Control: tags 925577 + upstream patch
Dear Maintainer,
I tried to have a look at this crash and
could reproduce the issue.
It seems a pointer to the name-parameter value is queried
from libconfig9 and some lines later this pointer gets freed.
Unfortunately libconfig9 tries to free the pointer later too.
A valgrind run shows this quite nicely.
Attached patch makes a copy of the queried value that
could be safely freed later.
A package build with that patch does not crash.
Could not find a related issue in the upstream bug tracker.
Kind regards,
Bernhard
benutzer@debian:~$ valgrind shairport-sync
==8612== Memcheck, a memory error detector
==8612== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8612== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==8612== Command: shairport-sync
==8612==
fatal error: Could not establish a service on port 5000 -- program terminating.
Is another instance of Shairport Sync running on this device?
==8612== Invalid free() / delete / delete[] / realloc()
==8612== at 0x48369AB: free (vg_replace_malloc.c:530)
==8612== by 0x4F910C8: __config_setting_destroy (libconfig.c:472)
==8612== by 0x4F91070: __config_list_destroy (libconfig.c:502)
==8612== by 0x4F91070: __config_setting_destroy (libconfig.c:479)
==8612== by 0x4F91070: __config_list_destroy (libconfig.c:502)
==8612== by 0x4F91070: __config_setting_destroy (libconfig.c:479)
==8612== by 0x4F914E2: config_destroy (libconfig.c:743)
==8612== by 0x1114F4: exit_function (shairport.c:1067)
==8612== by 0x5736E9B: __run_exit_handlers (exit.c:108)
==8612== by 0x5736FC9: exit (exit.c:139)
==8612== by 0x119118: die (common.c:124)
==8612== by 0x117C71: rtsp_listen_loop (rtsp.c:2099)
==8612== by 0x110CD3: main (shairport.c:1512)
==8612== Address 0x71c00b0 is 0 bytes inside a block of size 7 free'd
==8612== at 0x48369AB: free (vg_replace_malloc.c:530)
==8612== by 0x11253D: parse_options (shairport.c:967)
==8612== by 0x110D62: main (shairport.c:1221)
==8612== Block was alloc'd at
==8612== at 0x483577F: malloc (vg_replace_malloc.c:299)
==8612== by 0x5784FF9: strdup (strdup.c:42)
==8612== by 0x4F91C8A: config_setting_set_string (libconfig.c:1161)
==8612== by 0x4F95637: libconfig_yyparse (grammar.y:346)
==8612== by 0x4F9169C: __config_read (libconfig.c:597)
==8612== by 0x4F91847: config_read_file (libconfig.c:712)
==8612== by 0x11231C: parse_options (shairport.c:372)
==8612== by 0x110D62: main (shairport.c:1221)
>From a620d40987108349beae29f44fac0710e3643993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= <bernha...@mailbox.org>
Date: Thu, 28 Mar 2019 14:06:26 +0100
Subject: [PATCH] Avoid double free by making a copy of the value received from
libconfig9.
https://bugs.debian.org/925577
---
shairport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shairport.c b/shairport.c
index 301838c..56a766b 100644
--- a/shairport.c
+++ b/shairport.c
@@ -374,7 +374,7 @@ int parse_options(int argc, char **argv) {
config.cfg = &config_file_stuff;
/* Get the Service Name. */
if (config_lookup_string(config.cfg, "general.name", &str)) {
- raw_service_name = (char *)str;
+ raw_service_name = strdup(str);
}
int daemonisewithout = 0;
int daemonisewith = 0;
--
2.20.1
# Buster amd64 qemu VM 2019-03-28
apt update
apt dist-upgrade
apt install systemd-coredump xserver-xorg lightdm openbox shairport-sync gdb
shairport-sync-dbgsym libconfig9-dbgsym valgrind devscripts dpkg-dev net-tools
apt build-dep shairport-sync
systemctl start lightdm
sed -i 's@//.*name = "%H";@ name = "Arcade";\n// name = "%H"@g'
/etc/shairport-sync.conf
mkdir /home/benutzer/source/shairport-sync/orig -p
cd /home/benutzer/source/shairport-sync/orig
apt source shairport-sync
cd
mkdir /home/benutzer/source/libconfig9/orig -p
cd /home/benutzer/source/libconfig9/orig
apt source libconfig9
cd
###########
benutzer@debian:~$ shairport-sync
fatal error: Could not establish a service on port 5000 -- program terminating.
