nnrpd/expireover/whatever bug (not sure where) preview

Bernd Jendrissek berndj at prism.co.za
Tue Oct 22 18:12:33 UTC 2002



On Fri, Oct 18, 2002 at 08:14:47AM -0400, Jeffrey M. Vinocur wrote:
> On Fri, 18 Oct 2002, Bernd Jendrissek wrote:

> > [I'd greatly appreciate Cc'ed replies.]


> > The interesting thing is that INN sends back *some* overview, but then just
> > stops.  The last line is overview, not the ".\r\n" terminator.  And yet
> > nnrpd (or is it innd?) accepts other commands, "quit" at least.
> 
> That we've seen before, but I forget what it is -- something that silently 
> eats the error.

I've been working on it a little (patch and log below) and it seems OVINDEX
*Gib contains corrupt data.

> > So yesterday I got fed up and attached gdb to nnrpd.  Lo and behold, it
> > seems like somebody's trying to write almost a gigabyte in one SendIOv()
> > call.  Oops.
> 
> Can you add a call to abort(3) right after you log the "whoops" and then
> have a look in the core dump at a backtrace?

I've put the abort(3) in, but haven't had much opportunity to goof off^W^W
do some testing.  Okay, did now.  Got a backtrace in gdb and it seems that
CMDxover calls SendIOv with a bad p param; p comes from local var data,
which is supposed to be filled in by OVsearch.

It seems my expireover crash and the nnrpd weirdness have the same cause:
OVsearch sometimes does not define its *data by-reference parameter, and
somehow it's all due to bad data in Gib.

> > I suppose expireover will just stop segfaulting as well.
> 
> That's weird, but hopefully we'll find a problem with overview.

Hasn't stopped segfaulting yet...  Even though I've rebuilt overview once or
twice since then.

diff -ur inn-2.3.3/storage/buffindexed/buffindexed.c inn-2.3.3-bernd/storage/buf
findexed/buffindexed.c
- --- inn-2.3.3/storage/buffindexed/buffindexed.c Tue Jul  2 11:45:21 2002
+++ inn-2.3.3-bernd/storage/buffindexed/buffindexed.c   Tue Oct 22 17:40:11 2002
@@ -1691,8 +1691,10 @@
     } else {
       if (artnum)
        *artnum = Gib[search->cur].artnum;
- -      if (len)
+      if (len) {
        *len = Gib[search->cur].len;
+       syslog(L_TRACE, "*len = %d\n", len ? *len : -1);
+      }
       if (arrived)
        *arrived = Gib[search->cur].arrived;
       if (expires)
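
Review bot: in the new `if (len) { ... }` block, `Gib[search->cur].len` is still copied to `*len` with no range check, so the trace only records the bad value (1768191329 in the log below) and the caller receives it anyway. Consider rejecting a negative or implausibly large length at this point and returning failure for the entry, so callers never act on it. Two smaller points on the syslog line: `len ? *len : -1` is redundant because the call already sits inside `if (len)`, and the trailing `\n` in the format string is not needed for syslog.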

[news at penguin /etc/news]$ expireover -z/var/log/news/expire.rm
Segmentation fault (core dumped)
[news at penguin /etc/news]$ tail -f /var/log/news/news.debug
Oct 22 18:27:57 penguin expireover[25263]: *len = 196
Oct 22 18:27:57 penguin expireover[25263]: *len = 203
Oct 22 18:27:57 penguin expireover[25263]: *len = 195
Oct 22 18:27:57 penguin expireover[25263]: *len = 203
Oct 22 18:27:57 penguin expireover[25263]: *len = 199
Oct 22 18:27:57 penguin expireover[25263]: *len = 206
Oct 22 18:27:57 penguin expireover[25263]: *len = 195
Oct 22 18:27:58 penguin expireover[25263]: *len = 203
Oct 22 18:27:58 penguin expireover[25263]: *len = 196
Oct 22 18:27:58 penguin expireover[25263]: *len = 1768191329

Ouch!

More later

bernd
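
The failure described in the message (a length read from a corrupt index entry and then used unchecked) can be stopped at the point where the entry is resolved. The following is an added example, not code from the original post or from INN: the `idx_entry` layout, the function names and the `MAX_OVER_LINE` ceiling are all assumptions made for illustration, and the sample entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical index record; NOT INN's real OVINDEX layout. */
struct idx_entry {
    uint32_t artnum;
    uint32_t offset;  /* where the overview line starts in the data block */
    int32_t  len;     /* length of the line, exactly as stored on disk */
};

#define MAX_OVER_LINE 8192  /* assumed ceiling for one overview line */

/* Resolve an entry to pointer/length inside block[0..block_size).
 * Returns 0 on success. On any inconsistency returns -1 with *data = NULL
 * and *len = 0, so the caller never acts on undefined output. */
int entry_resolve(const struct idx_entry *e, const char *block,
                  size_t block_size, const char **data, size_t *len)
{
    *data = NULL;
    *len = 0;
    if (e->len <= 0 || e->len > MAX_OVER_LINE)
        return -1;  /* zero, negative or absurd length */
    if (e->offset > block_size || (size_t)e->len > block_size - e->offset)
        return -1;  /* range would run past the data block */
    *data = block + e->offset;
    *len = (size_t)e->len;
    return 0;
}

/* Constructed sample: two sane entries, one with the length from the log
 * above, one with a sane length that overruns the block. Returns the
 * number of rejected entries. */
size_t demo_rejected(void)
{
    static const char block[1024] = {0};
    const struct idx_entry idx[] = {
        {1, 0, 196}, {2, 196, 203}, {3, 399, 1768191329}, {4, 900, 203},
    };
    const char *p;
    size_t n, i, bad = 0;

    for (i = 0; i < sizeof idx / sizeof idx[0]; i++)
        if (entry_resolve(&idx[i], block, sizeof block, &p, &n) != 0)
            bad++;
    return bad;
}

int main(void) { printf("rejected %zu of 4 entries\n", demo_rejected()); return 0; }
```

Clearing the output parameters before any check means a failed lookup leaves the caller with a NULL pointer and zero length instead of whatever was on its stack.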


More information about the inn-bugs mailing list