URL: <https://savannah.gnu.org/bugs/?61277>
Summary: wget crashes when downloading from redirect to ftp
Project: GNU Wget
Submitted by: formaiko
Submitted on: Mon 04 Oct 2021 11:55:20 AM UTC
Category: Crash/Freeze/Infloop
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Name: Michal Ruprich
Originator Email:
Open/Closed: Open
Release: None
Discussion Lock: Any
Operating System: GNU/Linux
Reproducibility: Every Time
Fixed Release: None
Planned Release: None
Regression: No
Work Required: None
Patch Included: No

_______________________________________________________

Details:

When downloading multiple files from http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/ wget-1.21.1 on Fedora crashes with a segfault:

# wget -c http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso
--2021-10-04 07:36:51-- http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso
Resolving archive.download.redhat.com (archive.download.redhat.com)... 10.4.204.83
Connecting to archive.download.redhat.com (archive.download.redhat.com)|10.4.204.83|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: ftp://legacy.redhat.com//pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso [following]
--2021-10-04 07:36:52-- ftp://legacy.redhat.com//pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso
=> ‘valhalla-i386-disc1.iso’
Resolving legacy.redhat.com (legacy.redhat.com)... 10.4.204.83
Connecting to legacy.redhat.com (legacy.redhat.com)|10.4.204.83|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/redhat/linux/7.3/en/iso/i386 ... done.
==> SIZE valhalla-i386-disc1.iso ... 668499968
==> PASV ... done. ==> RETR valhalla-i386-disc1.iso ... done.
Length: 668499968 (638M) (unauthoritative)
valhalla-i386-disc1.iso 100%[================================================>] 637.53M 44.8MB/s in 18s
2021-10-04 07:37:10 (36.3 MB/s) - ‘valhalla-i386-disc1.iso’ saved [668499968]
--2021-10-04 07:37:10-- http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso
Connecting to archive.download.redhat.com (archive.download.redhat.com)|10.4.204.83|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: ftp://legacy.redhat.com//pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso [following]
--2021-10-04 07:37:10-- ftp://legacy.redhat.com//pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso
=> ‘valhalla-i386-disc2.iso’
Connecting to legacy.redhat.com (legacy.redhat.com)|10.4.204.83|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/redhat/linux/7.3/en/iso/i386 ... done.
==> SIZE valhalla-i386-disc2.iso ... 669319168
==> PASV ... done. ==> RETR valhalla-i386-disc2.iso ... done.
Length: 669319168 (638M) (unauthoritative)
valhalla-i386-disc2.iso 100%[================================================>] 638.31M 31.1MB/s in 25s
2021-10-04 07:37:36 (25.4 MB/s) - ‘valhalla-i386-disc2.iso’ saved [669319168]
Segmentation fault (core dumped)

Both files are downloaded fine but after the second file, the crash occurs:

#0 0x0000000559aef3e9 in ?? ()
#1 0x0000559aef0a53dd in find_cell (key=0x559aef3ec4f0, ht=0x559aef3e9d60) at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/hash.c:321
#2 hash_table_get_pair (value=<synthetic pointer>, orig_key=<synthetic pointer>, lookup_key=0x559aef3ec4f0, ht=0x559aef3e9d60) at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/hash.c:354
#3 register_download (file=0x559aef3ca430 "valhalla-i386-disc2.iso", url=<optimized out>) at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/convert.c:963
#4 retrieve_url (orig_parsed=0x559aef3f0460, origurl=0x7ffd0f0885b9 "http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso", file=0x7ffd0f0873f8, newloc=0x7ffd0f0873f0, refurl=<optimized out>, dt=0x7ffd0f0873e8, recursive=<optimized out>, iri=0x559aef3e9980, register_status=true) at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/retr.c:1149
#5 0x0000559aef07236d in main (argc=<optimized out>, argv=0x7ffd0f087668) at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/main.c:2167

Seems like the size in find_cell is off the limits. First file is ok:

Breakpoint 1, find_cell (key=0x55555560d4f0, ht=0x55555560ad60) at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/hash.c:320
(gdb) p *ht
$7 = {hash_function = 0x555555570b60 <hash_string>, test_function = 0x555555570d30 <cmp_string>, cells = 0x555555611380, size = 13, count = 0, resize_threshold = 9, prime_offset = 1}

After the second file is downloaded:

Breakpoint 1, find_cell (key=0x55555560d4f0, ht=0x55555560ad60) at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/hash.c:320
(gdb) p *ht
$11 = {hash_function = 0x55555560a, test_function = 0x1bebe0b419b8155c, cells = 0x2e372f78756e696c, size = 1852124979, count = 1869834543, resize_threshold = 942893359, prime_offset = 658742}

Not sure what happens there but I thought I would try to narrow it down by leaving out -c but in that case I get a totally different crash:

# wget http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso

#0 __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:45
45 val = (INTERNAL_SYSCALL_ERROR_P (val)
(gdb) bt
#0 __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:45
#1 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at pthread_kill.c:62
#2 0x00007ffff7a446b6 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff7a2e7d3 in __GI_abort () at abort.c:79
#4 0x00007ffff7a85a27 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7bc15f9 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#5 0x00007ffff7a9b74c in malloc_printerr (str=str@entry=0x7ffff7bc40f0 "free(): double free detected in tcache 2") at malloc.c:5543
#6 0x00007ffff7a9d67f in _int_free (av=0x7ffff7bfbaa0 <main_arena>, p=0x555555613220, have_lock=0) at malloc.c:4360
#7 0x00007ffff7a9fae5 in __GI___libc_free (mem=<optimized out>) at malloc.c:3278
#8 0x0000555555562406 in main (argc=<optimized out>, argv=0x7fffffffe288) at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/main.c:2179

At this point seems like something happens with the filename pointer when leaving retrieve_url function. The xfree(filename) crashes because filename is nonsense:

(gdb) f 8
#8 0x0000555555562406 in main (argc=<optimized out>, argv=0x7fffffffe288) at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/main.c:2179
2179 xfree (filename);
(gdb) p filename
$1 = 0x555555613230 "\023VUU\005"
(gdb) p *filename
$2 = 19 '\023'

I was trying to follow the filename string through the retrieve_url function and even at the end the *file and *local_file point to the same string right before exiting the retrieve_url function:

(gdb) p local_file
$29 = 0x555555613230 "valhalla-i386-disc2.iso.1"
...
1162 *file = local_file ? local_file : NULL;
(gdb) p file
$31 = (char **) 0x7fffffffe018
(gdb) p *file
$32 = 0x555555613230 "valhalla-i386-disc2.iso.1"

If I try to download both files separately, no crash. I did not get further yet to narrow this down to anything but if anyone has any idea, I would really appreciate it.

Thanks and regards,
Michal

_______________________________________________________

Reply to this item at:

<https://savannah.gnu.org/bugs/?61277>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
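
Added example, not part of the original report and not wget code: the corrupted "p *ht" values above can be decoded as raw memory instead of read as numbers. It rebuilds the bytes from cells onward and renders them as text, which yields the tail of the FTP directory path seen in the log, and it checks whether the first word equals ht >> 12, the form glibc 2.32 and later gives a freed tcache chunk's next pointer when that pointer is NULL. Assumptions: x86_64 little-endian, 8-byte pointers, 4-byte ints; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values copied from the second "p *ht" dump in the report. */
#define HT_ADDR   0x55555560ad60ULL      /* ht argument of find_cell */
#define F_HASH_FN 0x55555560aULL         /* hash_function field      */
#define F_CELLS   0x2e372f78756e696cULL  /* cells field              */
/* size, count, resize_threshold, prime_offset */
static const uint32_t F_INTS[4] = { 1852124979u, 1869834543u, 942893359u, 658742u };

/* Write the low n bytes of v, least significant first (x86_64 memory order). */
static size_t put_le(unsigned char *out, size_t off, uint64_t v, size_t n) {
    for (size_t i = 0; i < n; i++) out[off + i] = (unsigned char)(v >> (8 * i));
    return off + n;
}

/* Rebuild struct bytes 16..39 (cells and the four ints); returns the count.
   Assumed layout: 8-byte pointers followed by 4-byte ints. */
size_t rebuild_tail(unsigned char *out) {
    size_t off = put_le(out, 0, F_CELLS, 8);
    for (int i = 0; i < 4; i++) off = put_le(out, off, F_INTS[i], 4);
    return off;
}

/* Render bytes as text, escaping anything that is not printable ASCII. */
void render(const unsigned char *b, size_t n, char *dst, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n && o + 5 < cap; i++) {
        if (b[i] >= 0x20 && b[i] < 0x7f) dst[o++] = (char)b[i];
        else o += (size_t)snprintf(dst + o, cap - o, "\\x%02x", b[i]);
    }
    dst[o] = '\0';
}

/* glibc >= 2.32 stores a freed tcache chunk's next pointer as
   (address >> 12) ^ next; with next == NULL that is address >> 12. */
int looks_like_freed_tcache_chunk(void) {
    return (HT_ADDR >> 12) == F_HASH_FN;
}

int main(void) {
    unsigned char raw[24];
    char text[128];
    size_t n = rebuild_tail(raw);
    render(raw, n, text, sizeof text);
    printf("bytes 16..39 as text: %s\n", text);
    printf("first word == ht >> 12: %s\n", looks_like_freed_tcache_chunk() ? "yes" : "no");
    return 0;
}
```

Both results are consistent with the hash table's memory having been freed and reused for string data before the lookup, which is where an AddressSanitizer or valgrind run of the same command line would be expected to report first.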