Is another instance of Shairport Sync running on this device?
free(): double free detected in tcache 2
Abgebrochen (Speicherabzug geschrieben)
root@debian:~# coredumpctl list
TIME PID UID GID SIG COREFILE EXE
Thu 2019-03-28 13:24:22 CET 8268 1000 1000 6 present
/usr/bin/shairport-sync
root@debian:~# coredumpctl gdb 8268
PID: 8268 (shairport-sync)
UID: 1000 (benutzer)
GID: 1000 (benutzer)
Signal: 6 (ABRT)
Timestamp: Thu 2019-03-28 13:24:22 CET (1min 22s ago)
Command Line: shairport-sync
Executable: /usr/bin/shairport-sync
Control Group: /user.slice/user-1000.slice/session-5.scope
Unit: session-5.scope
Slice: user-1000.slice
Session: 5
Owner UID: 1000 (benutzer)
Boot ID: df1b25a2714f48f2bad5fbd1c7b68abd
Machine ID: 32f43b50ac8c4b21941bc0b02f8e7811
Hostname: debian
Storage:
/var/lib/systemd/coredump/core.shairport-sync.1000.df1b25a2714f48f2bad5fbd1c7b68abd.8268.1553775862000000.lz4
Message: Process 8268 (shairport-sync) of user 1000 dumped core.
Stack trace of thread 8268:
#0 0x00007f9a18e558bb raise (libc.so.6)
#1 0x00007f9a18e40535 abort (libc.so.6)
#2 0x00007f9a18e97778 n/a (libc.so.6)
#3 0x00007f9a18e9de6a n/a (libc.so.6)
#4 0x00007f9a18e9f94d n/a (libc.so.6)
#5 0x00007f9a195450c9 n/a (libconfig.so.9)
#6 0x00007f9a19545071 n/a (libconfig.so.9)
#7 0x00007f9a19545071 n/a (libconfig.so.9)
#8 0x00007f9a195454e3 config_destroy (libconfig.so.9)
#9 0x000055f4608f54f5 n/a (shairport-sync)
#10 0x00007f9a18e57e9c n/a (libc.so.6)
#11 0x00007f9a18e57fca exit (libc.so.6)
#12 0x000055f4608fd119 n/a (shairport-sync)
#13 0x000055f4608fbc72 n/a (shairport-sync)
#14 0x000055f4608f4cd4 main (shairport-sync)
#15 0x00007f9a18e4209b __libc_start_main (libc.so.6)
#16 0x000055f4608f52fa n/a (shairport-sync)
Stack trace of thread 8269:
#0 0x00007f9a1952100c pthread_cond_wait@@GLIBC_2.3.2
(libpthread.so.0)
#1 0x000055f4608f8a0b n/a (shairport-sync)
#2 0x000055f4608f90cb n/a (shairport-sync)
#3 0x00007f9a1951afa3 start_thread (libpthread.so.0)
#4 0x00007f9a18f1782f __clone (libc.so.6)
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/shairport-sync...(no debugging symbols
found)...done.
[New LWP 8268]
[New LWP 8269]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `shairport-sync'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht
gefunden.
[Current thread is 1 (Thread 0x7f9a17543400 (LWP 8268))]
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f9a18e40535 in __GI_abort () at abort.c:79
#2 0x00007f9a18e97778 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7f9a18fa228d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007f9a18e9de6a in malloc_printerr (str=str@entry=0x7f9a18fa3f58
"free(): double free detected in tcache 2") at malloc.c:5341
#4 0x00007f9a18e9f94d in _int_free (av=0x7f9a18fd9c40 <main_arena>,
p=0x55f46102aa40, have_lock=<optimized out>) at malloc.c:4193
#5 0x00007f9a195450c9 in ?? () from /usr/lib/x86_64-linux-gnu/libconfig.so.9
#6 0x00007f9a19545071 in ?? () from /usr/lib/x86_64-linux-gnu/libconfig.so.9
#7 0x00007f9a19545071 in ?? () from /usr/lib/x86_64-linux-gnu/libconfig.so.9
#8 0x00007f9a195454e3 in config_destroy () from
/usr/lib/x86_64-linux-gnu/libconfig.so.9
#9 0x000055f4608f54f5 in ?? ()
#10 0x00007f9a18e57e9c in __run_exit_handlers (status=1, listp=0x7f9a18fd9718
<__exit_funcs>, run_list_atexit=run_list_atexit@entry=true,
run_dtors=run_dtors@entry=true) at exit.c:108
#11 0x00007f9a18e57fca in __GI_exit (status=<optimized out>) at exit.c:139
#12 0x000055f4608fd119 in ?? ()
#13 0x000055f4608fbc72 in ?? ()
#14 0x000055f4608f4cd4 in main ()
Core was generated by `shairport-sync'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht
gefunden.
