View Issue Details

ID: 0003689
Project/Category: unrealircd
View Status: public
Last Update: 2009-01-18 17:22
Reporter: Monk
Assigned To: syzop
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: i386
OS: Linux
OS Version: Debian Lenny
Product Version: 3.2.7
Target Version:
Fixed in Version: 3.2.8
Summary: 0003689: Address out of bounds
Description:
=================== START HERE ======================
BACKTRACE:
Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Core was generated by `/home/wintermute/lircd/lircd'.
Program terminated with signal 11, Segmentation fault.
#0 match (mask=0x20736e69 <Address 0x20736e69 out of bounds>, name=0x818d4a2 "PotFun.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {
#0 match (mask=0x20736e69 <Address 0x20736e69 out of bounds>, name=0x818d4a2 "PotFun.MindForge.org") at match.c:411
#1 0xb7beb9d6 in m_server_remote (cptr=0x818d3b8, sptr=0x818f828, parc=5, parv=0x8123000) at m_server.c:520
#2 0xb7beda1f in m_server (cptr=0x818d3b8, sptr=0x818f828, parc=5, parv=0x8123000) at m_server.c:443
#3 0x0806a1ab in parse (cptr=0x818d3b8, buffer=0x818d49c "@3A '", bufend=0x818d4cd "") at parse.c:440
#4 0x0806948b in dopacket (cptr=0x818d3b8, buffer=0x80b61c0 "\020pûG^*úqÐÁÀ[a\200\rf\r&`Dd3i*Dy\006", length=1) at packet.c:138
#5 0x0805abad in read_message (delay=1, listp=0x815e3a0) at s_bsd.c:1475
#6 0x08064c57 in main (argc=<value optimized out>, argv=0xbf94abb4) at ircd.c:1597

#0 match (mask=0x20736e69 <Address 0x20736e69 out of bounds>, name=0x818d4a2 "PotFun.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {

0x816b640 <backupbuf>: "@3A ' PotFun.MindForge.org 4 228 :Taste the stuff"

#0 match (mask=0x20736e69 <Address 0x20736e69 out of bounds>, name=0x818d4a2 "PotFun.MindForge.org") at match.c:411
No locals.
#1 0xb7beb9d6 in m_server_remote (cptr=0x818d3b8, sptr=0x818f828, parc=5, parv=0x8123000) at m_server.c:520
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bcptr = <value optimized out>
        bconf = <value optimized out>
        info = "Taste the stuff", '\0' <repeats 95 times>
        numeric = 228
        servername = 0x818d4a2 "PotFun.MindForge.org"
        i = <value optimized out>
#2 0xb7beda1f in m_server (cptr=0x818d3b8, sptr=0x818f828, parc=5, parv=0x8123000) at m_server.c:443
        xerrmsg = "\202È·\000\000\000\000\000\000\000\000\001\214È·)\2228\b)\2228\bÛÔ\030\b}w\000\000\000\000\000\000\000\000\000\000TÛ×·\r\000\000\000\aö$\b(ï\031\b-b\v\b\000\000\000\000\f=\023\b_<\023\b^»\024\b\000\200\000\000m­\000\000á­\000\000F®\000\000f®\000\000Ú®\000\000B¯\000\000§¯\000\000ǯ\000\000:°\000\000®°\000\000#±\000\000\211±\000\000\006²\000\000°\000\000\000r\000\000\000H¥\224¿\031±×·C{)r\020=\023\b\000\000\000\000xøÀ·\000\000\000\000\000\000\000\0008¥\224¿\216¿½·$¥\224¿\000\000\000\000ØRÀ·ÿ\001\000\0000\207À·¨"...
        link = <value optimized out>
        servername = 0x818d4a2 "PotFun.MindForge.org"
        inpath = 0x8123be0 "JaMei.MindForge.org[@127.0.0.1.0]"
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bconf = <value optimized out>
        numeric = <value optimized out>
        info = "øÀ·\0000\022\b¸Ó\030\b8¥\224¿Êü¼·¸Ó\030\bPeÀ·`0\022\bµÔ\030\b¸Ô\030\bXD&\b8¥\224¿\001\000\000\000¸Ó\030\000\000\000\000\000¤²\030\bx\023\034\b\b°\030\b\032\000\000\0008¥\224¿:\227\006\bHç\033\b Ô\030\b8¥\224¿¶Ô\030\b\0000\000\b'\000\000\000\vؾ·"
        aconf = <value optimized out>
        deny = <value optimized out>
        flags = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        protocol = <value optimized out>
        inf = <value optimized out>
        num = <value optimized out>
GCC: gcc version 4.2.3 (Debian 4.2.3-3)
UNAME: Linux server105.gigenet.com 2.6.24-1-686 #1 SMP Sat Apr 19 00:37:55 UTC 2008 i686 GNU/Linux
UNREAL: Unreal3.2.7 build 1.1.1.1.2.1.2.1.2.2234.2.676 2007/07/13 10:43:04
CORE: -rw------- 1 wintermute wintermute 10461184 2008-05-03 16:44 core.19750
=================== STOP HERE ======================


=================== START HERE ======================
BACKTRACE:
Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Core was generated by `/home/neuromancer/lircd/lircd'.
Program terminated with signal 11, Segmentation fault.
#0 match (mask=0x20736e69 <Address 0x20736e69 out of bounds>, name=0x8192461 "Wintermute.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {
#0 match (mask=0x20736e69 <Address 0x20736e69 out of bounds>, name=0x8192461 "Wintermute.MindForge.org") at match.c:411
#1 0xb7bd29d6 in m_server_remote (cptr=0x8192378, sptr=0x8192378, parc=5, parv=0x8123000) at m_server.c:520
#2 0xb7bd4a1f in m_server (cptr=0x8192378, sptr=0x8192378, parc=5, parv=0x8123000) at m_server.c:443
#3 0x0806a1ab in parse (cptr=0x8192378, buffer=0x819245c "@A '", bufend=0x8192489 "") at parse.c:440
#4 0x0806948b in dopacket (cptr=0x8192378,
    buffer=0x80b61c0 "då\225è\233\212~|K°¯?p˨\225\006\0230Ô³\2314\025¢<\003|\200,\005lj\201ãÉ »\001\201·\002\0027\017¢\036G\026í`\b<rÇ", length=96)
    at packet.c:138
#5 0x0805abad in read_message (delay=1, listp=0x815e3a0) at s_bsd.c:1475
#6 0x08064c57 in main (argc=<value optimized out>, argv=0xbfd40f94) at ircd.c:1597

#0 match (mask=0x20736e69 <Address 0x20736e69 out of bounds>, name=0x8192461 "Wintermute.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {

0x816b640 <backupbuf>: "@A ' Wintermute.MindForge.org 2 30 :MindForge"

#0 match (mask=0x20736e69 <Address 0x20736e69 out of bounds>, name=0x8192461 "Wintermute.MindForge.org") at match.c:411
No locals.
#1 0xb7bd29d6 in m_server_remote (cptr=0x8192378, sptr=0x8192378, parc=5, parv=0x8123000) at m_server.c:520
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bcptr = <value optimized out>
        bconf = <value optimized out>
        info = "MindForge", '\0' <repeats 101 times>
        numeric = 30
        servername = 0x8192461 "Wintermute.MindForge.org"
        i = <value optimized out>
#2 0xb7bd4a1f in m_server (cptr=0x8192378, sptr=0x8192378, parc=5, parv=0x8123000) at m_server.c:443
        xerrmsg = '\0' <repeats 27 times>, "ìÔ\000\000\000\000\000\000\000\000\000\000TKÖ·\r\000\000\000o\023%\b¸Ó\030\b7b\v\bÿÿÿÿW=\023\b_<\023\b^»\024\b\000\200\000\000Æá\000\000'â\000\000\223â\000\000øâ\000\000kã\000\000\213ã\000\000¶ã\000\000,ä\000\000\224ä\000\000´ä\000\000 å\000\000\217å\000\000÷é\000\000\n\001\000\000|\000\000\000(\tÔ¿\031!Ö·¨\223Òï`=\023\b\n", '\0' <repeats 15 times>, "¼\bÔ¿xh¿·`0\022\bx#\031\bh$\031\bÿ\001\000\000\033$\031\b:\000\000\000\210\bÔ¿~$\006\bh$\031\bxmp\b\001\000\000"...
        link = <value optimized out>
        servername = 0x8192461 "Wintermute.MindForge.org"
        inpath = 0x8123be0 "JaMei.MindForge.org[@127.0.0.1.0]"
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bconf = <value optimized out>
        numeric = <value optimized out>
        info = "h¿·\0000\022\bx#\031\b\030\tÔ¿Êl»·x#\031\bPÕ¾·`0\022\bu$\031\bx$\031\bèâ\233\bô\bÔ¿\001\000\000\000i$\031\000\000\000\000\000¤²\030\b¸\035\034\b\b°\030\b\032\000\000\000\030\tÔ¿:\227\006\b\210ñ\033\b_$\031\b\030\tÔ¿v$\031\b\0000\000\b'\000\000\000\vH½·"
        aconf = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        deny = <value optimized out>
        flags = <value optimized out>
        protocol = <value optimized out>
        inf = <value optimized out>
        num = <value optimized out>
GCC: gcc version 4.2.3 (Debian 4.2.3-3)
UNAME: Linux server105.gigenet.com 2.6.24-1-686 #1 SMP Sat Apr 19 00:37:55 UTC 2008 i686 GNU/Linux
UNREAL: Unreal3.2.7 build 1.1.1.1.2.1.2.1.2.2234.2.676 2007/07/13 10:43:04
CORE: -rw------- 1 neuromancer neuromancer 10440704 2008-05-03 16:20 core.24573
=================== STOP HERE ======================

Setup is as follows:
A server with 5 IPs. On the server is running:
- A hub (JaMei)
- Two leafs (neuromancer & wintermute)
- Both leafs linked to the hub over localhost
- Both leafs segfaulted numerous times with the backtraces posted above

It's a new box and the problems surfaced shortly after setting them up. After simply restarting them a few times, the problem has not come up again so far.

Regards,

Monk
Tags: No tags attached.
3rd party modules:

Activities

syzop

2008-08-08 09:35

administrator   ~0015345

Hm.. odd..
Crash is here:
        if (match(aconf->hubmask, servername))
because aconf->hubmask is a bad pointer... (servername is good)
strange..

Almost like it has accidentally freed the aconf (aconf = cptr->serv->conf) which would be odd because this should never happen since it uses reference counters and such, hmz.

Are you still experiencing this issue Monk? Is there a nice way to reproduce this? (sounds quite hard?)
Is perhaps a certain rehash sequence required?

Monk

2008-08-18 20:27

reporter   ~0015368

syzop, I guess your question triggers this crash :p ... no, seriously, two days ago it happened again; so far we couldn't reproduce it. When the crash of the following backtrace happened, nothing was done on the box, i.e. no rehash or work whatsoever, and the box had been running for some weeks.
This time the crash happened on a different box than the one above. Interesting to note is that this box uses the same config (two leafs connect to a local hub over 127.0.0.1) as the box above.
The only thing we changed recently was to enable the identd checking in the conf. Dunno if this may be related.

On a side note: Also not proven to be related, but it seems that since we enabled the identd checks we are experiencing a lot more splits than ever before. Is there a way to get more meaningful debug output why two boxes chose to split?

=================== START HERE ======================
BACKTRACE:
warning: Can't read pathname for load map: Input/output error.
Core was generated by `/home/light/lircd/lircd'.
Program terminated with signal 11, Segmentation fault.
[New process 6310]
#0 match (mask=0x646e6120 <Address 0x646e6120 out of bounds>, name=0x81918b9 "PotFun.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {
#0 match (mask=0x646e6120 <Address 0x646e6120 out of bounds>, name=0x81918b9 "PotFun.MindForge.org") at match.c:411
#1 0xb7c3c225 in m_server_remote (cptr=0x81917d0, sptr=0x83182a0, parc=5, parv=0x8124de0) at m_server.c:520
#2 0xb7c3ca91 in m_server (cptr=0x81917d0, sptr=0x83182a0, parc=5, parv=0x8124de0) at m_server.c:443
#3 0x0806b417 in parse (cptr=0x81917d0, buffer=0x81918b4 "@A '", bufend=0x81918e4 "") at parse.c:440
#4 0x0806a5f8 in dopacket (cptr=0x81917d0,
    buffer=0x80b7fa0 "¬\235Yo\"G\020ǥݷHù\016ýäÍ¡é0Ì00y2øXá\vä\003{m­,.Ûx±A\200ͱY¾E¾o~UÝÃÚ\016ÉC\024ddÍ\f]ÕGuMwuÕ¿°\217\037v{oìÕ'\2075ü!\177ÿé\235À\226¼ûÙ \\VëxÐ~1ë~K\220b}0Ù}z|Mãj³\204\2371«Þ|\0368o°Ör\237ÕÎÓBÒî$£ÍfÙ|X[\222\025p\036?C¼^å\030Cð¥\bÁW\r´\216\217ù§º®ý1\225]Ó\206«³£ý£ÚùÑf\222Ú(¥Æ\t", length=2280)
    at packet.c:138
#5 0x0805ab46 in read_message (delay=1, listp=0x815b760) at s_bsd.c:1475
#6 0x08065910 in main (argc=0, argv=0xbfb8f664) at ircd.c:1616

#0 match (mask=0x646e6120 <Address 0x646e6120 out of bounds>, name=0x81918b9 "PotFun.MindForge.org") at match.c:411
411 if (mask[0] == '*' && mask[1] == '!') {

0x816d320 <backupbuf>: "@A ' PotFun.MindForge.org 4 228 :Taste the stuff"

#0 match (mask=0x646e6120 <Address 0x646e6120 out of bounds>, name=0x81918b9 "PotFun.MindForge.org") at match.c:411
No locals.
#1 0xb7c3c225 in m_server_remote (cptr=0x81917d0, sptr=0x83182a0, parc=5, parv=0x8124de0) at m_server.c:520
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bcptr = <value optimized out>
        bconf = <value optimized out>
        hop = 4
        info = "Taste the stuff", '\0' <repeats 95 times>
        numeric = 228
        servername = 0x81918b9 "PotFun.MindForge.org"
        i = <value optimized out>
#2 0xb7c3ca91 in m_server (cptr=0x81917d0, sptr=0x83182a0, parc=5, parv=0x8124de0) at m_server.c:443
        servername = 0x81918b9 "PotFun.MindForge.org"
        ch = <value optimized out>
        inpath = 0x81259c0 "matrix.MindForge.org[matrix@127.0.0.1.0]"
        acptr = <value optimized out>
        ocptr = <value optimized out>
        bconf = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        hop = <value optimized out>
        numeric = <value optimized out>
        info = "üÅ· \2021\bÐ\027\031\bØ帿ÚéÁ·\000\027\232\t\023]Å·Éø\025\b)\027\232\tÐ\030\031\b\001\000\000\000\177\000\000\000°\202\031\b¤Ò\030\b\000\000\000\000\023]Å·Éø\025\b\bÐ\030\b\032\000\000\000Ø帿\204©\006\bð7\034\b·\030\031\b\000\000\000\000&1\006\b\000\000\000\000'\000\000\000\033È÷"
        aconf = <value optimized out>
        deny = <value optimized out>
        flags = <value optimized out>
        protocol = <value optimized out>
        inf = <value optimized out>
        num = <value optimized out>
GCC: gcc version 4.3.1 (Debian 4.3.1-2)
UNAME: Linux server137.gigenet.com 2.6.24-1-686 #1 SMP Thu May 8 02:16:39 UTC 2008 i686 GNU/Linux
UNREAL: Unreal3.2.7 build 1.1.1.1.2.1.2.1.2.2234.2.676 2007/07/13 10:43:04
CORE: -rw------- 1 light light 27828224 2008-08-15 17:44 core.6310
=================== STOP HERE ======================
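
An added triage example (not part of the original report, and not UnrealIRCd code): it pulls the faulting address out of gdb frame lines like those in this report and lays it out in i386 byte order. Both `mask` values reported here decode to printable ASCII, which is consistent with syzop's freed-`aconf` reading in the note above, since memory that once held the link block would then hold text; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find gdb's "<Address 0x... out of bounds>" marker in one backtrace line.
 * Returns 1 and stores the address, or 0 if the line has no such marker. */
int bad_address(const char *line, unsigned long *addr)
{
    const char *p = strstr(line, "<Address 0x");
    char *end;
    if (p == NULL)
        return 0;
    p += strlen("<Address ");
    *addr = strtoul(p, &end, 16);
    return end != p && strncmp(end, " out of bounds>", 15) == 0;
}

/* Lay the pointer out as it sits in i386 memory (least significant byte
 * first). Returns 1 if all four bytes are printable ASCII, a hint that the
 * pointer field now holds string data; unprintable bytes are shown as '.'. */
int pointer_as_text(unsigned long addr, char out[5])
{
    int i, printable = 1;
    for (i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)((addr >> (8 * i)) & 0xff);
        if (!isprint(c))
            printable = 0;
        out[i] = isprint(c) ? (char)c : '.';
    }
    out[4] = '\0';
    return printable;
}

int main(void)
{
    /* Frame lines abridged from the backtraces in this report. */
    const char *frames[] = {
        "#0 match (mask=0x20736e69 <Address 0x20736e69 out of bounds>, ...",
        "#0 match (mask=0x646e6120 <Address 0x646e6120 out of bounds>, ...",
        "#5 0x0805abad in read_message (delay=1, listp=0x815e3a0) at s_bsd.c:1475",
    };
    unsigned long a;
    char text[5];
    size_t i;
    for (i = 0; i < sizeof(frames) / sizeof(frames[0]); i++)
        if (bad_address(frames[i], &a) && pointer_as_text(a, text))
            printf("0x%08lx reads as \"%s\": looks like text, not a pointer\n", a, text);
    return 0;
}
```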

syzop

2008-08-20 11:15

administrator   ~0015369

Hehe ;)

Well, at least it crashes consistently at the same place...

Could you send me (or upload it somewhere): 1) the core dump, 2) ircd binary, 3) commands.so binary
Zipped/tarred/rarred/whatever
to syzop@vulnscan.org
?

I'll have a look then.

As for the splits, at least one of the servers (well, usually both) gives some sort of error message, sometimes it helps to look on both sides... connection reset by peer? ping timeout? :)
The only thing identd could do is slow down the connecting stage (due to ident getting resolved) like when port 113 is firewalled, but after the first few seconds everything should be normal.

syzop

2008-12-27 12:24

administrator   ~0015536

Fixed in .731:
- Fixed crash which could happen when rehashing while linking to a server,
  this could be 0003689 reported by Monk.

I know you said you didn't rehash, but ah well.. perhaps this is it, perhaps it isn't :P.
It does at least cause the same crash at the same location.
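
A simplified model of the lifetime rule behind this kind of crash, added here as an example (not UnrealIRCd's code or its actual patch; `LinkConf`, `Conn` and the function names are hypothetical): the connection takes its reference when the link attempt starts, and a rehash that finds the block still referenced defers the free to the last detach.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, cut-down link block; not UnrealIRCd's real structure. */
typedef struct LinkConf {
    char *hubmask;  /* mask later handed to match() */
    int refcount;   /* connections currently pointing at this block */
    int temporary;  /* set by rehash: free on the last detach */
} LinkConf;
typedef struct Conn { LinkConf *conf; } Conn;
static int blocks_freed; /* instrumentation for this example only */

LinkConf *conf_new(const char *mask)
{
    LinkConf *c = calloc(1, sizeof(*c));
    if (c != NULL && (c->hubmask = malloc(strlen(mask) + 1)) != NULL)
        strcpy(c->hubmask, mask);
    return c; /* hubmask stays NULL if its allocation failed */
}
static void conf_free(LinkConf *c) { free(c->hubmask); free(c); blocks_freed++; }

/* Pin the block when the link attempt starts, not once the link is up. */
void conn_attach(Conn *cn, LinkConf *c) { cn->conf = c; c->refcount++; }
void conn_detach(Conn *cn)
{
    LinkConf *c = cn->conf;
    cn->conf = NULL;
    if (c != NULL && --c->refcount == 0 && c->temporary)
        conf_free(c);
}

/* Rehash: free now only if unreferenced, else defer; returns 1 if freed. */
int conf_rehash_discard(LinkConf *c)
{
    if (c->refcount == 0) { conf_free(c); return 1; }
    c->temporary = 1;
    return 0;
}

int main(void)
{
    Conn link = { NULL };
    LinkConf *old = conf_new("*");
    if (old == NULL) return 1;
    conn_attach(&link, old);   /* handshake in progress */
    conf_rehash_discard(old);  /* rehash arrives: free is deferred */
    conn_detach(&link);        /* last user gone: block freed here */
    return blocks_freed == 1 ? 0 : 1;
}
```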

syzop

2009-01-18 17:22

administrator   ~0015680

I'm closing this one. If this still happens with 3.2.8-rc1 or later, let us know.

Issue History

Date Modified Username Field Change
2008-05-04 11:10 Monk New Issue
2008-08-08 09:35 syzop Note Added: 0015345
2008-08-18 20:27 Monk Note Added: 0015368
2008-08-20 11:15 syzop Note Added: 0015369
2008-12-27 12:24 syzop Note Added: 0015536
2009-01-18 17:22 syzop QA => Not touched yet by developer
2009-01-18 17:22 syzop U4: Need for upstream patch => No need for upstream InspIRCd patch
2009-01-18 17:22 syzop Status new => resolved
2009-01-18 17:22 syzop Fixed in Version => 3.2.8
2009-01-18 17:22 syzop Resolution open => fixed
2009-01-18 17:22 syzop Assigned To => syzop
2009-01-18 17:22 syzop Note Added: 0015680