innfeed segfaults on NULL buffer in getBanner()

Phil Pennock isc-inn-workers+phil at spodhuis.org
Wed Nov 8 21:22:13 UTC 2006 

Hi,

I've checked archives and not seen anything about this.  I'm using
FreeBSD 6.1 on amd64, inn-2.4.3 and problem also present in
stable-20061024; gdb stack traces (with debugging information present)
and variable examinations below.

This is my first innd setup, so I fully accept that there may be a
misconfiguration somewhere; however, an innfeed coredump on attempting
to dereference a NULL pointer is why I'm posting to a workers list
anyway.

innfeed crashes on startup after connecting to the one current feed.
tcpdump confirms that the connection is made and the banner presented.
So I'm seeing coredumps every couple of seconds.

There are no articles to present, as there have been no posts to a
shared newsgroup yet.

If I post an article to alt.test, then innfeed is briefly stable, for 30
seconds, and logs that something happened, but my peer doesn't carry
alt.test, so it won't be accepted.  Sorry, trying to find a test group
on a public network which my peer carries.  ;^)

Is it likely that I'm doing something very silly?  Any debugging I can
do?  No secret passwords are present, I'm willing to provide innfeed and
coredump for further analysis.

Thanks,
-Phil

Normal logging reports:
----------------------------8< cut here >8------------------------------
Nov  8 21:07:34 <news.warn> redoubt innd: innfeed! spawned innfeed!:29:proc:752
Nov  8 21:07:34 <news.warn> redoubt innd: innfeed! restarted
Nov  8 21:07:34 <news.notice> redoubt innfeed[752]: ME starting innfeed 2.4.4 (20061024 snapshot) at Wed Nov  8 21:07:34 2006
Nov  8 21:07:34 <news.notice> redoubt innfeed[752]: loading /usr/local/news/etc/innfeed.conf
Nov  8 21:07:37 <news.warn> redoubt innd: innfeed! exit 0 elapsed 0 pid 752
Nov  8 21:07:37 <news.warn> redoubt innd: innfeed!:29:proc:752 closed
----------------------------8< cut here >8------------------------------

When it remained briefly stable:
----------------------------8< cut here >8------------------------------
Nov  8 21:10:19 <news.warn> redoubt innd: innfeed! spawned innfeed!:29:proc:1006
Nov  8 21:10:19 <news.warn> redoubt innd: innfeed! restarted
Nov  8 21:10:19 <news.notice> redoubt innfeed[1006]: ME starting innfeed 2.4.4 (20061024 snapshot) at Wed Nov  8 21:10:19 2006
Nov  8 21:10:19 <news.notice> redoubt innfeed[1006]: loading /usr/local/news/etc/innfeed.conf
Nov  8 21:10:21 <news.warn> redoubt innfeed[1006]: firedrake:0 cxnsleep prepare read failed
Nov  8 21:10:21 <news.notice> redoubt innfeed[1006]: firedrake spooling no active connections
Nov  8 21:10:51 <news.warn> redoubt innd: innfeed! exit 0 elapsed 35 pid 1006
Nov  8 21:10:51 <news.warn> redoubt innd: innfeed!:29:proc:1006 closed
----------------------------8< cut here >8------------------------------

----------------------------8< cut here >8------------------------------
#0  0x000000000040580c in bufferBase (buff=0x0) at buffer.c:230
230       return buff->mem ;
(gdb) bt
#0  0x000000000040580c in bufferBase (buff=0x0) at buffer.c:230
#1  0x0000000000421d8c in getBanner (e=0x577700, i=IoDone, b=0x56a900,
    d=0x577500) at connection.c:1392
#2  0x000000000040c262 in Run () at endpoint.c:752
#3  0x000000000041a7cf in main (argc=0, argv=0x7fffffffeda8) at main.c:478
(gdb) frame 1
#1  0x0000000000421d8c in getBanner (e=0x577700, i=IoDone, b=0x56a900,
    d=0x577500) at connection.c:1392
1392      char *p = bufferBase (b[0]) ;
(gdb) print *cxn
$1 = {myHost = 0x576200, myEp = 0x577700, ident = 0, state = cxnConnectingS,
  checkHead = 0x0, checkRespHead = 0x0, takeHead = 0x0, takeRespHead = 0x0,
  articleQTotal = 0, missing = 0x0, respBuffer = 0x578048,
  ipName = 0x56d320 "news0.firedrake.org", maxCheck = 1, port = 119,
  articleReceiptTimeout = 600, artReceiptTimerId = 0, readTimeout = 300,
  readBlockedTimerId = 4, writeTimeout = 300, writeBlockedTimerId = 0,
  flushTimeout = 89366, flushTimerId = 5, sleepTimeout = 30, sleepTimerId = 0,
  loggedNoCr = false, immedRecon = false, doesStreaming = false,
  authenticated = false, quitWasIssued = false, needsChecks = true,
  timeCon = 0, artsTaken = 0, checksIssued = 0, checksRefused = 0,
  takesRejected = 0, takesOkayed = 0, takesSizeRejected = 0,
  takesSizeOkayed = 0, onThreshold = 47.5, offThreshold = 45, filterValue = 0,
  lowPassFilter = 50, next = 0x0}
(gdb) p b
$2 = (Buffer *) 0x56a900
(gdb) p *b
$3 = 0x0
(gdb) p *(struct buffer_s*)b
$4 = {refCount = 0, mem = 0x0, memSize = 0, dataSize = 0, deletable = false,
  bufferDeletedCbk = 0, bufferDeletedCbkData = 0x0, next = 0x0, prev = 0x0}
(gdb)
----------------------------8< cut here >8------------------------------

-Phil

More information about the inn-workers mailing list