[Olsr-dev] OLSRv2 Segfault

Vigneswaran R (spam-protected)
Mon Dec 30 04:50:55 CET 2013


On 12/28/2013 12:17 AM, Henning Rogge wrote:
> Hi,
>
> thank you for the bug report, I would like to dig a little bit deeper
> into this problem (maybe writing an automatic test-case afterwards).
>
> Can you post the whole stacktrace from GDB first? That would allow us to
> identify if the error happens during the creation of a Hello or a TC.

Please find the GDB log attached. Thanks.

vignesh

> Henning Rogge
>
> On Fri, Dec 27, 2013 at 11:10 AM, Vigneswaran R <(spam-protected)> wrote:
>> Hello,
>>
>> I am running olsrd2 on a few (qemu) virtual machines. On one of the virtual
>> machines, olsrd2 segfaults within a few seconds. I am invoking OLSRd2 in the
>> following manner,
>>
>>      ./olsrd2 --set interface[eth0].bindto=10.0.0.0/8 --set
>> interface[eth1].bindto=10.0.0.0/8 --set interface[eth2].bindto=10.0.0.0/8
>>
>> Traced the error using gdb to some extent. Please see the following patch
>> for context.
>>
>> In general, addr_start->_block_end becomes NULL just before exiting from the
>> do..while loop. However, in some cases, addr_start->_block_end becomes NULL
>> before the do..while loop meets the exit criterion (addr_end == last_addr).
>> So the loop continues and tries to dereference a NULL pointer, causing a
>> segfault.
>>
>> --- a/oonf_api/src-api/rfc5444/rfc5444_msg_generator.c    2013-12-19
>> 18:27:48.471467295 +0530
>> +++ b/oonf_api/src-api/rfc5444/rfc5444_msg_generator.c    2013-12-27
>> 14:15:14.000000000 +0530
>> @@ -1180,7 +1180,7 @@
>>       tlvblock_length[0] = (ptr - tlvblock_length - 2) >> 8;
>>       tlvblock_length[1] = (ptr - tlvblock_length - 2) & 255;
>>       addr_start = list_next_element(addr_end, _addr_node);
>> -  } while (addr_end != last_addr);
>> +  } while (addr_end != last_addr && addr_start->_block_end != NULL);
>>
>>     /* store size of address(tlv) data */
>>     msg->_bin_addr_size = ptr - start;
>>
>>
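Review bot: The added `addr_start->_block_end != NULL` test in the `while` condition ends the loop as if it had completed, so when `_block_end` is NULL before `addr_end == last_addr` the remaining addresses are skipped and `msg->_bin_addr_size = ptr - start` is stored for a shortened address section without any error being raised. Because the test sits at the bottom of a `do ... while`, it also does not cover the first pass through the loop body. Suggest handling the NULL case explicitly (log it and fail the message) and tracking down why `_block_end` is unset for that address, rather than folding it into the exit condition.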
>> I am using the latest oonf_api (last commit:
>> 2355db6a460abe10cc7096842b3b10686c68012c) and olsrd2 (last commit:
>> 23051120419372a175ddb08fa8a3bb8d7d709f1e) repositories.
>>
>> The Interface details are,
>>
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>      inet 127.0.0.1/8 scope host lo
>>      inet6 ::1/128 scope host
>>         valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
>> UP qlen 1000
>>      link/ether de:ad:be:ef:5a:38 brd ff:ff:ff:ff:ff:ff
>>      inet 10.5.11.1/8 brd 10.255.255.255 scope global eth0
>>      inet6 fe80::dcad:beff:feef:5a38/64 scope link
>>         valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
>> UP qlen 1000
>>      link/ether de:ad:be:ef:0d:2f brd ff:ff:ff:ff:ff:ff
>>      inet 10.5.11.2/8 brd 10.255.255.255 scope global eth1
>>      inet6 fe80::dcad:beff:feef:d2f/64 scope link
>>         valid_lft forever preferred_lft forever
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
>> UP qlen 1000
>>      link/ether de:ad:be:ef:5a:39 brd ff:ff:ff:ff:ff:ff
>>      inet 10.5.11.3/8 brd 10.255.255.255 scope global eth2
>>      inet6 fe80::dcad:beff:feef:5a39/64 scope link
>>         valid_lft forever preferred_lft forever
>>
>>
>> Regards,
>> Vignesh
>>
>> --
>> Olsr-dev mailing list
>> (spam-protected)
>> https://lists.olsr.org/mailman/listinfo/olsr-dev

-------------- next part --------------
Starting program: /root/olsrd2 --set interface\[eth0\].bindto=10.0.0.0/8 --set interface\[eth1\].bindto=10.0.0.0/8 --set interface\[eth2\].bindto=10.0.0.0/8
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0807ec6a in _write_addresses (writer=0x80c1b58, msg=0x80be9f0, 
    first_addr=0x80c7bc8, last_addr=0x80c7988)
    at /root/oonf_api/src-api/rfc5444/rfc5444_msg_generator.c:1119
1119	/root/oonf_api/src-api/rfc5444/rfc5444_msg_generator.c: No such file or directory.
	in /root/oonf_api/src-api/rfc5444/rfc5444_msg_generator.c
Missing separate debuginfos, use: debuginfo-install glibc-2.14.90-24.fc16.6.i686 libnl3-3.2.7-1.fc16.i686
#0  0x0807ec6a in _write_addresses (writer=0x80c1b58, msg=0x80be9f0, 
    first_addr=0x80c7bc8, last_addr=0x80c7988)
    at /root/oonf_api/src-api/rfc5444/rfc5444_msg_generator.c:1119
#1  0x0807f1fa in _finalize_message_fragment (writer=0x80c1b58, msg=0x80be9f0, 
    first=0x80c7bc8, last=0x80c7988, not_fragmented=true, 
    useIf=0x807d8ed <rfc5444_writer_singletarget_selector>, param=0x80d0208)
    at /root/oonf_api/src-api/rfc5444/rfc5444_msg_generator.c:1271
#2  0x0807d8c2 in rfc5444_writer_create_message (writer=0x80c1b58, 
    msgid=0 '\000', useIf=0x807d8ed <rfc5444_writer_singletarget_selector>, 
    param=0x80d0208)
    at /root/oonf_api/src-api/rfc5444/rfc5444_msg_generator.c:344
#3  0x0807d091 in rfc5444_writer_create_message (writer=0x80c1b58, 
    msgid=0 '\000', useIf=0x806f9ec <_cb_single_target_selector>, 
    param=0x80d0208)
    at /root/oonf_api/src-api/rfc5444/rfc5444_msg_generator.c:138
#4  0x0806e1e5 in oonf_rfc5444_send_if (target=0x80d0208, msgid=0 '\000')
    at /root/oonf_api/src-api/subsystems/oonf_rfc5444.c:354
#5  0x08059a06 in nhdp_writer_send_hello (ninterf=0x80be148)
    at /root/olsrd2/src/nhdp/nhdp_writer.c:168
#6  0x08056fa2 in _cb_generate_hello (ptr=0x80be148)
    at /root/olsrd2/src/nhdp/nhdp_interfaces.c:419
#7  0x08073fd3 in oonf_timer_walk ()
    at /root/oonf_api/src-api/subsystems/oonf_timer.c:282
#8  0x0807045e in oonf_socket_handle (
    stop_scheduler=0x8050b67 <_cb_stop_scheduler>, 
    stop_time=18446744073709551615)
    at /root/oonf_api/src-api/subsystems/oonf_socket.c:160
#9  0x080509ad in mainloop (argc=7, argv=0xbffff664)
    at /root/olsrd2/src/oonf_main.c:403
#10 0x0805066f in main (argc=7, argv=0xbffff664)
    at /root/olsrd2/src/oonf_main.c:311
A debugging session is active.

	Inferior 1 [process 25038] will be killed.

Quit anyway? (y or n) 
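
The failure mode described in the report, modelled as an added example (not code from oonf_api or from either poster). `struct addr`, `walk_truncating`, `walk_checked` and `run_sample` are hypothetical names and the list is a simplified stand-in for the writer's address list; the block contrasts a loop that exits quietly on a NULL block end with one that reports the inconsistency.

```c
#include <stdio.h>

/* Hypothetical stand-in for the writer's address list: the first entry of
 * each block points at the entry that ends the block. */
struct addr {
    struct addr *next;       /* next address in the message */
    struct addr *block_end;  /* end of the block starting here, or NULL */
};

/* Same shape as the patched exit condition: stop quietly on a NULL block end.
 * Returns the number of addresses emitted, with no sign of truncation. */
static int walk_truncating(struct addr *first, struct addr *last) {
    struct addr *start = first, *end;
    int written = 0;
    do {
        end = start->block_end;
        for (struct addr *a = start; ; a = a->next) {
            written++;
            if (a == end) break;
        }
        start = end->next;
    } while (end != last && start->block_end != NULL);
    return written;
}

/* Fail-closed variant: address count, or -1 if a block has no end pointer
 * or the list runs out before last is reached. */
static int walk_checked(struct addr *first, struct addr *last) {
    int written = 0;
    for (struct addr *start = first; start != NULL; start = start->block_end->next) {
        if (start->block_end == NULL) return -1;
        for (struct addr *a = start; ; a = a->next) {
            if (a == NULL) return -1;  /* block end not reachable from start */
            written++;
            if (a == start->block_end) break;
        }
        if (start->block_end == last) return written;
    }
    return -1;
}

/* Constructed sample: four addresses in blocks {a0,a1} and {a2,a3}.
 * With broken != 0 the second block's end pointer is left NULL. */
static int run_sample(int broken, int checked) {
    struct addr a[4] = {{0}};
    for (int i = 0; i < 3; i++) a[i].next = &a[i + 1];
    a[0].block_end = &a[1];
    a[2].block_end = broken ? NULL : &a[3];
    return checked ? walk_checked(&a[0], &a[3]) : walk_truncating(&a[0], &a[3]);
}

int main(void) {
    printf("truncating=%d checked=%d\n", run_sample(1, 0), run_sample(1, 1));
    return 0;
}
```

On the broken sample the first walk reports two addresses as if the message were complete, while the second returns an error the caller can act on.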

