Bug and possible problems...


Frederico Lamberti Pissarra

Jul 19, 2014, 11:39:34 AM
to t50...@googlegroups.com
Folks,

Our friend Kl0nEz detected a serious error in the latest version of T50 under evaluation (5.5, on GitHub):
$ sudo ./t50 192.168.25.58 --protocol T50

T50 5.5 successfully launched at Jul 19th 2014 00:00:00
*** Error in `./t50': realloc(): invalid next size: 0x000000000110b070 ***
This error occurs in the ripv1() function in modules/ripv1.c:
$ sudo gdb ./t50
(gdb) b ripv1.c:ripv1

Breakpoint 1 at 0x404b92: file src/modules/ripv1.c, line 45.
(gdb) r 127.0.0.1 --protocol T50
Starting program: /home/fred/Work/t50/release/t50 127.0.0.1 --protocol T50

T50 5.5 successfully launched at Jul 19th 2014 11:34:50

Breakpoint 1, ripv1 (co=0x614240 <co>, size=0x7fffffffe570) at src/modules/ripv1.c:45
47      greoptlen = gre_opt_len(co->gre.options, co->encapsulated);
(gdb) n
50                    sizeof(struct udphdr) +
(gdb) n
48      *size = sizeof(struct iphdr)  +
(gdb) n
54      alloc_packet(*size);
(gdb) p *size
$0 = 52
(gdb) s
alloc_packet (new_packet_size=52) at src/common.c:52
52      assert(new_packet_size != 0);
(gdb) p new_packet_size
$1 = 52
(gdb) n
54      if (new_packet_size > current_packet_size)
(gdb) p current_packet_size
$2 = 40
(gdb) n
56        if ((p = realloc(packet, new_packet_size)) == NULL)
(gdb) n
*** Error in `/home/fred/Work/t50/release/t50': realloc(): invalid next size: 0x0000000000616070 ***

Program received signal SIGABRT, Aborted.
0x00007ffff7a4af79 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7a4af79 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7a4e388 in __GI_abort () at abort.c:89
#2  0x00007ffff7a881d4 in __libc_message (do_abort=do_abort@entry=1,
    fmt=fmt@entry=0x7ffff7b96a10 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7a92f37 in malloc_printerr (action=<optimized out>, str=0x7ffff7b92c07 "realloc(): invalid next size",
    ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff7a96777 in _int_realloc (av=<optimized out>, oldp=0x616060, oldsize=<optimized out>, nb=<optimized out>)
    at malloc.c:4234
#5  0x00007ffff7a97e09 in __GI___libc_realloc (oldmem=0x616070, bytes=52) at malloc.c:3029
#6  0x0000000000407bc6 in alloc_packet (new_packet_size=52) at src/common.c:56
#7  0x0000000000404bd2 in ripv1 (co=0x614240 <co>, size=0x7fffffffe570) at src/modules/ripv1.c:54
#8  0x00000000004080fd in main (argc=4, argv=0x7fffffffe6b8) at src/t50.c:144
I still haven't figured out the reason; I'm working on it, but it's going to take a little while...

Another thing is the potential errors detected by valgrind:
$ sudo valgrind ./t50 127.0.0.1 --protocol T50
[sudo] password for fred:
==4421== Memcheck, a memory error detector
==4421== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4421== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==4421== Command: ./t50 127.0.0.1 --protocol T50
==4421==

T50 5.5 successfully launched at Jul 19th 2014 12:13:42
==4421== Conditional jump or move depends on uninitialised value(s)
==4421==    at 0x407CAA: cksum (cksum.c:37)
==4421==    by 0x4019C5: igmpv3 (igmpv3.c:107)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Conditional jump or move depends on uninitialised value(s)
==4421==    at 0x407CE3: cksum (cksum.c:47)
==4421==    by 0x4019C5: igmpv3 (igmpv3.c:107)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Conditional jump or move depends on uninitialised value(s)
==4421==    at 0x407D6D: cksum (cksum.c:72)
==4421==    by 0x4019C5: igmpv3 (igmpv3.c:107)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Conditional jump or move depends on uninitialised value(s)
==4421==    at 0x407D94: cksum (cksum.c:77)
==4421==    by 0x4019C5: igmpv3 (igmpv3.c:107)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==4421==    at 0x4F33493: __sendto_nocancel (syscall-template.S:81)
==4421==    by 0x4088E6: sendPacket (sock.c:119)
==4421==    by 0x408116: main (t50.c:145)
==4421==  Address 0x5215756 is 22 bytes inside a block of size 40 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x401656: igmpv3 (igmpv3.c:47)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 4
==4421==    at 0x403328: tcp (tcp.c:428)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x5215768 is 0 bytes after a block of size 40 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x401656: igmpv3 (igmpv3.c:47)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 4
==4421==    at 0x403349: tcp (tcp.c:429)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x521576c is 4 bytes after a block of size 40 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x401656: igmpv3 (igmpv3.c:47)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 1
==4421==    at 0x403350: tcp (tcp.c:430)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x5215770 is 8 bytes after a block of size 40 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x401656: igmpv3 (igmpv3.c:47)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 1
==4421==    at 0x403360: tcp (tcp.c:431)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x5215771 is 9 bytes after a block of size 40 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x401656: igmpv3 (igmpv3.c:47)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 2
==4421==    at 0x403375: tcp (tcp.c:432)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x5215772 is 10 bytes after a block of size 40 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x401656: igmpv3 (igmpv3.c:47)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid read of size 8
==4421==    at 0x407C93: cksum (cksum.c:35)
==4421==    by 0x4033A2: tcp (tcp.c:437)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x5215764 is 36 bytes inside a block of size 40 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x401656: igmpv3 (igmpv3.c:47)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 4
==4421==    at 0x404DA4: ripv1 (ripv1.c:111)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157e4 is 0 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 4
==4421==    at 0x404DC5: ripv1 (ripv1.c:112)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157e8 is 4 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 1
==4421==    at 0x404DCC: ripv1 (ripv1.c:113)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157ec is 8 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 1
==4421==    at 0x404DDC: ripv1 (ripv1.c:114)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157ed is 9 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 2
==4421==    at 0x404E06: ripv1 (ripv1.c:115)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157ee is 10 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid read of size 8
==4421==    at 0x407C93: cksum (cksum.c:35)
==4421==    by 0x404E3F: ripv1 (ripv1.c:118)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157e4 is 0 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid read of size 4
==4421==    at 0x407CD0: cksum (cksum.c:45)
==4421==    by 0x404E3F: ripv1 (ripv1.c:118)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157ec is 8 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 4
==4421==    at 0x4025BF: ripv2 (ripv2.c:245)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157e4 is 0 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 4
==4421==    at 0x4025E0: ripv2 (ripv2.c:246)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157e8 is 4 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 1
==4421==    at 0x4025E7: ripv2 (ripv2.c:247)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157ec is 8 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 1
==4421==    at 0x4025F7: ripv2 (ripv2.c:248)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157ed is 9 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid write of size 2
==4421==    at 0x402621: ripv2 (ripv2.c:249)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157ee is 10 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid read of size 8
==4421==    at 0x407C93: cksum (cksum.c:35)
==4421==    by 0x40264D: ripv2 (ripv2.c:258)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157e4 is 0 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==
==4421== Invalid read of size 4
==4421==    at 0x407CD0: cksum (cksum.c:45)
==4421==    by 0x40264D: ripv2 (ripv2.c:258)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==  Address 0x52157ec is 8 bytes after a block of size 52 alloc'd
==4421==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4421==    by 0x407BC5: alloc_packet (common.c:56)
==4421==    by 0x404BD1: ripv1 (ripv1.c:54)
==4421==    by 0x4080FC: main (t50.c:144)
==4421==

T50 5.5 successfully finished at Jul 19th 2014 12:13:42
==4421==
==4421== HEAP SUMMARY:
==4421==     in use at exit: 128 bytes in 1 blocks
==4421==   total heap usage: 632 allocs, 631 frees, 56,265 bytes allocated
==4421==
==4421== LEAK SUMMARY:
==4421==    definitely lost: 0 bytes in 0 blocks
==4421==    indirectly lost: 0 bytes in 0 blocks
==4421==      possibly lost: 0 bytes in 0 blocks
==4421==    still reachable: 128 bytes in 1 blocks
==4421==         suppressed: 0 bytes in 0 blocks
==4421== Rerun with --leak-check=full to see details of leaked memory
==4421==
==4421== For counts of detected and suppressed errors, rerun with: -v
==4421== Use --track-origins=yes to see where uninitialised values come from
==4421== ERROR SUMMARY: 26 errors from 25 contexts (suppressed: 0 from 0)
I say "possible" problems because those conditional jumps that depend on uninitialised variables may be a compiler "optimisation"... And there's still the sendto() issue. I have to check...

Cheers,
Fred
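Added example (my own code, not T50's sources): a model of the grow-only packet buffer that alloc_packet() in common.c manages, paired with a write helper that checks every offset against the tracked allocation size instead of trusting the calling module. The pkt_* names, the replay function and the 40-byte size are assumptions taken from the gdb and valgrind traces above.

```c
/* Added example, not T50's code. Models the grow-only packet buffer
 * seen in the trace (current_packet_size == 40, ripv1 asks for 52)
 * and adds a bounds-checked write. The pkt_* names are assumptions. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

static unsigned char *packet = NULL;    /* shared packet buffer */
static size_t current_packet_size = 0;  /* bytes actually allocated */

/* Grow-only allocation: returns 0 on success, -1 on failure. */
int pkt_alloc(size_t new_packet_size)
{
    if (new_packet_size == 0)
        return -1;
    if (new_packet_size > current_packet_size) {
        unsigned char *p = realloc(packet, new_packet_size);
        if (p == NULL)
            return -1;
        packet = p;
        current_packet_size = new_packet_size;
    }
    return 0;
}

/* Bounds-checked write. Returns the number of bytes copied, or -1 when
 * the write would run past the allocated block (the condition valgrind
 * reported as "N bytes after a block of size 40/52 alloc'd"). */
long pkt_write(size_t offset, const void *src, size_t len)
{
    if (packet == NULL)
        return -1;
    if (offset > current_packet_size || len > current_packet_size - offset)
        return -1;                       /* refuse instead of corrupting heap */
    memcpy(packet + offset, src, len);
    return (long)len;
}

size_t pkt_capacity(void) { return current_packet_size; }

/* Replays the shape of the trace: a 40-byte allocation, then a module that
 * assumes more room and writes a 4-byte field at offset 40 (as tcp.c:428
 * did). Returns the pkt_write() result, which is -1 here. */
long replay_overflow_attempt(void)
{
    unsigned int field = 0;              /* constructed sample value */
    if (pkt_alloc(40) != 0)
        return -2;
    return pkt_write(40, &field, sizeof field);
}
```

Rejecting the write at the call site turns a silent clobber of the next malloc chunk, which only surfaces later as "realloc(): invalid next size", into a failure that can be logged at the module that miscomputed its size.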

Fernando Mercês

Jul 21, 2014, 11:37:22 AM
to t50...@googlegroups.com
Hey Frederico,

I reproduced the bug here. Any idea when it was introduced? Maybe a trackback through git would help identify the cause. ;-)

Cheers.


Regards,

Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
------------------------------------
"No one can be a slave to their identity; when a possibility of change arises, one must change." (Elliot Gould)



Frederico Pissarra

Jul 21, 2014, 4:01:43 PM
to t50...@googlegroups.com
It's been so long since I touched this thing that I wouldn't know how to pinpoint when the bug was introduced... I added some debugging code on the 'master' branch and found the problem... take a look on GitHub...

Big hug,
Fred

Fernando Mercês

Jul 21, 2014, 4:09:23 PM
to t50...@googlegroups.com
Awesome!


