
#7 SEGV when logging IORs with %n on Linux

v2.6
open
nobody
None
5
2010-10-15
2010-10-15
No

When logging unreachable proxies, possible printf directives in the string are not escaped.
We've tested this running version 2.6.2 on an Ubuntu 8.04 machine.

[New process 25288]
#0 0xb785d64d in vfprintf () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0 0xb785d64d in vfprintf () from /lib/tls/i686/cmov/libc.so.6
#1 0xb78ef4e6 in __vsyslog_chk () from /lib/tls/i686/cmov/libc.so.6
#2 0xb78ef6da in syslog () from /lib/tls/i686/cmov/libc.so.6
#3 0x0804ec8d in OmniEvents::DaemonImpl::log (
message=0x807847c "Object failure: IDL:omg.org/CosEventComm/PushConsumer:1.0 \".%n.L..Y1.....\" at eld-yog1:33681 threw TRANSIENT (TRANSIENT_ConnectFailed)\n") at daemon_unix.cc:288
#4 0xb7db90d2 in omniORB::logger::~logger () from /usr/lib/libomniORB4.so.1
#5 0xb7f18e30 in OmniEvents::Orb::reportObjectFailure (this=0xb7f977c0, here=0xb7f61e6d "ProxyPushSupplier.cc:325", obj=0x8073854,
ex=0x80695a8) at Orb.cc:248
#6 0xb7f2c3ca in OmniEvents::ProxyPushSupplier_i::trigger (this=0x8073388, busy=@0xb680d39b, waiting=@0xb680d39a)
at ProxyPushSupplier.cc:325
#7 0xb7f2a6f9 in OmniEvents::ProxyPushSupplierManager::run_undetached (this=0x8072c80) at ProxyPushSupplier.cc:169
#8 0xb7aaac4d in omni_thread_wrapper () from /usr/lib/libomnithread.so.3
#9 0xb79714fb in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#10 0xb78f2e5e in clone () from /lib/tls/i686/cmov/libc.so.6

==========================

A catior of this IOR shows the ID with printf directives:
Type ID: "IDL:omg.org/CosEventComm/PushConsumer:1.0"
Profiles:
1. IIOP 1.2 ibi-yog1 43568 "....L..%n....."
TAG_ORB_TYPE omniORB
TAG_CODE_SETS char native code set: ISO-8859-1
char conversion code set: UTF-8
wchar native code set: UTF-16
wchar conversion code set: UTF-16

==========================

The proposed patch is to write messages to syslog using the %s printf directive and passing the message as a printf arg:

--- daemon_unix.cc_old 2010-10-15 12:40:56.000000000 +0200
+++ daemon_unix.cc 2010-10-15 11:54:13.000000000 +0200
@@ -285,7 +285,7 @@
}
}
// Send the message.
- ::syslog(priority,message);
+ ::syslog(priority,"%s",message);
#ifndef LOG_PERROR
// If we don't have LOG_PERROR, then we'll have to manually send
// log messages to stderr.
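
Review bot: the stderr fallback that begins at `#ifndef LOG_PERROR`, directly below the changed `::syslog` line, is cut off by the hunk's context and needs the same check. If that branch passes `message` to a printf-family function as the format string, a `%n` carried in from an IOR will reach vfprintf there exactly as it did through syslog; it should use a constant format such as `fprintf(stderr, "%s", message)` or plain `fputs(message, stderr)`. A short comment on the new `"%s"` argument, saying that `message` can contain bytes taken from an IOR, would also keep a later cleanup from folding the call back to two arguments.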

==========================
We've tested it and now these messages are logged correctly.