[Current thread is 1 (Thread 0x7f9a17543400 (LWP 8268))]
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f9a18e40535 in __GI_abort () at abort.c:79
#2 0x00007f9a18e97778 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7f9a18fa228d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007f9a18e9de6a in malloc_printerr (str=str@entry=0x7f9a18fa3f58
"free(): double free detected in tcache 2") at malloc.c:5341
#4 0x00007f9a18e9f94d in _int_free (av=0x7f9a18fd9c40 <main_arena>,
p=0x55f46102aa40, have_lock=<optimized out>) at malloc.c:4193
#5 0x00007f9a195450c9 in __config_setting_destroy (setting=0x55f46102a8b0) at
libconfig.c:472
#6 0x00007f9a19545071 in __config_list_destroy (list=0x55f46102a900) at
libconfig.c:502
#7 __config_setting_destroy (setting=0x55f46102a7b0) at libconfig.c:479
#8 0x00007f9a19545071 in __config_list_destroy (list=0x55f46102a800) at
libconfig.c:502
#9 __config_setting_destroy (setting=0x55f461025550) at libconfig.c:479
#10 0x00007f9a195454e3 in config_destroy (config=0x55f460927120
<config_file_stuff>) at libconfig.c:743
#11 0x000055f4608f54f5 in exit_function () at shairport.c:1067
#12 0x00007f9a18e57e9c in __run_exit_handlers (status=status@entry=1,
listp=0x7f9a18fd9718 <__exit_funcs>,
run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at
exit.c:108
#13 0x00007f9a18e57fca in __GI_exit (status=status@entry=1) at exit.c:139
#14 0x000055f4608fd119 in die (format=format@entry=0x55f460918a50 "Could not
establish a service on port %d -- program terminating. Is another instance of
Shairport Sync running on this device?") at common.c:124
#15 0x000055f4608fbc72 in rtsp_listen_loop () at rtsp.c:2099
#16 0x000055f4608f4cd4 in main (argc=1, argv=<optimized out>) at
shairport.c:1512
#############
benutzer@debian:~$ MALLOC_CHECK_=2 shairport-sync
fatal error: Could not establish a service on port 5000 -- program terminating.
Is another instance of Shairport Sync running on this device?
free(): invalid pointer
Abgebrochen (Speicherabzug geschrieben)
root@debian:~# coredumpctl list
TIME PID UID GID SIG COREFILE EXE
...
Thu 2019-03-28 13:28:29 CET 8488 1000 1000 6 present
/usr/bin/shairport-sync
root@debian:~# coredumpctl gdb 8488
PID: 8488 (shairport-sync)
UID: 1000 (benutzer)
GID: 1000 (benutzer)
Signal: 6 (ABRT)
Timestamp: Thu 2019-03-28 13:28:28 CET (46s ago)
Command Line: shairport-sync
Executable: /usr/bin/shairport-sync
Control Group: /user.slice/user-1000.slice/session-5.scope
Unit: session-5.scope
Slice: user-1000.slice
Session: 5
Owner UID: 1000 (benutzer)
Boot ID: df1b25a2714f48f2bad5fbd1c7b68abd
Machine ID: 32f43b50ac8c4b21941bc0b02f8e7811
Hostname: debian
Storage:
/var/lib/systemd/coredump/core.shairport-sync.1000.df1b25a2714f48f2bad5fbd1c7b68abd.8488.1553776108000000.lz4
Message: Process 8488 (shairport-sync) of user 1000 dumped core.
