expireover segfaults
Alex Kiernan
alexk at demon.net
Wed Jul 3 12:50:06 UTC 2002
Bernd Jendrissek <berndj at prism.co.za> writes:
> [Cc'ed replies would be appreciated; I'm not on the list but I do read
> news.software.nntp - feel free to mail2news this there (I can't post)]
>
> Every night at 4:02, crond runs "/usr/bin/news.daily delayrm expireover".
> About a minute after that expireover segfaults and I find a notice in my
> mailbox.
>
> I have now patched up to INN 2.3.3, but the problem persists. Here's the
> data, please ask for more if needed.
>
> gdb /usr/bin/expireover core:
>
> (gdb) bt
> #0 0x40023085 in OVERGetHeader (
> p=0x28407f8a <Address 0x28407f8a out of bounds>, field=3) at ov.c:970
> #1 0x40023998 in OVhisthasmsgid () at ov.c:1050
> #2 0x400323bf in buffindexed_expiregroup () at buffindexed.c:1751
> #3 0x40021c43 in OVexpiregroup () at ov.c:316
> #4 0x804924a in main (argc=2, argv=0xbffffd54) at expireover.c:165
> (gdb) list
> 965 char *next, *q;
> 966
> 967 fp = &ARTfields[field];
> 968
> 969 /* Skip leading headers. */
> 970 for (; field-- >= 0 && *p; p++)
> 971 if ((p = strchr(p, '\t')) == NULL)
> 972 return NULL;
> 973 if (*p == '\0')
> 974 return NULL;
>
At a guess, you've an overview record which is missing a field (can
you manage to capture p on entry to the function before it's tried
walking the list?); innd sometimes seems to do this, I've an
article which generates this behaviour reliably, I just haven't had
time to debug it yet.

The code in question isn't very robust, p isn't necessarily null
terminated, so the strchr wanders off the end happily.

I fixed this up in nnrpd for -current; didn't realise it was copied
into two places though :(

--
Alex Kiernan, Principal Engineer, Development, THUS plc
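
The failure mode described in the reply above, as an added example that is not part of the original message and is not INN's code: a length-bounded field walk using memchr, so a record missing a field yields NULL instead of a read past the buffer. The name overview_field, its signature and the sample record are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not INN code): return the start of tab-separated
 * field `field` (0-based) in an overview record of exactly `len` bytes and
 * store its length in *fieldlen.  Returns NULL when the record has too few
 * fields.  The record need not be NUL-terminated: memchr is bounded by the
 * bytes remaining, so nothing at or past p + len is read. */
static const char *
overview_field(const char *p, size_t len, int field, size_t *fieldlen)
{
    const char *end, *tab;

    if (p == NULL || field < 0)
        return NULL;
    end = p + len;
    while (field-- > 0) {               /* skip leading fields */
        tab = memchr(p, '\t', (size_t)(end - p));
        if (tab == NULL)
            return NULL;                /* record is missing a field */
        p = tab + 1;
    }
    if (p >= end)
        return NULL;                    /* nothing left after the last tab */
    tab = memchr(p, '\t', (size_t)(end - p));
    *fieldlen = (size_t)((tab != NULL ? tab : end) - p);
    return p;
}

/* Constructed sample: a three-field record followed directly by unrelated
 * bytes, with no NUL at the record boundary. */
#define SAMPLE_REC "42\tRe: test\tuser@example.invalid"
static const char sample_buf[] = SAMPLE_REC "\tSTALE\tBYTES";
static const size_t sample_len = sizeof(SAMPLE_REC) - 1;

int
main(void)
{
    size_t n = 0;
    const char *f = overview_field(sample_buf, sample_len, 2, &n);

    printf("field 2: %.*s\n", (int)n, f ? f : "");
    f = overview_field(sample_buf, sample_len, 3, &n);
    printf("field 3: %s\n", f ? "present" : "missing");
    return 0;
}
```

An unbounded strchr walk over the same buffer would find the tab in the trailing bytes and treat them as field 3; the bounded walk reports the field as missing.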