[sr #107775] GnuTLS 3.0.0 causes segfault

anonymous INVALID.NOREPLY at gnu.org
Mon Aug 22 09:56:44 CEST 2011


Follow-up Comment #7, sr #107775 (project gnutls):

Hi,

I can reproduce this problem with mcabber. strace says:

connect(3, {sa_family=AF_INET, sin_port=htons(5223),
sin_addr=inet_addr("217.10.10.194")}, 16) = -1 EINPROGRESS (Operation now in
progress)
[...]
poll([{fd=3, events=POLLOUT}, {fd=0, events=POLLIN|POLLPRI}], 2, -1) = 1
([{fd=3, revents=POLLOUT}])
open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 5
[...]
writev(3, [{"263  2761  27233NQ373C370+25361334F 321y!6#5|1}34"..., 195}], 1)
= 195
recv(3, "2631 001", 5, 0)           = 5
recv(3, "2  -31NQ373C374211v347276y(r30222236v244K23321730535;372252264"...,
49, 0) = 49
recv(3, "263123b", 5, 0)            = 5
recv(3, "v 23^ 23[ 6 0502026 0102023351240321223 2673610r6t"..., 4962, 0) =
1389
recv(3,
"16214376217<|303}+W'1320A332256)241315h2325726031250|305366212365203352"...,
3573, 0) = 1448
recv(3,
"X>351224+221P20733326^3262143143671720fRN32026a345345nl27727307rF"..., 2125,
0) = 1448
recv(3, "crl046t`206H1206370B1104'26%http://www.c"..., 677, 0) = 677
recv(3, "2631 4", 5, 0)            = 5
recv(3, "16   ", 4, 0)              = 4
[...]
writev(3, [{"", 4294967269}, {"", 4294967269},
{"2631 360sI-31533262$5343222402345201332306210?303224215266252`|36R"...,
245}], 3) = -1 EINVAL (Invalid argument)
shutdown(3, SHUT_RDWR)                  = 0
close(3)                                = 0

The length argument to writev() is (unsigned int)-26.

Valgrind only has complaints about libidn (read of size 4 with offset 4 in an
allocation of size 7). This can't cause any corruption. Then comes the
writev():

==17779== Syscall param writev(vector[...]) points to unaddressable byte(s)
==17779==    at 0x43C1ADE: writev (in /lib/libc-2.14.so)
==17779==  Address 0x6dd6e67 is 0 bytes after a block of size 2,895 alloc'd
==17779==    at 0x4026416: calloc (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17779==    by 0x44F271F: ??? (in /usr/lib/libgnutls.so.28.0.1)
==17779==    by 0x44EE7CA: _gnutls_send_int (in /usr/lib/libgnutls.so.28.0.1)
==17779==    by 0x44F47E6: ??? (in /usr/lib/libgnutls.so.28.0.1)
==17779==    by 0x44F668C: ??? (in /usr/lib/libgnutls.so.28.0.1)
==17779==    by 0x44F6B2C: ??? (in /usr/lib/libgnutls.so.28.0.1)
==17779==    by 0x44F8C4F: ??? (in /usr/lib/libgnutls.so.28.0.1)
==17779==    by 0x44FA558: gnutls_handshake (in /usr/lib/libgnutls.so.28.0.1)
==17779==    by 0x4055427: ??? (in /usr/lib/libloudmouth-1.so.0.1.0)
==17779==    by 0x4056F70: ??? (in /usr/lib/libloudmouth-1.so.0.1.0)
==17779==    by 0x40576F8: ??? (in /usr/lib/libloudmouth-1.so.0.1.0)
==17779==    by 0x40580D7: ??? (in /usr/lib/libloudmouth-1.so.0.1.0)

All the packages used are archlinux x86 stock ones. I'd be happy about any
hints on how I can debug this further.

P.S.: How do I attach files?

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107775>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
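As an added defensive example, not code from the original report, GnuTLS or loudmouth: two hypothetical helpers that would have caught the lengths in the trace above before the writev() call, by rejecting a negative length at the point it is converted to a size and by checking the iovec total against the target's ssize_t limit (INT32_MAX models the 32-bit x86 process in the report; the buffer sizes are constructed).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/uio.h>

/* Hypothetical helpers, not GnuTLS or loudmouth code. iov_from_buf builds
 * one iovec entry from a buffer of known capacity and a length that came
 * from a signed computation: a negative value (such as an error code
 * mistaken for a byte count) or a length past the buffer's end is rejected
 * instead of being cast to a huge size_t. */
int iov_from_buf(struct iovec *out, void *buf, size_t cap, int32_t len) {
    if (len < 0 || (size_t)len > cap) {
        errno = EINVAL;
        return -1;
    }
    out->iov_base = buf;
    out->iov_len = (size_t)len;
    return 0;
}

/* Pre-check an iovec array before writev(). ssize_max is the ssize_t limit
 * of the target process (SSIZE_MAX on the host, INT32_MAX to model the
 * 32-bit x86 process in the report); the kernel rejects a total above it
 * with EINVAL, which is the error seen in the trace. */
int check_iovec(const struct iovec *iov, int iovcnt, size_t ssize_max) {
    size_t total = 0;
    if (iov == NULL || iovcnt < 0) {
        errno = EINVAL;
        return -1;
    }
    for (int i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > ssize_max - total) { /* total + len overflows */
            errno = EINVAL;
            return -1;
        }
        total += iov[i].iov_len;
    }
    return 0;
}

/* Rebuild the three-entry call from the trace with a constructed buffer:
 * (uint32_t)-27 is 4294967269, the iov_len strace printed twice. Returns
 * the errno the pre-check sets, or 0 if the array would have passed. */
int trace_case(void) {
    static unsigned char rec[2895]; /* size of the block valgrind reported */
    struct iovec iov[3] = { { rec, (size_t)(uint32_t)-27 },
                            { rec, (size_t)(uint32_t)-27 }, { rec, 245 } };
    return check_iovec(iov, 3, INT32_MAX) == 0 ? 0 : errno;
}
```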
