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@xxxxxxxxxx

_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://supercolony.gluster.org/mailman/listinfo/gluster-devel
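The mechanism the email leans on, as an added illustration that is not part of the thread, the GlusterFS code, or the fix under review: a debug allocator that overwrites freed memory with a fixed pattern turns a silent use-after-free into a visible one, because the dangling read returns the pattern and a watchpoint on the block fires inside the allocator's memset, exactly as in the backtrace above. Everything here is constructed: the bump arena standing in for libc malloc (so the post-free read stays well-defined for the demonstration, which it is not with real free()), the 0x5a fill byte, and the toy_dict type that owns a string the way the real dict owns its values. The first demo reproduces the bug shape (pointer kept across dict destruction, then copied as strdup() would); the second shows the fix shape (copy while the owner is alive).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed fill byte: 0x5a is 'Z', so a dangling string reads "ZZZZ...". */
#define FREE_JUNK 0x5a
#define ARENA_SIZE 4096

/* Bump arena standing in for malloc; it never reuses memory, which is what
 * makes inspecting a freed block well-defined in this demo only. */
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

void *dbg_malloc(size_t n)
{
    size_t aligned = (n + 15) & ~(size_t)15;
    if (arena_used + aligned > ARENA_SIZE)
        return NULL;
    void *p = arena + arena_used;
    arena_used += aligned;
    return p;
}

/* The debug behaviour: overwrite the block on free. A gdb watchpoint on
 * any byte of the block fires inside this memset, with free() above it. */
void dbg_free(void *p, size_t n)
{
    if (p != NULL)
        memset(p, FREE_JUNK, n);
}

/* Heuristic: does the block carry the free-fill pattern end to end? */
int looks_freed(const void *p, size_t n)
{
    const unsigned char *b = p;
    if (n == 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (b[i] != FREE_JUNK)
            return 0;
    return 1;
}

/* Hypothetical owner of a string value (not GlusterFS's dict_t). */
struct toy_dict {
    char *value;
    size_t len; /* strlen(value) */
};

struct toy_dict *toy_dict_new(const char *v)
{
    struct toy_dict *d = dbg_malloc(sizeof *d);
    if (d == NULL)
        return NULL;
    d->len = strlen(v);
    d->value = dbg_malloc(d->len + 1);
    if (d->value == NULL)
        return NULL;
    memcpy(d->value, v, d->len + 1);
    return d;
}

void toy_dict_destroy(struct toy_dict *d)
{
    if (d == NULL)
        return;
    dbg_free(d->value, d->len + 1);
    dbg_free(d, sizeof *d);
}

/* Bug shape: keep a pointer into the value, destroy the owner, then copy
 * like strdup() would. Returns 1 if the dangling block is all FREE_JUNK. */
int demo_use_after_free(char *out, size_t outlen)
{
    struct toy_dict *d = toy_dict_new("volume-name");
    const char *dangling = d->value;
    size_t len = d->len;
    toy_dict_destroy(d);
    size_t n = len < outlen - 1 ? len : outlen - 1;
    memcpy(out, dangling, n);
    out[n] = '\0';
    return looks_freed(dangling, len + 1);
}

/* Fix shape: copy while the owner is alive, then destroy. Returns 0. */
int demo_copy_before_destroy(char *out, size_t outlen)
{
    struct toy_dict *d = toy_dict_new("volume-name");
    size_t n = d->len < outlen - 1 ? d->len : outlen - 1;
    memcpy(out, d->value, n);
    out[n] = '\0';
    toy_dict_destroy(d);
    return looks_freed(out, n + 1);
}

int main(void)
{
    char a[64], b[64];
    printf("use-after-free copy: \"%s\" (freed=%d)\n", a, demo_use_after_free(a, sizeof a));
    printf("copy-then-destroy:   \"%s\" (freed=%d)\n", b, demo_copy_before_destroy(b, sizeof b));
    return 0;
}
```

The junk fill does not catch the bug by itself; it makes the corrupted value recognisable (a run of 'Z') and gives the watchpoint a single write to stop on, which is what exposed dict_destroy in the real trace. The durable fix is the one the review link proposes for the actual code: take the copy (or a reference) before the owner is released.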