Using the Seagull tool as a client to perform testing on an opendiameter server, if the Mandatory flag for the Origin-Host AVP is changed from "Set" to "Unset" (0x40 to 0x0) inside the Seagull dictionary file, the server crashes with this message:
> M-flag must be set
> Error in AVP Origin-Host.
> Parse error*** glibc detected *** /home/pcastro/ChargingDiameter/cplusplus/libdiameter/aaa_test_server3: free(): invalid pointer: 0x08c17438 ***
The problem may be in libdiamparser/src/aaa_parser_q_avplist.cxx ... around line 389. It throws an exception that may never get captured.
Backtrace:
>
> [pcastro@box Accounting]$ gdb ./aaa_test_server3
> GNU gdb Red Hat Linux (6.5-16.el5rh)
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".
>
> (gdb) run
> Starting program: /home/pcastro/ChargingDiameter/cplusplus/libdiameter/aaa_test_server3
> [Thread debugging using libthread_db enabled]
> [New Thread -1208793392 (LWP 30913)]
> [New Thread -1208796272 (LWP 30916)]
> [New Thread -1219286128 (LWP 30917)]
> [New Thread -1229775984 (LWP 30918)]
> [New Thread -1240265840 (LWP 30919)]
> [New Thread -1250755696 (LWP 30920)]
> [New Thread -1261245552 (LWP 30921)]
> (30913|3086173904) Starting diameter core
> [New Thread -1271735408 (LWP 30922)]
> (30913|3086173904) Product : Open Diameter
> (30913|3086173904) Version : 1
> (30913|3086173904) Vendor Id : 0
> (30913|3086173904) Supported Vendor : 0
> (30913|3086173904) Supported Vendor : 1
> (30913|3086173904) Auth Application : 1
> (30913|3086173904) Auth Application : 2
> (30913|3086173904) Auth Application : 4
> (30913|3086173904) Auth Application : 10000
> (30913|3086173904) Acct Application : 3
> (30913|3086173904) Acct Application : 4
> (30913|3086173904) Acct Application : 20000
> (30913|3086173904) Vendor Specific Id : (30913|3086173904) Vendor=31, Auth=1
> (30913|3086173904) Vendor Specific Id : (30913|3086173904) Vendor=41, Acct=6
> (30913|3086173904) Dictionary : ./config/dictionary.xml
> (30913|3086173904) Identity : box
> (30913|3086173904) Realm : box
> (30913|3086173904) TCP Listen : 3868
> (30913|3086173904) SCTP Listen : 1813
> (30913|3086173904) Watch-Dog timeout : 4
> (30913|3086173904) Use IPv6 : 0
> (30913|3086173904) Re-transmission Int : 8
> (30913|3086173904) Max Re-trans Int : 3
> (30913|3086173904) Recv Buffer Size : 2048
> (30913|3086173904) Dumping Peer Table
> (30913|3086173904) Expire Time 1
> (30913|3086173904) Peer : Host = isabelita, Port = 3868, TLS = 0
> (30913|3086173904) Dumping Route Table
> (30913|3086173904) Exp Time : 0
> (30913|3086173904) Route : Realm = oveja.org, Action = 0, Redirect-Usage = 0
> (30913|3086173904) Application Id=3, Vendor=0
> (30913|3086173904) Server = isabelita, metric = 2
> (30913|3086173904) Application Id=4, Vendor=0
> (30913|3086173904) Server = isabelita, metric = 2
> (30913|3086173904) Application Id=20000, Vendor=0
> (30913|3086173904) Server = isabelita, metric = 2
> (30913|3086173904) Default Route
> (30913|3086173904) Route : Realm = isabelita, Action = 0, Redirect-Usage = 0
> (30913|3086173904) Application Id=4, Vendor=0
> (30913|3086173904) Server = isabelita, metric = 4
> (30913|3086173904) Max Sess : 10000
> (30913|3086173904) Auth Stateful Auth : stateful
> (30913|3086173904) Auth Session(T) : 500
> (30913|3086173904) Auth Lifetime(T) : 500
> (30913|3086173904) Auth Grace(T) : 30
> (30913|3086173904) Auth Abort(T) : 20
> (30913|3086173904) Acct Session(T) : 100
> (30913|3086173904) Acct Interim Int : 5
> (30913|3086173904) Acct Real-Time : 1
> (30913|3086173904) Debug Log : enabled
> (30913|3086173904) Trace Log : enabled
> (30913|3086173904) Info Log : enabled
> (30913|3086173904) Console Log : enabled
> (30913|3086173904) Syslog Log : enabled
> Vendor [id = "61"]
> Vendor [name = "Merit Networks"]
> Vendor [id = "42"]
> Vendor [name = "Sun Microsystems, Inc."]
> Vendor [id = "429"]
> Vendor [name = "US Robotics Corp."]
> Base [uri = "ftp://ftp.ietf.org/internet-drafts/draft-ietf-aaa-diameter-08.txt"]
> Base [uri = "ftp://ftp.ietf.org/internet-drafts/draft-ietf-aaa-diameter-08.txt"]
> (30913|3086173904) TCP Acceptor Listening at 3868, binding to box
> [New Thread -1283458160 (LWP 30923)]
> (30913|3086173904) SCTP Acceptor Listening at 1813, binding to
> (30913|3011509136) Waiting for incomming connection ...
> [New Thread -1293948016 (LWP 30924)]
> (30913|3086173904) Trying to connect to to isabelita:3868
> (30913|3001019280) Waiting for incomming connection ...
> [New Thread -1304437872 (LWP 30925)]
> (30913|2990529424) Checking if connection attempt succeeded ...
> Just wait here and let factory take care of new sessions
> (30913|2990529424) Async Transport Setup Reports: Connection refused
> (30913|2990529424) IO Factory error: Connector [111=Connection refused]
> [Thread -1304437872 (LWP 30925) exited]
> [New Thread -1314927728 (LWP 30926)]
> (30913|3011509136) Waiting for incomming connection ...
> M-flag must be set
> Error in AVP Origin-Host.
> Parse error*** glibc detected *** /home/pcastro/ChargingDiameter/cplusplus/libdiameter/aaa_test_server3: free(): invalid pointer: 0x08c17438 ***
> ======= Backtrace: =========
> /lib/libc.so.6[0x166f7d]
> /lib/libc.so.6(cfree+0x90)[0x16a5d0]
> /usr/lib/libstdc++.so.6(_ZdlPv+0x21)[0x72c5ef1]
> /usr/lib/libACE.so.5.5.1(_ZN17ACE_Message_BlockD0Ev+0x58)[0x4604c8]
> /usr/lib/libACE.so.5.5.1(_ZN17ACE_Message_Block9release_iEP8ACE_Lock+0xb2)[0x4603d2]
> /usr/lib/libACE.so.5.5.1(_ZN17ACE_Message_Block7releaseEv+0xac)[0x461dcc]
> /home/pcastro/ChargingDiameter/Diameter/Accounting/aaa_test_server3[0x8072dfc]
> /home/pcastro/ChargingDiameter/Diameter/Accounting/aaa_test_server3[0x8088145]
> /home/pcastro/ChargingDiameter/Diameter/Accounting/aaa_test_server3[0x806082e]
> /usr/lib/libACE.so.5.5.1(_ZN13ACE_Task_Base7svc_runEPv+0x56)[0x49e1c6]
> /usr/lib/libACE.so.5.5.1(_ZN18ACE_Thread_Adapter8invoke_iEv+0x58)[0x49eb88]
> /usr/lib/libACE.so.5.5.1(_ZN18ACE_Thread_Adapter6invokeEv+0x66)[0x49ed56]
> /usr/lib/libACE.so.5.5.1(ace_thread_adapter+0x11)[0x434331]
> /lib/libpthread.so.0[0xd792db]
> /lib/libc.so.6(clone+0x5e)[0x1ce14e]
> ======= Memory map: ========
> Program received signal SIGABRT, Aborted.
> [Switching to Thread -1314927728 (LWP 30926)]
> 0x00dd9402 in __kernel_vsyscall ()
> (gdb) bt full
> #0 0x00dd9402 in __kernel_vsyscall ()
> No symbol table info available.
> #1 0x00129c00 in raise () from /lib/libc.so.6
> No symbol table info available.
> #2 0x0012b451 in abort () from /lib/libc.so.6
> No symbol table info available.
> #3 0x0015f21b in __libc_message () from /lib/libc.so.6
> No symbol table info available.
> #4 0x00166f7d in _int_free () from /lib/libc.so.6
> No symbol table info available.
> #5 0x0016a5d0 in free () from /lib/libc.so.6
> No symbol table info available.
> #6 0x072c5ef1 in operator delete () from /usr/lib/libstdc++.so.6
> No symbol table info available.
> #7 0x004604c8 in ~ACE_Message_Block (this=0x23b120) at Message_Block.cpp:955
> No locals.
> #8 0x004603d2 in ACE_Message_Block::release_i (this=0x8c17438, lock=0x0) at Message_Block.cpp:921
> result = 146895928
> #9 0x00461dcc in ACE_Message_Block::release (this=0x8c17438) at Message_Block.cpp:863
> tmp = (ACE_Data_Block *) 0x0
> destroy_dblock = <value optimized out>
> lock = <value optimized out>
> #10 0x08072dfc in AAAMessageBlock::Release (this=0x8c17438) at ../include/aaa_parser_defs.h:700
> No locals.
> #11 0x08088145 in DiameterRxMsgCollector::Message (this=0x8bf1600, data=0x8bf1728, length=0) at src/aaa_transport_collector.cxx:220
> eCode = 3009
> eType = AAA_PARSE_ERROR_TYPE_NORMAL
> st = (DiameterErrorCode &) @0x8bf10c8: {<AAAErrorCode> = {_vptr.AAAErrorCode = 0x80e36b8, type = AAA_PARSE_ERROR_TYPE_NORMAL, code = 3009}, avp = {
> static npos = 4294967295, _M_dataplus = {<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>},
> _M_p = 0x8bf1064 ""}}}
> aBuffer = (AAAMessageBlock *) 0x8c17438
> msg = {_M_ptr = 0x8c13d58}
> hdr = {ver = 1 '\001', length = 256, flags = {r = 1 '\001', p = 0 '\0', e = 0 '\0', t = 0 '\0', rsvd = 0 '\0'}, code = 257, appId = 0, hh = 0,
> ee = 0, dictHandle = 0xb3828da0}
> r_bytes = 256
> bHasHeaderError = false
> eDesc = {static npos = 4294967295,
> _M_dataplus = {<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x8bf1064 ""}}
> #12 0x0806082e in Diameter_IO<Diameter_ACE_Transport<ACE_SOCK_Acceptor, ACE_SOCK_Connector, ACE_SOCK_Stream, ACE_INET_Addr, 6>, DiameterRxMsgCollector>::svc
> (this=0x8bf1598) at ./include/aaa_transport_interface.h:198
> bytes = 256
> guard = {lock = @0x8bf1a2c}
> #13 0x0049e1c6 in ACE_Task_Base::svc_run (args=0x8bf1598) at Task.cpp:258
> svc_status = <value optimized out>
> #14 0x0049eb88 in ACE_Thread_Adapter::invoke_i (this=0x8c124b0) at Thread_Adapter.cpp:151
> hook = (class ACE_Thread_Hook *) 0x6
> func = (ACE_THR_FUNC) 0x49e170 <ACE_Task_Base::svc_run(void*)>
> arg = (void *) 0x8bf1598
> status = (ACE_THR_FUNC_RETURN) 0x0
> #15 0x0049ed56 in ACE_Thread_Adapter::invoke (this=0x8c124b0) at Thread_Adapter.cpp:95
> exit_hook_instance = (ACE_Thread_Exit *) 0x8c12158
> ---Type <return> to continue, or q <return> to quit---
> exit_hook_maybe = {instance_ = 0x0}
> exit_hook_ptr = (ACE_Thread_Exit *) 0x8c12158
> #16 0x00434331 in ace_thread_adapter (args=0x8c124b0) at Base_Thread_Adapter.cpp:137
> status = (ACE_THR_FUNC_RETURN) 0x0
> #17 0x00d792db in start_thread () from /lib/libpthread.so.0
> No symbol table info available.
> #18 0x001ce14e in clone () from /lib/libc.so.6
> No symbol table info available.
> (gdb)
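An added example, not code from this tracker entry or from Open Diameter: a plain-C model of the check that yields result code 3009 (DIAMETER_INVALID_AVP_BITS, the eCode visible in frame #11) for an Origin-Host AVP sent with flag byte 0x00, followed by an error path that releases the received block exactly once instead of twice. The names `avp_check`, `msgblock` and `collector_on_avp`, the one-entry dictionary and the sample AVP bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define AVP_ORIGIN_HOST 264u
#define AVP_FLAG_V 0x80u
#define AVP_FLAG_M 0x40u
#define DIAMETER_INVALID_AVP_BITS   3009u  /* eCode in the backtrace above */
#define DIAMETER_INVALID_AVP_LENGTH 5014u

/* Constructed dictionary subset: Origin-Host must carry the M-flag. */
static int dict_requires_mflag(uint32_t code) { return code == AVP_ORIGIN_HOST; }

/* Validate one AVP header (code:4, flags:1, length:3, optional vendor:4).
 * Returns 0 when the AVP is acceptable, otherwise the Diameter result code
 * the server would report in Failed-AVP. *consumed gets the padded size. */
uint32_t avp_check(const uint8_t *p, size_t len, size_t *consumed) {
    if (len < 8) return DIAMETER_INVALID_AVP_LENGTH;
    uint32_t code  = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    uint8_t  flags = p[4];
    uint32_t alen  = ((uint32_t)p[5] << 16) | ((uint32_t)p[6] << 8) | p[7];
    size_t   hdr   = (flags & AVP_FLAG_V) ? 12 : 8;
    if (alen < hdr || alen > len) return DIAMETER_INVALID_AVP_LENGTH;
    if (dict_requires_mflag(code) && !(flags & AVP_FLAG_M))
        return DIAMETER_INVALID_AVP_BITS;           /* "M-flag must be set" */
    *consumed = (alen + 3u) & ~(size_t)3u;           /* AVPs are padded to 32 bits */
    return 0;
}

/* Minimal stand-in for the received message block: one release per message.
 * Returns 1 for a valid release, 0 for the double release glibc aborted on. */
typedef struct { int refs; } msgblock;
int msgblock_release(msgblock *b) { if (b->refs <= 0) return 0; b->refs--; return 1; }

/* Collector error path with a single release: report the failed AVP, then
 * release the block once, whether or not parsing succeeded. */
uint32_t collector_on_avp(msgblock *b, const uint8_t *p, size_t len) {
    size_t used = 0;
    uint32_t rc = avp_check(p, len, &used);
    /* if (rc) SendFailedAvp(rc); -- reporting only, no extra Release() here */
    msgblock_release(b);                             /* single release on every path */
    return rc;
}

/* Constructed Origin-Host AVPs: code 264, length 11 (8 header + "box"), 1 pad byte.
 * Flag byte 0x00 is what the modified Seagull dictionary sends; 0x40 sets M. */
const uint8_t ORIGIN_HOST_NO_M[12] = {0,0,1,8, 0x00, 0,0,11, 'b','o','x', 0};
const uint8_t ORIGIN_HOST_M[12]    = {0,0,1,8, 0x40, 0,0,11, 'b','o','x', 0};
```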
There seems to be an extra aBuffer->Release(). Removing it fixes a similar problem for me.
G. Paul Ziemba <pz-diameter-developers@treehouse.napa.ca.us>
--- libdiameter/src/aaa_transport_collector.cxx.orig Thu Mar 1 08:46:38 2007
+++ libdiameter/src/aaa_transport_collector.cxx Thu May 8 09:57:29 2008
@@ -217,7 +217,6 @@
SendFailedAvp(st);
- aBuffer->Release();
m_Offset -= m_MsgLength;
ACE_OS::memcpy(m_Buffer, m_Buffer + m_Offset,
m_MsgLength);
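Review bot: Dropping `aBuffer->Release()` right after `SendFailedAvp(st)` is consistent with the backtrace (frame #11 at aaa_transport_collector.cxx:220 calls `AAAMessageBlock::Release` on the same `aBuffer` 0x8c17438 that glibc then rejects as an invalid pointer), but the hunk leaves no comment on who owns `aBuffer` once the error branch returns; a one-line comment at the removal site, or a note in the commit message, saying that the block is released by the caller or on the normal path would stop a later maintainer from reading this as a leak and reinstating the call. The rest of the error handling (`m_Offset -= m_MsgLength` and the memcpy that shifts the remaining bytes down) still runs, which is what you want; worth confirming with the Seagull M-flag=0x0 test from the report that the server now answers with a Failed-AVP instead of aborting.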