#90 Segfault in hash_drv

v3.9.0
open
nobody
daemon (84)
5
2010-01-31
2010-01-31
No

I get a reproducible segfault in _hash_drv_seek(). There it tries
to access 'rec = map->addr + offset + fpos;', which is outside of the
file.

The crash happens when reading *rec at

| while(rec->hashcode != hashcode && /* Match token */
| rec->hashcode != 0 && /* Insert on empty */
| iterations < map->max_seek) /* Max Iterations */
| {

--------

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb732bb90 (LWP 21466)]
0xb7330d78 in _hash_drv_seek (map=0x9b4cf30, offset=16147856, hashcode=8190488820513531703, flags=0) at hash_drv.c:1193
1193 hash_drv.c: No such file or directory.
in hash_drv.c
(gdb) bt
#0 0xb7330d78 in _hash_drv_seek (map=0x9b4cf30, offset=16147856, hashcode=8190488820513531703, flags=0) at hash_drv.c:1193
#1 0xb7331022 in _hash_drv_get_spamrecord (map=0x9b4cf30, wrec=0xb73262ac) at hash_drv.c:1281
#2 0xb732f75e in _ds_get_spamrecord (CTX=0x9b3b3f0, token=8190488820513531703, stat=0xb7326320) at hash_drv.c:758
#3 0xb7878267 in _ds_get_spamrecord (CTX=0x9b3b3f0, token=8190488820513531703, stat=0xb7326320) at storage_driver.c:133
#4 0xb732f4b6 in _ds_getall_spamrecords (CTX=0x9b3b3f0, diction=0x9b01290) at hash_drv.c:679
#5 0xb78783c1 in _ds_getall_spamrecords (CTX=0x9b3b3f0, diction=0x9b01290) at storage_driver.c:94
#6 0xb786c6e5 in _ds_operate (CTX=0x9b3b3f0, headers=0x9b39d58 "Message-ID: <HP-SERVER-1869qAr5z00006c6d@hp-server-186.arvatologistics.com.cn>", body=0x9b3d0e8 "Your") at libdspam.c:902
#7 0xb786d1b8 in dspam_process (CTX=0x9b3b3f0,
message=0x9b3b6c8 "Message-ID: <HP-SERVER-1869qAr5z00006c6d@hp-server-186.arvatologistics.com.cn>\nX-OriginalArrivalTime: 30 Jan 2010 23:02:21.0230 (UTC) FILETIME=[473C14E0:01CAA200]\nX-TM-AS-Product-Ver: SMEX-10.0.0.1412"...) at libdspam.c:593
#8 0x08053050 in process_message (ATX=0x9abda58, message=0x9b29128, username=0x9b3ecd8 "spampiggy", result_string=0xb7329a8c) at dspam.c:531
#9 0x08053d85 in process_users (ATX=0x9abda58, message=0x9abe5c8) at dspam.c:1892
#10 0x080563b4 in process_connection (ptr=0x9abd418) at daemon.c:737
#11 0xb785273b in start_thread () from /lib/libpthread.so.0
#12 0xb77d8cfe in clone () from /lib/libc.so.6

(gdb) info locals
header = (hash_drv_header_t) 0xb6abe590
rec = (hash_drv_spam_record_t) 0xb6b2b318
fpos = 445832
iterations = 0
(gdb) p *map
$3 = {addr = 0xb5b58000, fd = 6, file_len = 16591704, header = 0x9b19b00, filename = "/var/lib/dspam/data/s/p/spampiggy/spampiggy.css", '\0' <repeats 4048 times>, max_seek = 10, max_extents = 0, extent_size = 49157, pctincrease = 10, flags = 1}
(gdb) p *header
$5 = {hash_rec_max = 140241, totals = {spam_learned = 0, innocent_learned = 0, spam_misclassified = 0, innocent_misclassified = 0, spam_corpusfed = 0, innocent_corpusfed = 0, spam_classified = 0, innocent_classified = 0}, padding = "\000\000\000"}

(gdb) up
#1 0xb7366022 in _hash_drv_get_spamrecord (map=0x87aff30, wrec=0xb735b2ac) at hash_drv.c:1281
1281 in hash_drv.c
(gdb) info locals
rec = (hash_drv_spam_record_t) 0xb5e31b38
offset = 16147856
extents = 12
rec_offset = 0
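
The bounds check that the access described in this report lacks, written as an added example (not code from dspam or from the reporter) and fed the values shown in the gdb session above. The function names are hypothetical, and the 16-byte record size and 40-byte header size are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes for illustration only; not taken from the report. */
#define REC_SIZE 16u
#define HDR_SIZE 40u

/* True only if the record at map->addr + offset + fpos lies wholly inside
 * the mapped file. Subtractions are ordered so nothing can wrap around. */
static bool rec_in_bounds(uint64_t file_len, uint64_t offset,
                          uint64_t fpos, uint64_t rec_size)
{
    if (offset > file_len)
        return false;
    uint64_t room = file_len - offset;   /* bytes from extent start to EOF */
    if (fpos > room)
        return false;
    return rec_size <= room - fpos;
}

/* True only if an extent whose header claims rec_max records fits between
 * offset and the end of the file. Checked once per extent, this rejects a
 * bad header before any record in it is dereferenced. */
static bool extent_in_bounds(uint64_t file_len, uint64_t offset,
                             uint64_t hdr_size, uint64_t rec_max,
                             uint64_t rec_size)
{
    if (rec_size == 0 || offset > file_len || hdr_size > file_len - offset)
        return false;
    uint64_t room = file_len - offset - hdr_size;
    return rec_max <= room / rec_size;
}

int main(void)
{
    /* Values from the gdb output: p *map, info locals, p *header. */
    const uint64_t file_len = 16591704, offset = 16147856;
    const uint64_t fpos = 445832, hash_rec_max = 140241;

    printf("offset + fpos = %llu, file_len = %llu\n",
           (unsigned long long)(offset + fpos), (unsigned long long)file_len);
    printf("record in bounds: %d\n",
           rec_in_bounds(file_len, offset, fpos, REC_SIZE));
    printf("extent in bounds: %d\n",
           extent_in_bounds(file_len, offset, HDR_SIZE, hash_rec_max, REC_SIZE));
    return 0;
}
```

With the reported values, offset + fpos is 16593688, which is past file_len (16591704) and equals rec - map->addr from the two gdb dumps.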
