Re: Bug#177911: trn4: SEGV in newsgroup selector when server has gone away

Hi folks,

Here's a report filed in the Debian bug tracking system.

On Wed, Jan 22, 2003 at 05:06:58PM +0100, Paul Slootman wrote:
> Package: trn4
> Version: 4.0-test76-3
> Severity: normal
> Tags: patch
> 
> trn was sitting in the newsgroup selector for some time, after I had
> quit a newsgroup. When I hit enter to enter the newsgroup again, the
> server had apparently timed out, and trn crashed.
> 
> (gdb) bt
> #0  0x400c6911 in kill () from /lib/libc.so.6
> #1  0x400c6732 in raise () from /lib/libc.so.6
> #2  0x400c7846 in abort () from /lib/libc.so.6
> #3  0x08055976 in sig_catcher (signo=11) at final.c:231
> #4  0x400c6898 in sigaction () from /lib/libc.so.6
> #5  0x0806d4d7 in thread_close () at rthread.c:167
> #6  0x0805055c in close_cache () at cache.c:136
> #7  0x080686c6 in unuse_multirc (mptr=<incomplete type>) at rcstuff.c:204
> #8  0x080557de in finalize (status=-11) at final.c:123
> #9  0x08055a20 in sig_catcher (signo=11) at final.c:268
> #10 0x400c6898 in sigaction () from /lib/libc.so.6
> #11 0x0806d4d7 in thread_close () at rthread.c:167
> #12 0x0805055c in close_cache () at cache.c:136
> #13 0x080686c6 in unuse_multirc (mptr=<incomplete type>) at rcstuff.c:204
> #14 0x08088b42 in nntp_server_died (dp=0x80ca338) at nntp.c:572
> #15 0x08075b40 in sel_dogroups () at rt-select.c:289
> #16 0x08075f95 in newsgroup_selector () at rt-select.c:419
> #17 0x080821b1 in do_multirc () at trn.c:183
> #18 0x08075d0a in multirc_selector () at rt-select.c:344
> #19 0x08082097 in main (argc=7, argv=0xbffff7e4) at trn.c:126
> (gdb) p datasrc
> $1 = (DATASRC *) 0x0
> 
> 
> nntp_server_died() calls close_datasrc(dp)
>   close_datasrc() sets datasrc to NULL if datasrc == dp
> nntp_server_died() then calls unuse_multirc(mp)
>   unuse_multirc() (eventually) calls close_cache()
>     close_cache() calls thread_close()
>       thread_close() calls ov_close()
>         ov_close() uses datasrc as a pointer. Remember that datasrc was
>                    set to NULL in close_datasrc() earlier! Hence the SIGSEGV
> 
> Simple solution is to check datasrc in ov_close() whether it's valid.
> Of course, perhaps the setting to NULL in close_datasrc() is what's
> wrong; AFAICS this at least will prevent the SEGV.

Thanks for the careful analysis and the patch. Figuring out whether
close_datasrc() is wrong here is beyond me, but perhaps somebody on
trn-workers will know.

> diff -ru trn4-4.0-test76/rt-ov.c trn4-4.0-test76.mine/rt-ov.c
> --- trn4-4.0-test76/rt-ov.c	2000-05-28 22:43:37.000000000 +0200
> +++ trn4-4.0-test76.mine/rt-ov.c	2003-01-22 16:32:37.000000000 +0100
> @@ -483,6 +483,8 @@
>  void
>  ov_close()
>  {
> +    if (!datasrc)
> +        return;
>      if (datasrc->ov_opened) {
>  	if (datasrc->ov_in) {
>  	    (void) fclose(datasrc->ov_in);
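
Review bot: the new "if (!datasrc) return;" at the top of ov_close() has no comment saying when datasrc can be NULL at this point, so the guard will look arbitrary to anyone who has not read the report. A one-line comment naming the nntp_server_died() -> close_datasrc() path would fix that. The check also covers only ov_close(); thread_close() and close_cache() sit on the same path in the backtrace and are worth checking for datasrc use of their own.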

This makes sense to me, so I've applied it to the Debian package. Well,
actually, I preferred this:

--- trn4-4.0-test76.orig/rt-ov.c
+++ trn4-4.0-test76/rt-ov.c
@@ -483,7 +483,7 @@
 void
 ov_close()
 {
-    if (datasrc->ov_opened) {
+    if (datasrc && datasrc->ov_opened) {
 	if (datasrc->ov_in) {
 	    (void) fclose(datasrc->ov_in);
 	    datasrc->ov_in = NULL;
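
Review bot: folding the test into the condition, "if (datasrc && datasrc->ov_opened)", protects only the body of that if block, and the hunk does not show what follows its closing brace. If any statement after the block in ov_close() touches datasrc, it would still run with datasrc NULL. Confirm there is none, or keep the early return from the submitted patch, which covers the whole function.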

... not that it's very important either way.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
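
A simplified C model of the call order described in the quoted analysis, added here as an illustration and not code from trn or from either patch. The DATASRC field names follow the hunks; ov_close_guarded(), close_datasrc_model() and both died_* helpers are hypothetical. In this model the guard stops the NULL dereference but leaves the overview file open on that path, while running the teardown before clearing the global still closes it.

```c
#include <stdio.h>

/* Simplified model: field names follow the patch, everything else is assumed. */
typedef struct { int ov_opened; FILE *ov_in; } DATASRC;
static DATASRC *datasrc;          /* the "current" source, as in the report */

/* Guarded ov_close(): returns 1 if it ran the close logic, 0 if it skipped. */
static int ov_close_guarded(void)
{
    if (!datasrc || !datasrc->ov_opened)
        return 0;                 /* unguarded code dereferenced NULL here */
    if (datasrc->ov_in) {
        (void) fclose(datasrc->ov_in);
        datasrc->ov_in = NULL;
    }
    datasrc->ov_opened = 0;       /* assumed bookkeeping for this model */
    return 1;
}

/* Clears the global when the dying source is the current one. */
static void close_datasrc_model(DATASRC *dp)
{
    if (datasrc == dp)
        datasrc = NULL;
}

/* Order from the report: close the source first, then run the teardown. */
static int died_close_first(DATASRC *dp)
{
    close_datasrc_model(dp);
    return ov_close_guarded();    /* datasrc is NULL by now: guard skips */
}

/* Alternative order (an assumption): teardown first, then clear the global. */
static int died_teardown_first(DATASRC *dp)
{
    int closed = ov_close_guarded();
    close_datasrc_model(dp);
    return closed;
}

int main(void)
{
    DATASRC a = {1, tmpfile()}, b = {1, tmpfile()};   /* constructed inputs */
    datasrc = &a; printf("close first:    closed=%d\n", died_close_first(&a));
    datasrc = &b; printf("teardown first: closed=%d\n", died_teardown_first(&b));
    if (a.ov_in) fclose(a.ov_in); /* still open: the guarded path skipped it */
    return 0;
}
```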

