[Gluster-devel] in dict.c, this gets replace by environment
Emmanuel Dreyfus
manu at netbsd.org
Wed Aug 20 04:12:43 UTC 2014
Emmanuel Dreyfus <manu at netbsd.org> wrote:
> Using gdb and a watchpoint, I found the place where it gets overwritten.
> The bad news is that the only explanation for the overrun strdup is
> a heap corruption (I checked the copied string was indeed nul-terminated)
I finally tracked it down, using plain old NetBSD built-in debug
features of malloc: just ask libc to fill free()'ed memory with some
pattern, and suddenly a gdb watchpoint on the corrupted data reveals
what happens:
#0 0xbb3b1b7c in memset () from /usr/lib/libc.so.12
#1 0x00000080 in ?? ()
#2 0xbb35c85d in ?? () from /usr/lib/libc.so.12
#3 0xbb35ec2b in free () from /usr/lib/libc.so.12
#4 0xbb7998db in __gf_free (free_ptr=0xbb140618) at mem-pool.c:285
#5 0xbb799fd6 in mem_put (ptr=0xbb140628) at mem-pool.c:537
#6 0xbb75b23c in dict_destroy (this=0xbb140628) at dict.c:469
#7 0xbb75b2e1 in dict_unref (this=0xbb140628) at dict.c:492
#8 0x08050980 in cli_quotad_clnt_rpc_init () at cli.c:556
#9 0x08050ddf in main (argc=4, argv=0xbf7fec5c) at cli.c:705
This is just a use-after-free bug. Here is a proposed fix for review:
http://review.gluster.org/8502
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu at netbsd.org
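An added example, not GlusterFS or NetBSD libc code, modelling the debugging trick described in the message: a malloc wrapper that fills freed memory with a pattern and parks it in a short quarantine, so a dangling dict pointer reads back as the fill byte rather than believable stale data. The struct dict, the dbg_malloc/dbg_free names and the 0x5a fill byte are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define FREE_FILL  0x5a   /* assumed fill byte, chosen for illustration */
#define QUARANTINE 8      /* freed blocks parked before real release */
struct block { size_t size; unsigned char data[]; };
static struct block *parked[QUARANTINE];
static int park_idx;
static void *dbg_malloc(size_t n)
{
    struct block *b = malloc(sizeof *b + n);
    if (b == NULL) abort();
    b->size = n;
    return b->data;
}
/* Fill the freed block and park it: a later read through a dangling
 * pointer then shows FREE_FILL instead of plausible-looking stale data. */
static void dbg_free(void *p)
{
    struct block *b = (struct block *)((char *)p - offsetof(struct block, data));
    memset(b->data, FREE_FILL, b->size);
    free(parked[park_idx]);            /* release the oldest parked block */
    parked[park_idx] = b;
    park_idx = (park_idx + 1) % QUARANTINE;
}
struct dict { int refcount; int count; };   /* stand-in for the dict_t in the trace */
/* Dropping the last ref takes the destroy path seen in the backtrace. */
static void dict_unref(struct dict *d)
{
    if (--d->refcount == 0) dbg_free(d);
}
/* Every byte equal to FREE_FILL is the signature the watchpoint caught. */
int dict_is_freed(const struct dict *d)
{
    const unsigned char *p = (const unsigned char *)d; size_t i = 0;
    while (i < sizeof *d && p[i] == FREE_FILL) i++;
    return i == sizeof *d;
}
/* Returns 1: the last unref frees the dict, then the stale pointer is read. */
int demo_use_after_free(void)
{
    struct dict *d = dbg_malloc(sizeof *d), *dangling = d;
    d->refcount = 1; d->count = 0;
    dict_unref(d);
    return dict_is_freed(dangling);    /* defined: the block is still parked */
}
```

With a real allocator the same read would usually return whatever the allocator or the next owner left there, which is why the bug only became visible once free()'ed memory was filled.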