Bad access to IP address in memory

Julien ÉLIE julien at trigofacile.com
Sat Jul 5 08:31:06 UTC 2008 

Hi Russ,

>>    case CTnntp:
>>        snprintf(cp->Name, sizeof(cp->Name), "%s:%d",
>>                 cp->Address.ss_family == 0 ? "localhost" : RChostname(cp),
>>                 cp->fd);
>>        break;
>>
>> I wonder if something similar is needed in status, although the results
>> you see still don't look like printing out zeroed memory.

I believe this bug comes from network_sockaddr_sprint because it does not
handle a 0 family value:


bool
network_sockaddr_sprint(char *dst, size_t size, const struct sockaddr *addr)
{
#ifdef HAVE_INET6
    if (addr->sa_family == AF_INET6) {
        [...]
    }
#endif
    if (addr->sa_family == AF_INET) {
        [...]
    } else {
        errno = EAFNOSUPPORT;
        return false;
    }
}


I suggest this patch:

===================================================================
--- lib/network.c       (révision 7873)
+++ lib/network.c       (copie de travail)
@@ -595,6 +595,10 @@
         sin = (const struct sockaddr_in *) addr;
         result = inet_ntop(AF_INET, &sin->sin_addr, dst, size);
         return (result != NULL);
+    } else if (addr->sa_family == 0) {
+        /* Connections from lc.c. */
+        memset(dst, 0, size);
+        return true;
     } else {
         errno = EAFNOSUPPORT;
         return false;



With it, the display is now fine.
I also tried to write '-' to dst and it also looks fine (IPv6 max length):

localhost
    seconds: 280            duplicates: 0           ip address: ----------------------------------------------



This value does not seem to change afterwards.
And it explains why the value kept being modified:  network_sockaddr_sprint is
invoked each time the status is printed.  As it does nothing for localhost
except "errno = EAFNOSUPPORT", the contents of "dst" is always different
(an uninitialized part of previously freed memory).


>>    valgrind --trace-children=yes --track-fds=yes --log-file=inn-valgrind /home/news/bin/innd
>
> I'm not sure.  When I've done this before, I don't recall having any
> special trouble.

10:23 news at news % valgrind --trace-children=yes --track-fds=yes --log-file=inn-valgrind /home/news/bin/innd
[nothing happens]

Jul  5 10:23:33 news innd: cannot exec innbind for 0.0.0.0,119: Permission denied
Jul  5 10:23:35 news innd: innbind returned no output, assuming failure
Jul  5 10:23:35 news innd: innbind failed for 0.0.0.0,119
Jul  5 10:23:35 news innd: cannot exec innbind for ::,119: Permission denied
Jul  5 10:23:37 news innd: innbind returned no output, assuming failure
Jul  5 10:23:37 news innd: innbind failed for ::,119
Jul  5 10:23:37 news innd: SERVER cant listen on any sockets


The same being root:

10:23 root at news # valgrind --trace-children=yes --track-fds=yes --log-file=inn-valgrind /home/news/bin/innd
valgrind: /home/news/bin/innd: Permission denied


With rc.news, it is the same.
innbind may not be happy being launched inside valgrind (?)

-- 
Julien ÉLIE

« Tous les matins, j'apporte à ma femme le café au lit.
  Elle n'a plus qu'à le moudre. » (Coluche)

More information about the inn-workers mailing list