- To: bugs at gnu dot org
- Subject: libc/1594: Crashes at nss_nis/nis-service.c:72
- From: Enrico Scholz <Enrico dot Scholz at informatik dot tu-chemnitz dot de>
- Date: Thu, 10 Feb 2000 20:15:49 +0100
- Delivery-date: Thu, 10 Feb 2000 20:53:19 +0100
- Envelope-to: aj@localhost
- Resent-Cc: gnats-admin at gnu dot org
- Resent-Reply-To: bugs@gnu.org,Enrico Scholz <Enrico.Scholz@informatik.tu-chemnitz.de>
- Xref: gromit.rhein-neckar.de mail.gnats-libc-bugs:4698
>Number: 1594
>Category: libc
>Synopsis: Crashes at nss_nis/nis-service.c:72
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: libc-gnats
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Feb 10 14:20:01 EST 2000
>Last-Modified:
>Originator: Enrico Scholz
>Organization:
>Release: libc-2.1.3 (it is the glibc-2.1.3-6 RPM from Redhat-rawhide -- they are saying it is coming from CVS directly...)
>Environment:
Host type: i586-redhat-linux-gnu
System: Linux gkar.ultra.csn.tu-chemnitz.de 2.2.14 #1 Fre Jan 21 21:08:29 CET 2000 i586 unknown
Architecture: i586
Addons: crypt glibc-compat linuxthreads
Build CFLAGS: -D__USE_STRING_INLINES -fstrict-aliasing -mcpu=i586 -g -O3
Build CC: gcc
Compiler version: 2.95.2 19991024 (release)
Kernel headers: 2.2.14
Symbol versioning: yes
Build static: yes
Build shared: yes
Build pic-default: no
Build profile: yes
Build omitfp: no
Build bounded: no
Build static-nss: no
Stdio: libio
>Description:
When I try to mount an NFS directory, a program logging the IP
traffic crashes sometimes:
-----------------
Program received signal SIGSEGV, Segmentation fault.
0x40138657 in saveit (instatus=1, inkey=0xbd7ff474 "2103/udp", inkeylen=8, inval=0xbd7ff454 "zephyr-clt\t2103/udp", invallen=19, indata=0xbd5ff618 "\210þ_½")
at nss_nis/nis-service.c:72
72 intern->next->next = malloc (sizeof (struct response_t));
----------------
or
----------------
0x40138657 in saveit (instatus=1, inkey=0xbd5ff464 "3130/tcp", inkeylen=8, inval=0xbd5ff454 "icp\t\t3130/tcp", invallen=13, indata=0xbd7ff618 "\210þ\177½")
at nss_nis/nis-service.c:72
72 intern->next->next = malloc (sizeof (struct response_t));
(gdb) thread apply all bt
Thread 20 (Thread 29802):
#0 0x40138657 in saveit (instatus=1, inkey=0xbd5ff464 "3130/tcp", inkeylen=8, inval=0xbd5ff454 "icp\t\t3130/tcp", invallen=13, indata=0xbd7ff618 "\210þ\177½")
at nss_nis/nis-service.c:72
#1 0x40146751 in __xdr_ypresp_all (xdrs=0x807448c, objp=0xbd5ff598) at ypclnt.c:648
#2 0x400edb40 in clnttcp_call (h=0x80744a8, proc=8, xdr_args=0x401452cc <xdr_ypreq_nokey>, args_ptr=0xbd5ff59c "ÀJ\025@Gç\023@\022", xdr_results=0x401465e0 <__xdr_ypresp_all>,
results_ptr=0xbd5ff598 "\001", timeout={tv_sec = 25, tv_usec = 0}) at clnt_tcp.c:318
#3 0x4014692e in yp_all (indomain=0x40154ac0 "ultra.csn.tu-chemnitz.de", inmap=0x4013e747 "services.byname", incallback=0xbd5ff60c) at ypclnt.c:713
#4 0x40138f35 in _nss_nis_getservbyport_r (port=36610, protocol=0x805c720 "tcp", serv=0xbd5ffab8, buffer=0xbd5ff6b4 "kauth", buflen=1024, errnop=0xbd5ffe88)
at nss_nis/nis-service.c:106
#5 0x400e61b3 in __getservbyport_r (port=36610, proto=0x805c720 "tcp", resbuf=0xbd5ffab8, buffer=0xbd5ff6b4 "kauth", buflen=1024, result=0xbd5ffab4) at ../nss/getXXbyYY_r.c:182
#6 0x8051a9b in serv_lookup (port=36610, proto=0x805c720 "tcp", buf=0xbd5ffb20 "", len=128) at iplog_util.c:163
#7 0x804ca3e in get_ident_data (data=0x80722e8) at iplog_ident.c:84
#8 0x40020ca2 in pthread_start_thread (arg=0xbd5ffe40) at manager.c:241
(gdb) bt
#0 0x40138657 in saveit (instatus=1, inkey=0xbd5ff464 "3130/tcp", inkeylen=8, inval=0xbd5ff454 "icp\t\t3130/tcp", invallen=13, indata=0xbd7ff618 "\210þ\177½")
at nss_nis/nis-service.c:72
#1 0x40146751 in __xdr_ypresp_all (xdrs=0x807448c, objp=0xbd5ff598) at ypclnt.c:648
#2 0x400edb40 in clnttcp_call (h=0x80744a8, proc=8, xdr_args=0x401452cc <xdr_ypreq_nokey>, args_ptr=0xbd5ff59c "ÀJ\025@Gç\023@\022", xdr_results=0x401465e0 <__xdr_ypresp_all>,
results_ptr=0xbd5ff598 "\001", timeout={tv_sec = 25, tv_usec = 0}) at clnt_tcp.c:318
#3 0x4014692e in yp_all (indomain=0x40154ac0 "ultra.csn.tu-chemnitz.de", inmap=0x4013e747 "services.byname", incallback=0xbd5ff60c) at ypclnt.c:713
#4 0x40138f35 in _nss_nis_getservbyport_r (port=36610, protocol=0x805c720 "tcp", serv=0xbd5ffab8, buffer=0xbd5ff6b4 "kauth", buflen=1024, errnop=0xbd5ffe88)
at nss_nis/nis-service.c:106
#5 0x400e61b3 in __getservbyport_r (port=36610, proto=0x805c720 "tcp", resbuf=0xbd5ffab8, buffer=0xbd5ff6b4 "kauth", buflen=1024, result=0xbd5ffab4) at ../nss/getXXbyYY_r.c:182
#6 0x8051a9b in serv_lookup (port=36610, proto=0x805c720 "tcp", buf=0xbd5ffb20 "", len=128) at iplog_util.c:163
#7 0x804ca3e in get_ident_data (data=0x80722e8) at iplog_ident.c:84
#8 0x40020ca2 in pthread_start_thread (arg=0xbd5ffe40) at manager.c:241
(gdb) p *intern
$14 = {start = 0xbd7ffe88, next = 0x0}
(gdb) p *intern->start
$15 = {val = 0x2 <Address 0x2 out of bounds>, next = 0xbd7ffe90}
(gdb) p *intern->start->next
$16 = {val = 0x0, next = 0x0}
----------------
As you can see, intern->next is NULL when intern->next->next is being accessed.
>How-To-Repeat:
I cannot repeat the crash in a controlled situation (the
iplogger logs similar situations without a crash). But almost
every night when I start my backup (the dump program
automounts an NFS partition while doing this) it happens.
I have a lot of trouble with the kernel NFS of Linux and it
creates a lot of RPC garbage:
Feb 4 04:32:40 kosh kernel: RPC: garbage, retrying 22229
Feb 4 04:32:40 kosh kernel: RPC: garbage, retrying 22229
Feb 4 04:32:40 kosh kernel: RPC: garbage, exit EIO
Feb 4 04:32:40 kosh kernel: RPC: garbage, retrying 22233
Feb 4 04:32:40 kosh kernel: RPC: garbage, retrying 22233
Feb 4 04:32:40 kosh kernel: RPC: garbage, exit EIO
But because intern->next is NULL I guess glibc doesn't handle an error
correctly.
>Fix:
>Audit-Trail:
>Unformatted:
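
An added example, not part of the report and not glibc's code: a tail-append routine that rejects the list state shown in the gdb dump (`start` set, `next` NULL) instead of dereferencing `next`, and checks its allocations. The struct field names come from the gdb output; `append_checked` and the two demo functions are hypothetical names, and the sample values are copied from the backtraces.

```c
#include <stdlib.h>
#include <string.h>
/* Field names follow the gdb output in the report; all else is assumed. */
struct response_t { char *val; struct response_t *next; };
struct intern_t { struct response_t *start; struct response_t *next; };

/* Append a copy of val at the tail (in->next); -1 on bad state or no memory. */
int append_checked(struct intern_t *in, const char *val, size_t len) {
    /* Invariant: start and next are both NULL (empty) or both set. */
    if ((in->start == NULL) != (in->next == NULL))
        return -1;
    struct response_t *node = malloc(sizeof *node);
    if (node == NULL || (node->val = malloc(len + 1)) == NULL) {
        free(node);
        return -1;
    }
    memcpy(node->val, val, len);
    node->val[len] = '\0';
    node->next = NULL;
    if (in->start == NULL)
        in->start = node;
    else
        in->next->next = node;  /* tail is known non-NULL here */
    in->next = node;
    return 0;
}

/* Constructed state matching the dump: start set, next NULL. */
int demo_inconsistent(void) {
    struct response_t stale = { NULL, NULL };
    struct intern_t in = { &stale, NULL };
    return append_checked(&in, "icp\t\t3130/tcp", 13);
}

/* Two appends to an empty list; frees the nodes and returns their count. */
int demo_two_appends(void) {
    struct intern_t in = { NULL, NULL };
    int n = 0;
    if (append_checked(&in, "icp\t\t3130/tcp", 13) != 0 ||
        append_checked(&in, "zephyr-clt\t2103/udp", 19) != 0)
        return -1;
    for (struct response_t *p = in.start, *nx; p != NULL; p = nx, n++) {
        nx = p->next;
        free(p->val);
        free(p);
    }
    return n;
}

int main(void) { return (demo_inconsistent() == -1 && demo_two_appends() == 2) ? 0 : 1; }
```

The check turns the inconsistent state into an error return; it does not explain how the list got into that state.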