Bug 253786

Summary: segv during ushare startup
Product: Fedora
Reporter: Frank Ch. Eigler <fche>
Component: libupnp
Assignee: Eric Tanguy <eric.tanguy>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 7
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-02-26 18:59:38 UTC

Description Frank Ch. Eigler 2007-08-21 22:29:55 UTC
ushare crashes during startup on x86-64.  An i386 build of the same package/sources
works fine.  Versions:
  ushare-1.0-1.fc7
  libupnp-1.6.0-1.fc7
Here's a backtrace:
uShare (version 1.0), a lightweight UPnP Media Server.
Benjamin Zores (C) 2005-2007, for GeeXboX Team.
See http://ushare.geexbox.org/ for updates.
Initializing UPnP subsystem ...
[New Thread 1075841360 (LWP 3814)]
[New Thread 1077942608 (LWP 3815)]
[New Thread 1080043856 (LWP 3816)]
[New Thread 1082145104 (LWP 3817)]
[New Thread 1084246352 (LWP 3818)]
[New Thread 1086347600 (LWP 3819)]
[New Thread 1088448848 (LWP 3820)]
[New Thread 1090550096 (LWP 3821)]
UPnP MediaServer listening on 192.168.1.10:49152
Sending UPnP advertisement for device ...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912502831952 (LWP 3813)]
0x00002aaaaaaea388 in membuffer_insert (m=0x7fffd31e6180, buf=0x2aaaaaaf850b, 
    buf_len=46909632806913, index=<value optimized out>)
    at /usr/include/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) p __dest
No symbol "__dest" in current context.
(gdb) up
#1  0x00002aaaaaaec740 in http_MakeMessage (buf=0x7fffd31e6180, 
    http_major_version=1, http_minor_version=1, fmt=0x2aaaaaaf92ad "sdsdc")
    at src/genlib/net/http/httpreadwrite.c:1832
1832                if( membuffer_append
(gdb) l
1827                if( membuffer_append( buf, s, strlen( s ) ) != 0 ) {
1828                    goto error_handler;
1829                }
1830            } else if( c == 'K' ) {
1831                // Add Chunky header
1832                if( membuffer_append
1833                    ( buf, "TRANSFER-ENCODING: chunked\r\n",
1834                      strlen( "Transfer-Encoding: chunked\r\n" ) ) != 0 ) {
1835                    goto error_handler;
1836                }

The buf_len value is silly.  It gets corrupted just before:

(gdb) 
Continuing.

Breakpoint 1, membuffer_set_size (m=0x7fff2c4fa4b0, new_length=140733193388040)
    at src/genlib/util/membuffer.c:202
202     {
(gdb) bt
#0  membuffer_set_size (m=0x7fff2c4fa4b0, new_length=140733193388040)
    at src/genlib/util/membuffer.c:202
#1  0x00002aaaaaaea355 in membuffer_insert (m=0x7fff2c4fa4b0, 
    buf=0x2aaaaaaf850b, buf_len=140733193388033, index=7)
    at src/genlib/util/membuffer.c:450
#2  0x00002aaaaaaec740 in http_MakeMessage (buf=0x7fff2c4fa4b0, 
    http_major_version=1, http_minor_version=1, fmt=0x2aaaaaaf92ad "sdsdc")
    at src/genlib/net/http/httpreadwrite.c:1832
#3  0x00002aaaaaaecc79 in http_MakeMessage (buf=0x7fff2c4fa4b0, 
    http_major_version=1, http_minor_version=1, 
    fmt=0x2aaaaaaf850e "sssdcsdcsscsscsscSXcsscc")
    at src/genlib/net/http/httpreadwrite.c:1993
#4  0x00002aaaaaae474f in CreateServicePacket (msg_type=0, 
    nt=0x2aaaaaaf854f "upnp:rootdevice", 
    usn=0x7fff2c4fa540
"uuid:898f9738-d930-4db4-a3cf-00188b40dbe3::upnp:rootdevice", location=0x616728
"http://192.168.1.10:49152/description.xml", 
    duration=1800, packet=0x7fff2c4fa520) at src/ssdp/ssdp_device.c:334

(gdb) frame 2
#2  0x00002aaaaaaec740 in http_MakeMessage (buf=0x7fff2c4fa4b0, 
    http_major_version=1, http_minor_version=1, fmt=0x2aaaaaaf92ad "sdsdc")
    at src/genlib/net/http/httpreadwrite.c:1832
1832                if( membuffer_append
(gdb) p *buf
$7 = {buf = 0x616e00 "NOTIFY ", length = 7, capacity = 30, size_inc = 30}
(gdb) l
1827                if( membuffer_append( buf, s, strlen( s ) ) != 0 ) {
1828                    goto error_handler;
1829                }
1830            } else if( c == 'K' ) {
1831                // Add Chunky header
1832                if( membuffer_append
1833                    ( buf, "TRANSFER-ENCODING: chunked\r\n",
1834                      strlen( "Transfer-Encoding: chunked\r\n" ) ) != 0 ) {
1835                    goto error_handler;
1836                }

(gdb) frame 1
#1  0x00002aaaaaaea355 in membuffer_insert (m=0x7fff2c4fa4b0, 
    buf=0x2aaaaaaf850b, buf_len=140733193388033, index=7)
    at src/genlib/util/membuffer.c:450
450         return_code = membuffer_set_size( m, m->length + buf_len );
(gdb) l
445
446         if( buf == NULL || buf_len == 0 ) {
447             return 0;
448         }
449         // alloc mem
450         return_code = membuffer_set_size( m, m->length + buf_len );
451         if( return_code != 0 ) {
452             return return_code;
453         }
454         // insert data
(gdb) p m->length
$10 = 7
(gdb) p buf_len
$11 = 140733193388033
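
Added example, not code from libupnp, uShare or the reporter: the backtrace above shows membuffer_insert() checking only for a NULL buffer or a zero length before calling membuffer_set_size(m, m->length + buf_len), so a corrupted buf_len of 140733193388033 (0x7fff00000001, i.e. the high 32 bits look like a stack-address prefix and the low 32 bits are 1) is passed straight through as a request for a 128 TiB buffer. The stand-in below replays that state (a 7-byte "NOTIFY " buffer, then an append with the reported buf_len) through a length-validated insert that refuses the request instead of growing the buffer, and pairs it with a small helper that splits a suspicious 64-bit length into its two 32-bit halves for triage. The membuffer struct mirrors the field names printed by `p *buf`; MEMBUFFER_MAX_LEN, membuffer_set_size_checked, membuffer_insert_checked, membuffer_append_checked, high32, low32 and replay_report_append are assumed names for this illustration, and an LP64 build (64-bit size_t) is assumed.

```c
// Added example (not libupnp's or uShare's code). Assumes a 64-bit size_t.
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

// Stand-in for libupnp's membuffer; field names follow the `p *buf` output in the report.
typedef struct {
    char *buf;
    size_t length;
    size_t capacity;
    size_t size_inc;
} membuffer;

// Upper bound for a single HTTP/SSDP message buffer. Assumed value for this example;
// anything above it is treated as a corrupted length, not a real request.
#define MEMBUFFER_MAX_LEN ((size_t)64 * 1024 * 1024)

// Grow-only resize with the cap applied before any allocation. Returns 0 or -1.
static int membuffer_set_size_checked(membuffer *m, size_t new_length) {
    if (new_length > MEMBUFFER_MAX_LEN) return -1;
    if (new_length <= m->capacity) return 0;
    size_t new_cap = new_length + m->size_inc;
    char *p = realloc(m->buf, new_cap + 1);   // +1 keeps room for a terminating NUL
    if (p == NULL) return -1;
    m->buf = p;
    m->capacity = new_cap;
    return 0;
}

// Insert buf_len bytes at index. Unlike the call chain in the report, the
// addition m->length + buf_len is checked for wrap-around and the result is
// capped before membuffer_set_size_checked() is reached.
int membuffer_insert_checked(membuffer *m, const char *buf, size_t buf_len, size_t index) {
    if (buf == NULL || buf_len == 0) return 0;
    if (index > m->length) return -1;
    if (buf_len > SIZE_MAX - m->length) return -1;   // m->length + buf_len would wrap
    if (membuffer_set_size_checked(m, m->length + buf_len) != 0) return -1;
    memmove(m->buf + index + buf_len, m->buf + index, m->length - index);
    memcpy(m->buf + index, buf, buf_len);
    m->length += buf_len;
    m->buf[m->length] = '\0';
    return 0;
}

int membuffer_append_checked(membuffer *m, const char *buf, size_t buf_len) {
    return membuffer_insert_checked(m, buf, buf_len, m->length);
}

// Triage helpers: the high and low 32-bit halves of a suspicious 64-bit length.
uint32_t high32(uint64_t v) { return (uint32_t)(v >> 32); }
uint32_t low32(uint64_t v)  { return (uint32_t)(v & 0xffffffffu); }

// Replays the report: "NOTIFY " (length 7) already in the buffer, then an append
// with the corrupted buf_len from frame #1. Returns that append's return code,
// or -98 if the buffer was modified by the rejected call, -99 on setup failure.
int replay_report_append(void) {
    membuffer m = { NULL, 0, 0, 30 };
    if (membuffer_append_checked(&m, "NOTIFY ", 7) != 0) return -99;
    int rc = membuffer_append_checked(&m, "TRANSFER-ENCODING: chunked\r\n",
                                      (size_t)140733193388033ULL);
    int intact = (m.length == 7 && memcmp(m.buf, "NOTIFY ", 7) == 0);
    free(m.buf);
    return intact ? rc : -98;
}

// Same two appends with the correct 28-byte length; returns the final buffer length.
size_t replay_correct_append(void) {
    membuffer m = { NULL, 0, 0, 30 };
    if (membuffer_append_checked(&m, "NOTIFY ", 7) != 0) return 0;
    const char *hdr = "TRANSFER-ENCODING: chunked\r\n";
    if (membuffer_append_checked(&m, hdr, strlen(hdr)) != 0) return 0;
    size_t len = m.length;
    free(m.buf);
    return len;
}

int main(void) {
    uint64_t bad_len = 140733193388033ULL;   // buf_len from frame #1 of the report
    printf("buf_len=%llu -> high32=0x%x low32=0x%x\n",
           (unsigned long long)bad_len, high32(bad_len), low32(bad_len));
    printf("checked append with that length -> rc=%d\n", replay_report_append());
    printf("checked append with strlen() -> length=%zu\n", replay_correct_append());
    return 0;
}
```

The cap is the part that turns a silent crash inside memcpy into an immediate, diagnosable error return, and the high/low split is the first thing worth looking at when a size_t argument is absurdly large on x86_64 but the same code works on i386.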

Comment 1 Eric Tanguy 2007-08-22 06:30:34 UTC
Thanks for the report, but the best thing is to report this upstream at ushare.geexbox.org.