
#6 upnpd segfaults in libc*.so

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-08-21
Created: 2012-07-07
Private: No

Reported by some Debian users, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499827

upnpd[10145]: segfault at 7 ip b7e8a0a9 sp b4df81d0 error 4 in libc-2.7.so[b7e1a000+155000]

Mar 4 07:04:46 rover upnpd[18238]: ExpireMapping: Proto:UDP Port:4500
Mar 4 07:05:26 rover kernel: [476754.504058] upnpd[18241]: segfault at 90d46ee ip b7e6f8f7 sp b6de9bd8 error 4 in libc-2.7.so[b7e05000+138000]

Mar 8 00:57:42 rover upnpd[31797]: ExpireMapping: Proto:UDP Port:5353
Mar 8 00:57:42 rover upnpd[31797]: ExpireMapping: Proto:UDP Port:4500
Mar 8 00:58:27 rover kernel: [800334.797920] upnpd[31805]: segfault at a19072e ip b7eb98f7 sp b4633848 error 4 in libc-2.7.so[b7e4f000+138000]

Mar 11 09:27:36 rover upnpd[31747]: *** glibc detected *** /usr/sbin/upnpd: malloc(): memory corruption (fast): 0x08198d30 ***

Valgrind logs:

==9510== Thread 12:
==9510== Invalid write of size 4
==9510== at 0x804A0A0: free_expiration_event (gatedevice.c:770)
==9510== by 0x804A42F: ExpireMapping (gatedevice.c:797)
==9510== by 0x404871B: WorkerThread (ThreadPool.c:573)
==9510== by 0x4197F3A: start_thread (pthread_create.c:297)
==9510== by 0x411EBED: clone (in /usr/lib/debug/libc-2.7.so)
==9510== Address 0x434c01c is 108 bytes inside a block of size 124 free'd
==9510== at 0x4021B8A: free (vg_replace_malloc.c:323)
==9510== by 0x804C62A: pmlist_Delete (pmlist.c:206)
==9510== by 0x804A3A4: ExpireMapping (gatedevice.c:788)
==9510== by 0x404871B: WorkerThread (ThreadPool.c:573)
==9510== by 0x4197F3A: start_thread (pthread_create.c:297)
==9510== by 0x411EBED: clone (in /usr/lib/debug/libc-2.7.so)

==7610== Thread 9:
==7610== Invalid read of size 1
==7610== at 0x402377E: strcmp (mc_replace_strmem.c:337)
==7610== by 0x804B895: HandleActionRequest (gatedevice.c:121)
==7610== by 0x804BD92: EventHandler (gatedevice.c:36)
==7610== by 0x403128D: handle_invoke_action (soap_device.c:972)
==7610== by 0x40316D0: soap_device_callback (soap_device.c:1062)
==7610== by 0x40329AC: handle_request (miniserver.c:196)
==7610== by 0x404871B: WorkerThread (ThreadPool.c:573)
==7610== by 0x4197F3A: start_thread (pthread_create.c:297)
==7610== by 0x411EBED: clone (in /usr/lib/debug/libc-2.7.so)
==7610== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==7610==
==7610== Process terminating with default action of signal 11 (SIGSEGV)
==7610== Access not within mapped region at address 0x0
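As an added triage aid (not part of this ticket or of the upnpd project's code), the following Python parses Valgrind error blocks like the two above and labels each one from its "Address" line: a write into a block that is "free'd" becomes a use-after-free with the freeing stack captured, and an access near address 0 becomes a NULL dereference. The sample input is the ticket's own Valgrind output with some frames trimmed.

```python
import re
from dataclasses import dataclass, field

# The two Valgrind excerpts from the ticket, embedded here as sample input (trimmed frames).
VALGRIND_LOG = """\
==9510== Thread 12:
==9510== Invalid write of size 4
==9510==    at 0x804A0A0: free_expiration_event (gatedevice.c:770)
==9510==    by 0x804A42F: ExpireMapping (gatedevice.c:797)
==9510==    by 0x404871B: WorkerThread (ThreadPool.c:573)
==9510==  Address 0x434c01c is 108 bytes inside a block of size 124 free'd
==9510==    at 0x4021B8A: free (vg_replace_malloc.c:323)
==9510==    by 0x804C62A: pmlist_Delete (pmlist.c:206)
==9510==    by 0x804A3A4: ExpireMapping (gatedevice.c:788)
==7610== Thread 9:
==7610== Invalid read of size 1
==7610==    at 0x402377E: strcmp (mc_replace_strmem.c:337)
==7610==    by 0x804B895: HandleActionRequest (gatedevice.c:121)
==7610==    by 0x804BD92: EventHandler (gatedevice.c:36)
==7610==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
"""

ERROR = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
ADDR = re.compile(r"^==\d+==\s+Address 0x([0-9a-f]+) is (.*)$")

@dataclass
class Finding:
    kind: str                     # Valgrind headline, e.g. "Invalid write of size 4"
    category: str = "unknown"     # triage label derived from the Address line
    frames: list = field(default_factory=list)    # faulting stack, innermost first
    freed_by: list = field(default_factory=list)  # stack that freed the block, if any

def parse_valgrind(text):
    """Return one Finding per Valgrind error block (function names only)."""
    findings, cur, target = [], None, None
    for line in text.splitlines():
        if m := ERROR.match(line):
            cur = Finding(kind=m.group(1)); findings.append(cur); target = cur.frames
        elif cur and (m := ADDR.match(line)):
            addr, desc = m.groups()
            target = None              # only a "free'd at" stack may follow the Address line
            if "inside a block" in desc and "free'd" in desc:
                cur.category, target = "use-after-free", cur.freed_by
            elif int(addr, 16) < 4096:   # page-zero access: NULL (or near-NULL) dereference
                cur.category = "null-deref"
        elif (m := FRAME.match(line)) and target is not None:
            target.append(m.group(1))
    return findings
```

Run over the ticket's log this yields two findings: the write in free_expiration_event into a block freed by pmlist_Delete (both under ExpireMapping), and the strcmp on a NULL pointer reached from HandleActionRequest.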

Discussion

  • Nick Leverton - 2012-07-07

    Many thanks indeed to Rob Leslie for persistent investigation over a period of some years:

    "It may be premature (there could still be other unresolved issues), but I have not yet encountered any problems after deploying the attached patch.

    --
    Rob Leslie"
