Bug 253786 - segv during ushare startup
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: libupnp (Show other bugs)
Version: 7
Hardware: x86_64 Linux
Priority: low  Severity: low
Assigned To: Eric Tanguy
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-08-21 18:29 EDT by Frank Ch. Eigler
Modified: 2008-02-26 13:59 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-02-26 13:59:38 EST
Description Frank Ch. Eigler 2007-08-21 18:29:55 EDT
ushare crashes during startup on x86-64.  An i386 build of the same package/sources
works fine.  Versions:
  ushare-1.0-1.fc7
  libupnp-1.6.0-1.fc7
Here's a backtrace:
uShare (version 1.0), a lightweight UPnP Media Server.
Benjamin Zores (C) 2005-2007, for GeeXboX Team.
See http://ushare.geexbox.org/ for updates.
Initializing UPnP subsystem ...
[New Thread 1075841360 (LWP 3814)]
[New Thread 1077942608 (LWP 3815)]
[New Thread 1080043856 (LWP 3816)]
[New Thread 1082145104 (LWP 3817)]
[New Thread 1084246352 (LWP 3818)]
[New Thread 1086347600 (LWP 3819)]
[New Thread 1088448848 (LWP 3820)]
[New Thread 1090550096 (LWP 3821)]
UPnP MediaServer listening on 192.168.1.10:49152
Sending UPnP advertisement for device ...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912502831952 (LWP 3813)]
0x00002aaaaaaea388 in membuffer_insert (m=0x7fffd31e6180, buf=0x2aaaaaaf850b, 
    buf_len=46909632806913, index=<value optimized out>)
    at /usr/include/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) p __dest
No symbol "__dest" in current context.
(gdb) up
#1  0x00002aaaaaaec740 in http_MakeMessage (buf=0x7fffd31e6180, 
    http_major_version=1, http_minor_version=1, fmt=0x2aaaaaaf92ad "sdsdc")
    at src/genlib/net/http/httpreadwrite.c:1832
1832                if( membuffer_append
(gdb) l
1827                if( membuffer_append( buf, s, strlen( s ) ) != 0 ) {
1828                    goto error_handler;
1829                }
1830            } else if( c == 'K' ) {
1831                // Add Chunky header
1832                if( membuffer_append
1833                    ( buf, "TRANSFER-ENCODING: chunked\r\n",
1834                      strlen( "Transfer-Encoding: chunked\r\n" ) ) != 0 ) {
1835                    goto error_handler;
1836                }

The buf_len value is silly.  It gets corrupted just before:

(gdb) 
Continuing.

Breakpoint 1, membuffer_set_size (m=0x7fff2c4fa4b0, new_length=140733193388040)
    at src/genlib/util/membuffer.c:202
202     {
(gdb) bt
#0  membuffer_set_size (m=0x7fff2c4fa4b0, new_length=140733193388040)
    at src/genlib/util/membuffer.c:202
#1  0x00002aaaaaaea355 in membuffer_insert (m=0x7fff2c4fa4b0, 
    buf=0x2aaaaaaf850b, buf_len=140733193388033, index=7)
    at src/genlib/util/membuffer.c:450
#2  0x00002aaaaaaec740 in http_MakeMessage (buf=0x7fff2c4fa4b0, 
    http_major_version=1, http_minor_version=1, fmt=0x2aaaaaaf92ad "sdsdc")
    at src/genlib/net/http/httpreadwrite.c:1832
#3  0x00002aaaaaaecc79 in http_MakeMessage (buf=0x7fff2c4fa4b0, 
    http_major_version=1, http_minor_version=1, 
    fmt=0x2aaaaaaf850e "sssdcsdcsscsscsscSXcsscc")
    at src/genlib/net/http/httpreadwrite.c:1993
#4  0x00002aaaaaae474f in CreateServicePacket (msg_type=0, 
    nt=0x2aaaaaaf854f "upnp:rootdevice", 
    usn=0x7fff2c4fa540
"uuid:898f9738-d930-4db4-a3cf-00188b40dbe3::upnp:rootdevice", location=0x616728
"http://192.168.1.10:49152/description.xml", 
    duration=1800, packet=0x7fff2c4fa520) at src/ssdp/ssdp_device.c:334

(gdb) frame 2
#2  0x00002aaaaaaec740 in http_MakeMessage (buf=0x7fff2c4fa4b0, 
    http_major_version=1, http_minor_version=1, fmt=0x2aaaaaaf92ad "sdsdc")
    at src/genlib/net/http/httpreadwrite.c:1832
1832                if( membuffer_append
(gdb) p *buf
$7 = {buf = 0x616e00 "NOTIFY ", length = 7, capacity = 30, size_inc = 30}
(gdb) l
1827                if( membuffer_append( buf, s, strlen( s ) ) != 0 ) {
1828                    goto error_handler;
1829                }
1830            } else if( c == 'K' ) {
1831                // Add Chunky header
1832                if( membuffer_append
1833                    ( buf, "TRANSFER-ENCODING: chunked\r\n",
1834                      strlen( "Transfer-Encoding: chunked\r\n" ) ) != 0 ) {
1835                    goto error_handler;
1836                }

(gdb) frame 1
#1  0x00002aaaaaaea355 in membuffer_insert (m=0x7fff2c4fa4b0, 
    buf=0x2aaaaaaf850b, buf_len=140733193388033, index=7)
    at src/genlib/util/membuffer.c:450
450         return_code = membuffer_set_size( m, m->length + buf_len );
(gdb) l
445
446         if( buf == NULL || buf_len == 0 ) {
447             return 0;
448         }
449         // alloc mem
450         return_code = membuffer_set_size( m, m->length + buf_len );
451         if( return_code != 0 ) {
452             return return_code;
453         }
454         // insert data
(gdb) p m->length
$10 = 7
(gdb) p buf_len
$11 = 140733193388033
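As an added illustration (not part of the report or of libupnp's code): the two `buf_len` values in the traces decode to an address-like upper 32 bits (0x7fff and 0x2aaa, the same prefixes as the stack and library addresses in the same frames) over a low half of 1, so `m->length + buf_len` hands membuffer_set_size an absurd size. The stand-in below uses hypothetical names (`membuffer_insert_checked`, `MEMBUF_MAX_LEN`) and rejects such a length before any allocation or copy, which is the check a defender would want in the insert path regardless of how the value was produced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the membuffer struct seen in the gdb output
 * (buf/length/capacity); not libupnp's actual definition. */
typedef struct { char *buf; size_t length; size_t capacity; } membuffer;

/* Hypothetical per-message cap: no SSDP/HTTP header block needs > 1 MiB. */
#define MEMBUF_MAX_LEN ((size_t)1 << 20)

/* Split a 64-bit length into halves; a non-zero high half on a value that
 * should be a small string length is the smell visible in the traces. */
uint32_t high_half(uint64_t v) { return (uint32_t)(v >> 32); }
uint32_t low_half(uint64_t v)  { return (uint32_t)v; }

/* Hardened insert: bounds-check index and length, refuse sizes that would
 * overflow or exceed the cap, and only then grow and copy. Returns 0 on
 * success, -1 on a rejected argument or allocation failure. */
int membuffer_insert_checked(membuffer *m, const void *buf, size_t buf_len,
                             size_t index)
{
    if (buf == NULL || buf_len == 0) return 0;
    if (index > m->length) return -1;
    if (buf_len > MEMBUF_MAX_LEN || buf_len > SIZE_MAX - m->length) return -1;
    size_t need = m->length + buf_len;
    if (need + 1 > m->capacity) {           /* +1 keeps a NUL terminator */
        char *p = realloc(m->buf, need + 1);
        if (p == NULL) return -1;
        m->buf = p;
        m->capacity = need + 1;
    }
    memmove(m->buf + index + buf_len, m->buf + index, m->length - index);
    memcpy(m->buf + index, buf, buf_len);
    m->length = need;
    m->buf[m->length] = '\0';
    return 0;
}

int main(void)
{
    uint64_t seen = 140733193388033ULL;     /* buf_len from the second trace */
    printf("buf_len hi=0x%x lo=%u\n", high_half(seen), low_half(seen));
    membuffer m = { NULL, 0, 0 };
    membuffer_insert_checked(&m, "NOTIFY ", 7, 0);
    int rc = membuffer_insert_checked(&m, "\r\n", (size_t)seen, m.length);
    printf("insert of bogus length -> rc=%d, length still %zu\n", rc, m.length);
    free(m.buf);
    return 0;
}
```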
Comment 1 Eric Tanguy 2007-08-22 02:30:34 EDT
Thanks for the report, but it is best to report this upstream at ushare.geexbox.org.
