[Gluster-devel] in dict.c, this gets replace by environment

Emmanuel Dreyfus manu at netbsd.org
Wed Aug 20 04:12:43 UTC 2014


Emmanuel Dreyfus <manu at netbsd.org> wrote:

> Using gdb and a watchpoint, I found the place where it gets overwritten.
> The bad news is that the only explanation for the overrun strdup is 
> a heap corruption (I checked the copied string was indeed nul-terminated)

I finally tracked it down, using plain old NetBSD built-in debug
features of malloc: just ask libc to fill free()'ed memory with some
pattern, and suddenly a gdb watchpoint on the corrupted data reveals
what happens:

#0  0xbb3b1b7c in memset () from /usr/lib/libc.so.12
#1  0x00000080 in ?? ()
#2  0xbb35c85d in ?? () from /usr/lib/libc.so.12
#3  0xbb35ec2b in free () from /usr/lib/libc.so.12
#4  0xbb7998db in __gf_free (free_ptr=0xbb140618) at mem-pool.c:285
#5  0xbb799fd6 in mem_put (ptr=0xbb140628) at mem-pool.c:537
#6  0xbb75b23c in dict_destroy (this=0xbb140628) at dict.c:469
#7  0xbb75b2e1 in dict_unref (this=0xbb140628) at dict.c:492
#8  0x08050980 in cli_quotad_clnt_rpc_init () at cli.c:556
#9  0x08050ddf in main (argc=4, argv=0xbf7fec5c) at cli.c:705

This is just a use-after-free bug. Here is a proposed fix for review:
http://review.gluster.org/8502

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu at netbsd.org

