nnrpd/expireover/whatever bug (not sure where) preview
Bernd Jendrissek
berndj at prism.co.za
Tue Oct 22 18:12:33 UTC 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, Oct 18, 2002 at 08:14:47AM -0400, Jeffrey M. Vinocur wrote:
> On Fri, 18 Oct 2002, Bernd Jendrissek wrote:
> > [I'd greatly appreciate Cc'ed replies.]
> > The interesting thing is that INN sends back *some* overview, but then just
> > stops. The last line is overview, not the ".\r\n" terminator. And yet
> > nnrpd (or is it innd?) accepts other commands, "quit" at least.
>
> That we've seen before, but I forget what it is -- something that silently
> eats the error.
I've been working on it a little (patch and log below) and it seems OVINDEX
*Gib contains corrupt data.
> > So yesterday I got fed up and attached gdb to nnrpd. Lo and behold, it
> > seems like somebody's trying to write almost a gigabyte in one SendIOv()
> > call. Oops.
>
> Can you add a call to abort(3) right after you log the "whoops" and then
> have a look in the core dump at a backtrace?
I've put the abort(3) in, but haven't had much opportunity to goof off^W^W
do some testing. Okay, did now. Got a backtrace in gdb and it seems that
CMDxover calls SendIOv with a bad p param; p comes from local var data,
which is supposed to be filled in by OVsearch.
It seems my expireover crash and the nnrpd weirdness have the same cause:
OVsearch sometimes does not define its *data by-reference parameter, and
somehow it's all due to bad data in Gib.
> > I suppose expireover will just stop segfaulting as well.
>
> That's weird, but hopefully we'll find a problem with overview.
Hasn't stopped segfaulting yet... Even though I've rebuilt overview once or
twice since then.
diff -ur inn-2.3.3/storage/buffindexed/buffindexed.c inn-2.3.3-bernd/storage/buf
findexed/buffindexed.c
- --- inn-2.3.3/storage/buffindexed/buffindexed.c Tue Jul 2 11:45:21 2002
+++ inn-2.3.3-bernd/storage/buffindexed/buffindexed.c Tue Oct 22 17:40:11 2002
@@ -1691,8 +1691,10 @@
} else {
if (artnum)
*artnum = Gib[search->cur].artnum;
- - if (len)
+ if (len) {
*len = Gib[search->cur].len;
+ syslog(L_TRACE, "*len = %d\n", len ? *len : -1);
+ }
if (arrived)
*arrived = Gib[search->cur].arrived;
if (expires)
[news at penguin /etc/news]$ expireover -z/var/log/news/expire.rm
Segmentation fault (core dumped)
[news at penguin /etc/news]$ tail -f /var/log/news/news.debug
Oct 22 18:27:57 penguin expireover[25263]: *len = 196
Oct 22 18:27:57 penguin expireover[25263]: *len = 203
Oct 22 18:27:57 penguin expireover[25263]: *len = 195
Oct 22 18:27:57 penguin expireover[25263]: *len = 203
Oct 22 18:27:57 penguin expireover[25263]: *len = 199
Oct 22 18:27:57 penguin expireover[25263]: *len = 206
Oct 22 18:27:57 penguin expireover[25263]: *len = 195
Oct 22 18:27:58 penguin expireover[25263]: *len = 203
Oct 22 18:27:58 penguin expireover[25263]: *len = 196
Oct 22 18:27:58 penguin expireover[25263]: *len = 1768191329
Ouch!
More later
bernd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9tZUB/FmLrNfLpjMRAl6vAJ46Z9I3CwaU6O03vkLntm9D74ASJACeNF+S
sbePURFu8TrzGsJIK5K+KH4=
=k01R
-----END PGP SIGNATURE-----
More information about the inn-bugs
mailing list