Bug 253786 - segv during ushare startup
Summary: segv during ushare startup
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: libupnp
Version: 7
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Eric Tanguy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-08-21 22:29 UTC by Frank Ch. Eigler
Modified: 2008-02-26 18:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-26 18:59:38 UTC
Type: ---
Embargoed:



Description Frank Ch. Eigler 2007-08-21 22:29:55 UTC
ushare crashes during startup on x86-64.  An i386 build of the same package/sources
works fine.  Versions:
  ushare-1.0-1.fc7
  libupnp-1.6.0-1.fc7
Here's a backtrace:
uShare (version 1.0), a lightweight UPnP Media Server.
Benjamin Zores (C) 2005-2007, for GeeXboX Team.
See http://ushare.geexbox.org/ for updates.
Initializing UPnP subsystem ...
[New Thread 1075841360 (LWP 3814)]
[New Thread 1077942608 (LWP 3815)]
[New Thread 1080043856 (LWP 3816)]
[New Thread 1082145104 (LWP 3817)]
[New Thread 1084246352 (LWP 3818)]
[New Thread 1086347600 (LWP 3819)]
[New Thread 1088448848 (LWP 3820)]
[New Thread 1090550096 (LWP 3821)]
UPnP MediaServer listening on 192.168.1.10:49152
Sending UPnP advertisement for device ...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912502831952 (LWP 3813)]
0x00002aaaaaaea388 in membuffer_insert (m=0x7fffd31e6180, buf=0x2aaaaaaf850b, 
    buf_len=46909632806913, index=<value optimized out>)
    at /usr/include/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) p __dest
No symbol "__dest" in current context.
(gdb) up
#1  0x00002aaaaaaec740 in http_MakeMessage (buf=0x7fffd31e6180, 
    http_major_version=1, http_minor_version=1, fmt=0x2aaaaaaf92ad "sdsdc")
    at src/genlib/net/http/httpreadwrite.c:1832
1832                if( membuffer_append
(gdb) l
1827                if( membuffer_append( buf, s, strlen( s ) ) != 0 ) {
1828                    goto error_handler;
1829                }
1830            } else if( c == 'K' ) {
1831                // Add Chunky header
1832                if( membuffer_append
1833                    ( buf, "TRANSFER-ENCODING: chunked\r\n",
1834                      strlen( "Transfer-Encoding: chunked\r\n" ) ) != 0 ) {
1835                    goto error_handler;
1836                }

The buf_len value is silly.  It gets corrupted just before:

(gdb) 
Continuing.

Breakpoint 1, membuffer_set_size (m=0x7fff2c4fa4b0, new_length=140733193388040)
    at src/genlib/util/membuffer.c:202
202     {
(gdb) bt
#0  membuffer_set_size (m=0x7fff2c4fa4b0, new_length=140733193388040)
    at src/genlib/util/membuffer.c:202
#1  0x00002aaaaaaea355 in membuffer_insert (m=0x7fff2c4fa4b0, 
    buf=0x2aaaaaaf850b, buf_len=140733193388033, index=7)
    at src/genlib/util/membuffer.c:450
#2  0x00002aaaaaaec740 in http_MakeMessage (buf=0x7fff2c4fa4b0, 
    http_major_version=1, http_minor_version=1, fmt=0x2aaaaaaf92ad "sdsdc")
    at src/genlib/net/http/httpreadwrite.c:1832
#3  0x00002aaaaaaecc79 in http_MakeMessage (buf=0x7fff2c4fa4b0, 
    http_major_version=1, http_minor_version=1, 
    fmt=0x2aaaaaaf850e "sssdcsdcsscsscsscSXcsscc")
    at src/genlib/net/http/httpreadwrite.c:1993
#4  0x00002aaaaaae474f in CreateServicePacket (msg_type=0, 
    nt=0x2aaaaaaf854f "upnp:rootdevice", 
    usn=0x7fff2c4fa540
"uuid:898f9738-d930-4db4-a3cf-00188b40dbe3::upnp:rootdevice", location=0x616728
"http://192.168.1.10:49152/description.xml", 
    duration=1800, packet=0x7fff2c4fa520) at src/ssdp/ssdp_device.c:334

(gdb) frame 2
#2  0x00002aaaaaaec740 in http_MakeMessage (buf=0x7fff2c4fa4b0, 
    http_major_version=1, http_minor_version=1, fmt=0x2aaaaaaf92ad "sdsdc")
    at src/genlib/net/http/httpreadwrite.c:1832
1832                if( membuffer_append
(gdb) p *buf
$7 = {buf = 0x616e00 "NOTIFY ", length = 7, capacity = 30, size_inc = 30}
(gdb) l
1827                if( membuffer_append( buf, s, strlen( s ) ) != 0 ) {
1828                    goto error_handler;
1829                }
1830            } else if( c == 'K' ) {
1831                // Add Chunky header
1832                if( membuffer_append
1833                    ( buf, "TRANSFER-ENCODING: chunked\r\n",
1834                      strlen( "Transfer-Encoding: chunked\r\n" ) ) != 0 ) {
1835                    goto error_handler;
1836                }

(gdb) frame 1
#1  0x00002aaaaaaea355 in membuffer_insert (m=0x7fff2c4fa4b0, 
    buf=0x2aaaaaaf850b, buf_len=140733193388033, index=7)
    at src/genlib/util/membuffer.c:450
450         return_code = membuffer_set_size( m, m->length + buf_len );
(gdb) l
445
446         if( buf == NULL || buf_len == 0 ) {
447             return 0;
448         }
449         // alloc mem
450         return_code = membuffer_set_size( m, m->length + buf_len );
451         if( return_code != 0 ) {
452             return return_code;
453         }
454         // insert data
(gdb) p m->length
$10 = 7
(gdb) p buf_len
$11 = 140733193388033

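Both garbage lengths in the trace decompose the same way: 46909632806913 is 0x2aaa00000001 and 140733193388033 is 0x7fff00000001, a count of 1 in the low 32 bits under a non-zero high half that matches the top half of the library and stack addresses visible in the same frames (and new_length = 140733193388040 is just m->length + buf_len = 7 + 0x7fff00000001). The report does not establish why libupnp 1.6.0 ends up with such a value on x86_64 only; the usual explanation for this signature, a 32-bit int consumed as a 64-bit size_t, is only a hypothesis here. What the trace does show is that membuffer_insert carries buf_len straight into membuffer_set_size and memcpy with no plausibility check. The following is an added example, not code from the report or from libupnp: a membuffer with the field names shown by `p *buf` (buf, length, capacity, size_inc), helpers that split a suspicious length into its halves, and an insert that rejects absurd lengths and overflowing sums before any allocation. The 16 MiB cap, the error codes and the constructed "NOTIFY * HTTP/1.1" text are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libupnp code. Field names follow the "p *buf" output
 * in the report; everything else here is assumed for illustration. */
typedef struct {
    char  *buf;
    size_t length;
    size_t capacity;
    size_t size_inc;
} membuffer;

/* Assumed upper bound for one append: no HTTP header line or SSDP packet
 * legitimately comes anywhere near it. */
#define MEMBUF_MAX_INSERT ((size_t)16 * 1024 * 1024)

enum { MB_OK = 0, MB_E_OUTOF_MEMORY = -1, MB_E_BAD_LEN = -2 };

/* Split a 64-bit length into its 32-bit halves. In the report both bad
 * buf_len values have a small low half under a non-zero high half. */
uint32_t high_half(uint64_t v) { return (uint32_t)(v >> 32); }
uint32_t low_half(uint64_t v)  { return (uint32_t)(v & 0xffffffffu); }

void membuffer_init(membuffer *m) {
    m->buf = NULL; m->length = 0; m->capacity = 0; m->size_inc = 30;
}

void membuffer_destroy(membuffer *m) { free(m->buf); membuffer_init(m); }

/* Grow to hold new_length bytes plus a NUL. Refuses absurd sizes before
 * realloc instead of trusting whatever the caller computed. */
static int membuffer_set_size(membuffer *m, size_t new_length) {
    if (new_length > MEMBUF_MAX_INSERT) return MB_E_BAD_LEN;
    if (new_length + 1 <= m->capacity) return MB_OK;
    size_t grow  = new_length - m->capacity;
    size_t alloc = m->capacity + (grow > m->size_inc ? grow : m->size_inc) + 1;
    char *p = realloc(m->buf, alloc);
    if (p == NULL) return MB_E_OUTOF_MEMORY;
    m->buf = p;
    m->capacity = alloc - 1;
    return MB_OK;
}

/* Hardened insert: validate index, buf_len and the length sum before any
 * allocation or memcpy, so a garbage length returns an error, not SIGSEGV. */
int membuffer_insert(membuffer *m, const char *buf, size_t buf_len, size_t index) {
    if (buf == NULL || buf_len == 0) return MB_OK;
    if (index > m->length) return MB_E_BAD_LEN;
    if (buf_len > MEMBUF_MAX_INSERT || m->length > SIZE_MAX - buf_len)
        return MB_E_BAD_LEN;        /* catches 0x7fff00000001 and the like */
    int rc = membuffer_set_size(m, m->length + buf_len);
    if (rc != MB_OK) return rc;
    memmove(m->buf + index + buf_len, m->buf + index, m->length - index);
    memcpy(m->buf + index, buf, buf_len);
    m->length += buf_len;
    m->buf[m->length] = '\0';
    return MB_OK;
}

int membuffer_append(membuffer *m, const char *buf, size_t buf_len) {
    return membuffer_insert(m, buf, buf_len, m->length);
}

/* Replays the shape of the crash: a 7-byte "NOTIFY " buffer, then an insert at
 * index 7 whose length is the 140733193388033 from the report. The text being
 * inserted is constructed; the reported values are the point. */
int replay_report(void) {
    membuffer m; membuffer_init(&m);
    int rc = membuffer_append(&m, "NOTIFY ", 7);
    if (rc == MB_OK)
        rc = membuffer_insert(&m, "* HTTP/1.1\r\n", (size_t)140733193388033ULL, 7);
    membuffer_destroy(&m);
    return rc;
}

/* Normal path with a sane length: "NOTIFY " + "* HTTP/1.1\r\n" is 19 bytes. */
size_t replay_normal(void) {
    membuffer m; membuffer_init(&m);
    membuffer_append(&m, "NOTIFY ", 7);
    membuffer_append(&m, "* HTTP/1.1\r\n", 12);
    size_t n = m.length;
    membuffer_destroy(&m);
    return n;
}

int main(void) {
    uint64_t bad = 140733193388033ULL;
    printf("buf_len = 0x%08x%08x (high=0x%x, low=%u)\n",
           high_half(bad), low_half(bad), high_half(bad), low_half(bad));
    printf("replay_report() = %d, replay_normal() = %zu\n",
           replay_report(), replay_normal());
    return 0;
}
```

The same decomposition is available inside the debugger with `p/x buf_len` in frame 1, which would have shown the 0x7fff00000001 pattern directly instead of the decimal value.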
Comment 1 Eric Tanguy 2007-08-22 06:30:34 UTC
Thanks for the report, but the best is to report this upstream at ushare.geexbox.org.

