View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004219 | unreal | ircd | public | 2013-06-01 18:21 | 2014-01-12 10:43 |
Reporter | grawity | Assigned To | syzop | ||
Priority | normal | Severity | crash | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | ||
Product Version | 3.2.10.1 | ||||
Fixed in Version | 3.2.10.3 | ||||
Summary | 0004219: SASL crash (caused by remote server) | ||||
Description | I was testing a custom SaslServ module on a small network, and somehow it crashed two servers out of three. (Interesting that it did not affect the ircd that services were linked to directly.) All three were running Unreal 3.2.10. | ||||
Additional Information |

Network layout:

```
radian.cluenet.org
|-decay.nullroute.eu.org [crashed]
|-virgule.cluenet.org [crashed]
`-services.cluenet.org [origin]
```

Backtrace:

```
(gdb) bt full
#0 0xb71d3c49 in ?? ()
No symbol table info available.
#1 0xb71d3f18 in ?? ()
No symbol table info available.
#2 0x0806fce5 in parse (cptr=0xd, buffer=0x988e2f4 ":SaslServ SY", bufend=0x988e336 "") at parse.c:451
        h = <value optimized out>
        buf_len = 0
        from = 0x9b8ab70
        ch = <value optimized out>
        s = <value optimized out>
        i = <value optimized out>
        numeric = 0
        paramcount = -1219653952
        cmptr = 0x988e315
#3 0x0806efd3 in dopacket (cptr=0x988e210, buffer=0x810e7a0 ":SaslServ SY virgule.cluenet.org virgule.cluenet.org!13.28011 C + \r\ner navbox\003\061\064]]\003\064 \003\061\060 \003\060\062http://en.wikipedia.org/w/index.php?diff=557848190&oldid=557414500\003 \003\065*\003 \003\060\063Mikemor92\003 \003\065*\003 (+24) \003\061\060\003\003 # N/"..., length=1) at packet.c:138
        ch1 = 0x0
        ch2 = 0x810e7e3 "\ner navbox\003\061\064]]\003\064 \003\061\060 \003\060\062http://en.wikipedia.org/w/index.php?diff=557848190&oldid=557414500\003 \003\065*\003 \003\060\063Mikemor92\003 \003\065*\003 (+24) \003\061\060\003\003 # N/A # Outside of valid namespaces # Not reverted\r\nerror 16) using [[P"...
        acpt = <value optimized out>
        zipped = 0
#4 0x0805cc45 in read_packet (cptr=0x988e210, doread=28011) at s_bsd.c:1595
        dolen = 0
        length = -1219653952
        done = <value optimized out>
        now = 1370102824
---Type <return> to continue, or q <return> to quit---
#5 0x0805f36b in read_message (delay=1, listp=0x8191b20) at s_bsd.c:2142
        cptr = 0x988e210
        nfds = <value optimized out>
        pfd = <value optimized out>
        aresfds = {0 <repeats 16 times>}
        read_set = {__fds_bits = {0 <repeats 32 times>}}
        write_set = {__fds_bits = {0 <repeats 32 times>}}
        j = <value optimized out>
        k = <value optimized out>
        v = <value optimized out>
        delay2 = <value optimized out>
        res = 135313256
        length = 1
        fd = <value optimized out>
        i = 1
        sockerr = <value optimized out>
#6 0x0806a368 in main (argc=<value optimized out>, argv=0xbfbdaf24) at ircd.c:1867
        uid = 25
        euid = 26
        gid = 1370102824
        egid = 64
        delay = 1
        portarg = <value optimized out>
        corelim = {rlim_cur = 4294967295, rlim_max = 4294967295}
        nextfdlistcheck = 1370102826
```

Tags | No tags attached. | ||||
3rd party modules | |||||
|
It should be noted that this happened after the following exchange:

```
--> CAP REQ :sasl
--> NICK test
--> USER a a a a
--> AUTHENTICATE GSSAPI
<-- :decay.nullroute.eu.org NOTICE AUTH :*** Looking up your hostname...
<-- :decay.nullroute.eu.org NOTICE AUTH :*** Found your hostname (cached)
<-- :decay.nullroute.eu.org NOTICE AUTH :*** Checking ident...
<-- :decay.nullroute.eu.org NOTICE AUTH :*** Received identd response
<-- :decay.nullroute.eu.org CAP * ACK :sasl
<-- PING :C786C282
<-- AUTHENTICATE +
--> AUTHENTICATE +
<-- AUTHENTICATE +
--> AUTHENTICATE +
<-- AUTHENTICATE +
--> AUTHENTICATE +
<-- AUTHENTICATE +
--> AUTHENTICATE +
^C
```

(my SASL client script mistakenly kept sending null replies) |
|
I'll leave this to nenolod or someone else. But perhaps you could run './unreal backtrace' to get a better backtrace (due to dynamic module names). |
|
```
=================== START HERE ======================
BACKTRACE:
warning: Can't read pathname for load map: Input/output error.
Failed to read a valid object file image from memory.
Core was generated by `/cluenet/irc/unreal/ircd'.
Program terminated with signal 11, Segmentation fault.
#0 0xb71d3c49 in decode_puid (puid=0x988e315 "virgule.cluenet.org") at m_sasl.c:123
123 if (cookie && client->sasl_cookie != cookie)
#0 0xb71d3c49 in decode_puid (puid=0x988e315 "virgule.cluenet.org") at m_sasl.c:123
#1 0xb71d3f18 in m_sasl (cptr=0x988e210, sptr=0x9b8ab70, parc=5, parv=0x817b660) at m_sasl.c:210
#2 0x0806fce5 in parse (cptr=0x988e210, buffer=0x988e2f4 ":SaslServ SY", bufend=0x988e336 "") at parse.c:451
#3 0x0806efd3 in dopacket (cptr=0x988e210, buffer=0x810e7a0 ":SaslServ SY virgule.cluenet.org virgule.cluenet.org!13.28011 C + \r\ner navbox\003\061\064]]\003\064 \003\061\060 \003\060\062http://en.wikipedia.org/w/index.php?diff=557848190&oldid=557414500\003 \003\065*\003 \003\060\063Mikemor92\003 \003\065*\003 (+24) \003\061\060\003\003 # N/"..., length=1) at packet.c:138
#4 0x0805cc45 in read_packet (cptr=0x988e210, doread=28011) at s_bsd.c:1595
#5 0x0805f36b in read_message (delay=1, listp=0x8191b20) at s_bsd.c:2142
#6 0x0806a368 in main (argc=<value optimized out>, argv=0xbfbdaf24) at ircd.c:1867
#0 0xb71d3c49 in decode_puid (puid=0x988e315 "virgule.cluenet.org") at m_sasl.c:123
123 if (cookie && client->sasl_cookie != cookie)
0x81971e0 <backupbuf>: ":SaslServ SY virgule.cluenet.org virgule.cluenet.org!13.28011 C + "
#0 0xb71d3c49 in decode_puid (puid=0x988e315 "virgule.cluenet.org") at m_sasl.c:123
        client = 0x0
        it = <value optimized out>
        cookie = 28011
#1 0xb71d3f18 in m_sasl (cptr=0x988e210, sptr=0x9b8ab70, parc=5, parv=0x817b660) at m_sasl.c:210
        target_p = <value optimized out>
#2 0x0806fce5 in parse (cptr=0x988e210, buffer=0x988e2f4 ":SaslServ SY", bufend=0x988e336 "") at parse.c:451
        h = <value optimized out>
        buf_len = 0
        from = 0x9b8ab70
        ch = <value optimized out>
        s = <value optimized out>
        i = <value optimized out>
        numeric = 0
        paramcount = -1219653952
        cmptr = 0x98a2f38
GCC: gcc version 4.4.5 (Debian 4.4.5-8)
UNAME: Linux virgule.cluenet.org 3.8.4-linode50 #1 SMP Mon Mar 25 15:50:29 EDT 2013 i686 GNU/Linux
UNREAL: Unreal3.2.10-rc1 build 3.2.10
CORE: -rw------- 1 cluenet-irc cluenet-irc 7438336 Jun 1 19:07 core
=================== STOP HERE ======================
```
|
Seems you were running Unreal 3.2.10-RC1. Does this same crash happen on 3.2.10.1? |
|
I've added this fix http://hg.unrealircd.com/hg/unreal/rev/a3d24860fff3 but I did not / could not verify if this fixes your issue. It fixes this particular crash, but given the slightly crappy sasl code I suppose it can crash a number of lines later. |
|
I'll mark it as resolved. If you still have crash issues, I'd appreciate it if you could re-open or create a new bug report. |
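
An added illustration, not the UnrealIRCd source or the referenced changeset: the symbolized backtrace shows `decode_puid` at m_sasl.c:123 evaluating `client->sasl_cookie` with `client = 0x0` for the PUID `virgule.cluenet.org!13.28011`. The C code below resolves a PUID of that shape with the missing checks in place; the `server!slot.cookie` layout is inferred from those values, and `struct client`, `slots`, `MAX_SLOTS`, `my_name` and `decode_puid_checked` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 64                     /* hypothetical size of the local client table */

struct client { int sasl_cookie; };      /* simplified stand-in for the ircd's client struct */
static struct client *slots[MAX_SLOTS];  /* NULL = no client on that slot */
static const char *my_name = "virgule.cluenet.org";

/* Resolve "server!slot.cookie" to a local client, or NULL if the PUID is
 * malformed, names another server, or no longer matches a live client. */
struct client *decode_puid_checked(const char *puid)
{
    char buf[128], *bang, *dot, *end;
    long slot, cookie = 0;
    struct client *c;

    if (strlen(puid) >= sizeof buf)
        return NULL;
    strcpy(buf, puid);                   /* split a copy; the caller's buffer stays intact */

    if ((bang = strrchr(buf, '!')) == NULL)
        return NULL;
    *bang++ = '\0';
    if (strcmp(buf, my_name) != 0)       /* PUID belongs to a different server */
        return NULL;

    if ((dot = strchr(bang, '.')) != NULL) {
        *dot++ = '\0';
        cookie = strtol(dot, &end, 10);
        if (end == dot || *end != '\0')
            return NULL;
    }
    slot = strtol(bang, &end, 10);
    if (end == bang || *end != '\0' || slot < 0 || slot >= MAX_SLOTS)
        return NULL;                     /* never index the table with an unchecked value */

    c = slots[slot];
    if (c == NULL)                       /* client already gone: the state in the backtrace */
        return NULL;
    if (cookie && c->sasl_cookie != cookie)
        return NULL;                     /* cookie does not match the client on this slot */
    return c;
}
```

Because the PUID arrives from a remote server, every field in it is untrusted input: the slot number, the cookie, and the assumption that the client it names still exists.
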
Date Modified | Username | Field | Change |
---|---|---|---|
2013-06-01 18:21 | grawity | New Issue | |
2013-06-01 18:27 | grawity | Note Added: 0017700 | |
2013-06-03 13:25 | syzop | Note Added: 0017701 | |
2013-06-03 13:26 | syzop | Summary | Crash in parse.c => SASL crash (caused by remote server) |
2013-06-03 14:15 | grawity | Note Added: 0017703 | |
2013-06-06 01:02 | Stealth | Note Added: 0017704 | |
2014-01-12 10:41 | syzop | Note Added: 0017876 | |
2014-01-12 10:42 | syzop | Note Added: 0017877 | |
2014-01-12 10:42 | syzop | Status | new => resolved |
2014-01-12 10:42 | syzop | Fixed in Version | => 3.2.10.3 |
2014-01-12 10:42 | syzop | Resolution | open => fixed |
2014-01-12 10:42 | syzop | Assigned To | => syzop |
2014-03-14 01:14 | peterkingalexander | Issue cloned: 0004270 |