innfeed segfaults on NULL buffer in getBanner()

Russ Allbery rra at stanford.edu
Sat Feb 10 17:49:26 EST 2007


Phil Pennock <isc-inn-workers+phil at spodhuis.org> writes:

> I've checked archives and not seen anything about this.  I'm using
> FreeBSD 6.1 on amd64, inn-2.4.3 and problem also present in
> stable-20061024; gdb stack traces (with debugging information present)
> and variable examinations below.

> This is my first innd setup, so I fully accept that there may be a
> misconfiguration somewhere; however, an innfeed coredump on attempting
> to dereference a NULL pointer is why I'm posting to a workers list
> anyway.

It looks like this never got a response, and I'm afraid that it mystifies
me as well.  If you ever managed to figure it out, I'm curious what the
outcome was.

> innfeed crashes on startup after connecting to the one current feed.
> tcpdump confirms that the connection is made and the banner presented.
> So I'm seeing coredumps every couple of seconds.

> ----------------------------8< cut here >8------------------------------
> #0  0x000000000040580c in bufferBase (buff=0x0) at buffer.c:230
> 230       return buff->mem ;
> (gdb) bt
> #0  0x000000000040580c in bufferBase (buff=0x0) at buffer.c:230
> #1  0x0000000000421d8c in getBanner (e=0x577700, i=IoDone, b=0x56a900,
>     d=0x577500) at connection.c:1392
> #2  0x000000000040c262 in Run () at endpoint.c:752
> #3  0x000000000041a7cf in main (argc=0, argv=0x7fffffffeda8) at main.c:478
> (gdb) frame 1
> #1  0x0000000000421d8c in getBanner (e=0x577700, i=IoDone, b=0x56a900,
>     d=0x577500) at connection.c:1392
> 1392      char *p = bufferBase (b[0]) ;
> (gdb) print *cxn
> $1 = {myHost = 0x576200, myEp = 0x577700, ident = 0, state = cxnConnectingS,
>   checkHead = 0x0, checkRespHead = 0x0, takeHead = 0x0, takeRespHead = 0x0,
>   articleQTotal = 0, missing = 0x0, respBuffer = 0x578048,
>   ipName = 0x56d320 "news0.firedrake.org", maxCheck = 1, port = 119,
>   articleReceiptTimeout = 600, artReceiptTimerId = 0, readTimeout = 300,
>   readBlockedTimerId = 4, writeTimeout = 300, writeBlockedTimerId = 0,
>   flushTimeout = 89366, flushTimerId = 5, sleepTimeout = 30, sleepTimerId = 0,
>   loggedNoCr = false, immedRecon = false, doesStreaming = false,
>   authenticated = false, quitWasIssued = false, needsChecks = true,
>   timeCon = 0, artsTaken = 0, checksIssued = 0, checksRefused = 0,
>   takesRejected = 0, takesOkayed = 0, takesSizeRejected = 0,
>   takesSizeOkayed = 0, onThreshold = 47.5, offThreshold = 45, filterValue = 0,
>   lowPassFilter = 50, next = 0x0}
> (gdb) p b
> $2 = (Buffer *) 0x56a900
> (gdb) p *b
> $3 = 0x0
> (gdb) p *(struct buffer_s*)b
> $4 = {refCount = 0, mem = 0x0, memSize = 0, dataSize = 0, deletable = false,
>   bufferDeletedCbk = 0, bufferDeletedCbkData = 0x0, next = 0x0, prev = 0x0}
> (gdb)

What this means is that the buffer list passed to the getBanner callback
is bogus.  The first item in the Buffer list is NULL, so it's an empty
buffer list, which getBanner is not expecting.  getBanner is only prepared
in a couple of places, and I don't see how either of them could possibly
generate a buffer list that looks like this (in fact, attempting to do so
should cause an assertion failure).

So, unfortunately, no clue what could be causing this.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
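As an added illustration (not INN's code and not from either poster), here is how a banner callback can reject an empty buffer list instead of dereferencing its first entry, which is the state gdb showed above (`*b == 0x0`). The `struct buffer_s`, `bufferBase()` and `getBannerSafe()` below are stand-ins modelled on the frames in the trace, and the banner text is constructed.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for innfeed's struct buffer_s (constructed, not INN's definition). */
typedef struct buffer_s {
    int refCount;
    char *mem;
    size_t memSize;
    size_t dataSize;
} *Buffer;

/* Like bufferBase() in the trace: returns the backing memory of one buffer.
 * The reported crash is exactly this dereference with buff == NULL. */
static char *bufferBase(Buffer buff) {
    assert(buff != NULL);
    return buff->mem;
}

/* Hardened banner handler. The buffer list is a NULL-terminated array of
 * Buffer; an empty list or a buffer with no data yields -1, success yields 0. */
int getBannerSafe(Buffer *b, char *out, size_t outLen) {
    if (b == NULL || b[0] == NULL)            /* empty list: do not touch b[0]->mem */
        return -1;
    Buffer first = b[0];
    if (first->mem == NULL || first->dataSize == 0)
        return -1;
    size_t n = first->dataSize < outLen - 1 ? first->dataSize : outLen - 1;
    memcpy(out, bufferBase(first), n);
    out[n] = '\0';
    return 0;
}

/* Constructed scenario from the report: a list whose first entry is NULL. */
int demoEmptyList(void) {
    Buffer b[] = { NULL };
    char out[64];
    return getBannerSafe(b, out, sizeof out);   /* -1, no segfault */
}

/* Constructed scenario of a well-formed list holding one banner buffer. */
int demoBannerList(void) {
    char banner[] = "200 news.example.invalid InterNetNews server ready";  /* constructed */
    struct buffer_s buf = { 1, banner, sizeof banner, strlen(banner) };
    Buffer b[] = { &buf, NULL };
    char out[64];
    if (getBannerSafe(b, out, sizeof out) != 0) return -1;
    return strncmp(out, "200 ", 4) == 0 ? 0 : -2;
}
```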
