Posted to dev@qpid.apache.org by "Jiri Danek (JIRA)" <ji...@apache.org> on 2016/11/23 14:55:58 UTC

[jira] [Updated] (PROTON-1360) pn_strndup (util.c:150) Invalid write of size 1

     [ https://issues.apache.org/jira/browse/PROTON-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jiri Danek updated PROTON-1360:
-------------------------------
    Attachment: crash-cacbe90ba41be2fb116697da7a90bfd716812c7b
                minimized-from-9a77cc2e90542c5aa1e55a86d2c9920febb0ad68

I am attaching {{minimized-from-9a...}}, which is an automatically produced minimal input that also results in a memory access error.

> pn_strndup (util.c:150) Invalid write of size 1
> -----------------------------------------------
>
>                 Key: PROTON-1360
>                 URL: https://issues.apache.org/jira/browse/PROTON-1360
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>    Affects Versions: 0.15.0, 0.16.0
>            Reporter: Jiri Danek
>         Attachments: crash-cacbe90ba41be2fb116697da7a90bfd716812c7b, minimized-from-9a77cc2e90542c5aa1e55a86d2c9920febb0ad68
>
>
> {noformat}
> nc -l 127.0.0.1 5672 < ./crash-cacbe90ba41be2fb116697da7a90bfd716812c7b
> {noformat}
> On 0.15.0, do
> {noformat}
> [qpid-proton-0.15.0/build/examples/c/messenger] $ valgrind ./recv 127.0.0.1/jms.queue.example
> ==5749== Memcheck, a memory error detector
> ==5749== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==5749== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
> ==5749== Command: ./recv 127.0.0.1/jms.queue.example
> ==5749== 
> ==5749== Invalid write of size 1
> ==5749==    at 0x4C2D13C: __strncpy_sse2_unaligned (vg_replace_strmem.c:548)
> ==5749==    by 0x4E4AD80: pn_strndup (util.c:259)
> ==5749==    by 0x4E5A7BE: pn_bytes_strdup (transport.c:1153)
> ==5749==    by 0x4E5A7BE: pn_do_open (transport.c:1198)
> ==5749==    by 0x4E52B6A: pni_dispatch_action (dispatcher.c:74)
> ==5749==    by 0x4E52B6A: pni_dispatch_frame (dispatcher.c:116)
> ==5749==    by 0x4E52B6A: pn_dispatcher_input (dispatcher.c:135)
> ==5749==    by 0x4E5906B: pn_input_read_amqp (transport.c:2523)
> ==5749==    by 0x4E59129: transport_consume (transport.c:1799)
> ==5749==    by 0x4E5C971: pn_transport_process (transport.c:2908)
> ==5749==    by 0x4E646F3: pni_connection_readable (messenger.c:262)
> ==5749==    by 0x4E6482F: pn_messenger_process (messenger.c:1367)
> ==5749==    by 0x4E649E0: pn_messenger_tsync (messenger.c:1439)
> ==5749==    by 0x4E64F94: pn_messenger_recv (messenger.c:2212)
> ==5749==    by 0x4012A4: main (recv.c:131)
> ==5749==  Address 0x772d641 is 0 bytes after a block of size 1 alloc'd
> ==5749==    at 0x4C29BE3: malloc (vg_replace_malloc.c:299)
> ==5749==    by 0x4E4AD6A: pn_strndup (util.c:257)
> ==5749==    by 0x4E5A7BE: pn_bytes_strdup (transport.c:1153)
> ==5749==    by 0x4E5A7BE: pn_do_open (transport.c:1198)
> ==5749==    by 0x4E52B6A: pni_dispatch_action (dispatcher.c:74)
> ==5749==    by 0x4E52B6A: pni_dispatch_frame (dispatcher.c:116)
> ==5749==    by 0x4E52B6A: pn_dispatcher_input (dispatcher.c:135)
> ==5749==    by 0x4E5906B: pn_input_read_amqp (transport.c:2523)
> ==5749==    by 0x4E59129: transport_consume (transport.c:1799)
> ==5749==    by 0x4E5C971: pn_transport_process (transport.c:2908)
> ==5749==    by 0x4E646F3: pni_connection_readable (messenger.c:262)
> ==5749==    by 0x4E6482F: pn_messenger_process (messenger.c:1367)
> ==5749==    by 0x4E649E0: pn_messenger_tsync (messenger.c:1439)
> ==5749==    by 0x4E64F94: pn_messenger_recv (messenger.c:2212)
> ==5749==    by 0x4012A4: main (recv.c:131)
> ==5749== 
> Address: jms.queue.example
> Subject: (no subject)
> Content: "test message: 26"
> {noformat}
> On 0.16.0 you can do
> {noformat}
> [proactor]$ valgrind ./libuv_receive -a 127.0.0.1:5672/jms.queue.example -m 2
> ==26215== Memcheck, a memory error detector
> ==26215== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==26215== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
> ==26215== Command: ./libuv_receive -a 127.0.0.1:5672/jms.queue.example -m 2
> ==26215== 
> ==26215== Invalid write of size 1
> ==26215==    at 0x4C2E284: __strncpy_sse2_unaligned (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==26215==    by 0x4E4CF71: pn_strndup (util.c:150)
> ==26215==    by 0x4E5B0EE: pn_bytes_strdup (transport.c:1154)
> ==26215==    by 0x4E5B0EE: pn_do_open (transport.c:1199)
> ==26215==    by 0x4E53270: pni_dispatch_action (dispatcher.c:74)
> ==26215==    by 0x4E53270: pni_dispatch_frame (dispatcher.c:116)
> ==26215==    by 0x4E53270: pn_dispatcher_input (dispatcher.c:135)
> ==26215==    by 0x4E599BB: pn_input_read_amqp (transport.c:2524)
> ==26215==    by 0x4E59A89: transport_consume (transport.c:1800)
> ==26215==    by 0x4E5D115: pn_transport_process (transport.c:2909)
> ==26215==    by 0x404EBB: on_read (libuv_proactor.c:511)
> ==26215==    by 0x509A2FC: ??? (in /usr/lib/libuv.so.1.0.0)
> ==26215==    by 0x509AC0B: ??? (in /usr/lib/libuv.so.1.0.0)
> ==26215==    by 0x509F937: uv__io_poll (in /usr/lib/libuv.so.1.0.0)
> ==26215==    by 0x50912B3: uv_run (in /usr/lib/libuv.so.1.0.0)
> ==26215==  Address 0x69c28d1 is 0 bytes after a block of size 1 alloc'd
> ==26215==    at 0x4C2AB8D: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==26215==    by 0x4E4CF5B: pn_strndup (util.c:148)
> ==26215==    by 0x4E5B0EE: pn_bytes_strdup (transport.c:1154)
> ==26215==    by 0x4E5B0EE: pn_do_open (transport.c:1199)
> ==26215==    by 0x4E53270: pni_dispatch_action (dispatcher.c:74)
> ==26215==    by 0x4E53270: pni_dispatch_frame (dispatcher.c:116)
> ==26215==    by 0x4E53270: pn_dispatcher_input (dispatcher.c:135)
> ==26215==    by 0x4E599BB: pn_input_read_amqp (transport.c:2524)
> ==26215==    by 0x4E59A89: transport_consume (transport.c:1800)
> ==26215==    by 0x4E5D115: pn_transport_process (transport.c:2909)
> ==26215==    by 0x404EBB: on_read (libuv_proactor.c:511)
> ==26215==    by 0x509A2FC: ??? (in /usr/lib/libuv.so.1.0.0)
> ==26215==    by 0x509AC0B: ??? (in /usr/lib/libuv.so.1.0.0)
> ==26215==    by 0x509F937: uv__io_poll (in /usr/lib/libuv.so.1.0.0)
> ==26215==    by 0x50912B3: uv_run (in /usr/lib/libuv.so.1.0.0)
> ==26215== 
> "test message: 26"
> ^C==26215== 
> ==26215== Process terminating with default action of signal 2 (SIGINT)
> ==26215==    at 0x5EB2F19: syscall (in /usr/lib/libc-2.24.so)
> ==26215==    by 0x50A1579: uv__epoll_wait (in /usr/lib/libuv.so.1.0.0)
> ==26215==    by 0x509F883: uv__io_poll (in /usr/lib/libuv.so.1.0.0)
> ==26215==    by 0x50912B3: uv_run (in /usr/lib/libuv.so.1.0.0)
> ==26215==    by 0x405514: pn_proactor_wait (libuv_proactor.c:709)
> ==26215==    by 0x403C9C: main (receive.c:194)
> ==26215== 
> ==26215== HEAP SUMMARY:
> ==26215==     in use at exit: 82,501 bytes in 737 blocks
> ==26215==   total heap usage: 860 allocs, 123 frees, 98,564 bytes allocated
> ==26215== 
> ==26215== LEAK SUMMARY:
> ==26215==    definitely lost: 0 bytes in 0 blocks
> ==26215==    indirectly lost: 0 bytes in 0 blocks
> ==26215==      possibly lost: 62,773 bytes in 733 blocks
> ==26215==    still reachable: 19,728 bytes in 4 blocks
> ==26215==         suppressed: 0 bytes in 0 blocks
> ==26215== Rerun with --leak-check=full to see details of leaked memory
> ==26215== 
> ==26215== For counts of detected and suppressed errors, rerun with: -v
> ==26215== ERROR SUMMARY: 6 errors from 1 contexts (suppressed: 0 from 0)
> {noformat}
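
The Memcheck output above shows `strncpy`, called from `pn_strndup`, storing a byte directly after a 1-byte block that `pn_strndup` had just allocated. The following C code is an added illustration, not Proton's source and not part of the original report: it shows one way that pattern can arise (a buffer sized by the string's length while `strncpy` is given the larger field length) and a duplicate routine that avoids it. The names `bounded_len`, `strncpy_overrun` and `dup_bounded` are hypothetical and the sample field is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a 7-byte length-delimited field whose first byte is NUL. */
static const char SAMPLE_FIELD[7] = { '\0', 'A', 'B', 'C', 'D', 'E', 'F' };

/* Characters before the first NUL, looking at no more than n bytes. */
static size_t bounded_len(const char *src, size_t n) {
    size_t len = 0;
    while (len < n && src[len] != '\0') len++;
    return len;
}

/* Hypothetical risky pattern: allocate bounded_len()+1 bytes, then call
 * strncpy(dest, src, n). strncpy always stores exactly n bytes (it pads with
 * NULs once src ends), so this returns how many land past the allocation. */
static size_t strncpy_overrun(const char *src, size_t n) {
    size_t alloc = bounded_len(src, n) + 1;
    return n > alloc ? n - alloc : 0;
}

/* Hardened duplicate: copy only the bytes that were counted, then terminate. */
static char *dup_bounded(const char *src, size_t n) {
    if (!src) return NULL;
    size_t len = bounded_len(src, n);
    char *dest = malloc(len + 1);
    if (!dest) return NULL;
    memcpy(dest, src, len);
    dest[len] = '\0';
    return dest;
}

int main(void) {
    char *copy = dup_bounded(SAMPLE_FIELD, sizeof SAMPLE_FIELD);
    int ok = copy && copy[0] == '\0' &&
             strncpy_overrun(SAMPLE_FIELD, sizeof SAMPLE_FIELD) == 6;
    free(copy);
    return ok ? 0 : 1;
}
```

Building a reproducer like this with `-fsanitize=address`, or running it under Valgrind as in the report, is how an overrun of this kind is caught before it reaches a release.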