Stack trace of thread 8488:
#0 0x00007fc2eed0d8bb __GI_raise (libc.so.6)
#1 0x00007fc2eecf8535 __GI_abort (libc.so.6)
#2 0x00007fc2eed4f778 __libc_message (libc.so.6)
#3 0x00007fc2eed55e6a malloc_printerr (libc.so.6)
#4 0x00007fc2eed59d7e free_check (libc.so.6)
#5 0x00007fc2ef3fd0c9 __config_setting_destroy (libconfig.so.9)
#6 0x00007fc2ef3fd071 __config_list_destroy (libconfig.so.9)
#7 0x00007fc2ef3fd071 __config_list_destroy (libconfig.so.9)
#8 0x00007fc2ef3fd4e3 config_destroy (libconfig.so.9)
#9 0x00005610e34f94f5 exit_function (shairport-sync)
#10 0x00007fc2eed0fe9c __run_exit_handlers (libc.so.6)
#11 0x00007fc2eed0ffca __GI_exit (libc.so.6)
#12 0x00005610e3501119 die (shairport-sync)
#13 0x00005610e34ffc72 rtsp_listen_loop (shairport-sync)
#14 0x00005610e34f8cd4 main (shairport-sync)
#15 0x00007fc2eecfa09b __libc_start_main (libc.so.6)
#16 0x00005610e34f92fa _start (shairport-sync)
Stack trace of thread 8489:
#0 0x00007fc2ef3d900c futex_wait_cancelable (libpthread.so.0)
#1 0x00005610e34fca0b pc_queue_get_item (shairport-sync)
#2 0x00005610e34fd0cb metadata_thread_function (shairport-sync)
#3 0x00007fc2ef3d2fa3 start_thread (libpthread.so.0)
#4 0x00007fc2eedcf82f __clone (libc.so.6)
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/shairport-sync...Reading symbols from
/usr/lib/debug/.build-id/86/d37186a4a835b770dda51ed05557340210effe.debug...done.
done.
[New LWP 8488]
[New LWP 8489]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `shairport-sync'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht
gefunden.
[Current thread is 1 (Thread 0x7fc2ed3fb400 (LWP 8488))]
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007fc2eecf8535 in __GI_abort () at abort.c:79
#2 0x00007fc2eed4f778 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7fc2eee5a28d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007fc2eed55e6a in malloc_printerr (str=str@entry=0x7fc2eee5843b
"free(): invalid pointer") at malloc.c:5341
#4 0x00007fc2eed59d7e in free_check (mem=<optimized out>, caller=<optimized
out>) at hooks.c:254
#5 0x00007fc2ef3fd0c9 in __config_setting_destroy (setting=0x5610e373b360) at
libconfig.c:472
#6 0x00007fc2ef3fd071 in __config_list_destroy (list=0x5610e373b3d0) at
libconfig.c:502
#7 __config_setting_destroy (setting=0x5610e373b240) at libconfig.c:479
#8 0x00007fc2ef3fd071 in __config_list_destroy (list=0x5610e373b2b0) at
libconfig.c:502
#9 __config_setting_destroy (setting=0x5610e3734d30) at libconfig.c:479
#10 0x00007fc2ef3fd4e3 in config_destroy (config=0x5610e352b120
<config_file_stuff>) at libconfig.c:743
#11 0x00005610e34f94f5 in exit_function () at shairport.c:1067
#12 0x00007fc2eed0fe9c in __run_exit_handlers (status=status@entry=1,
listp=0x7fc2eee91718 <__exit_funcs>,
run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at
exit.c:108
#13 0x00007fc2eed0ffca in __GI_exit (status=status@entry=1) at exit.c:139
#14 0x00005610e3501119 in die (format=format@entry=0x5610e351ca50 "Could not
establish a service on port %d -- program terminating. Is another instance of
Shairport Sync running on this device?") at common.c:124
#15 0x00005610e34ffc72 in rtsp_listen_loop () at rtsp.c:2099
#16 0x00005610e34f8cd4 in main (argc=1, argv=<optimized out>) at
shairport.c:1512
###############
benutzer@debian:~$ valgrind shairport-sync
==8612== Memcheck, a memory error detector
==8612== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8612== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==8612== Command: shairport-sync
==8612==
fatal error: Could not establish a service on port 5000 -- program terminating.
Is another instance of Shairport Sync running on this device?
==8612== Invalid free() / delete / delete[] / realloc()
==8612== at 0x48369AB: free (vg_replace_malloc.c:530)
==8612== by 0x4F910C8: __config_setting_destroy (libconfig.c:472)
==8612== by 0x4F91070: __config_list_destroy (libconfig.c:502)
==8612== by 0x4F91070: __config_setting_destroy (libconfig.c:479)
==8612== by 0x4F91070: __config_list_destroy (libconfig.c:502)
==8612== by 0x4F91070: __config_setting_destroy (libconfig.c:479)
==8612== by 0x4F914E2: config_destroy (libconfig.c:743)
==8612== by 0x1114F4: exit_function (shairport.c:1067)
==8612== by 0x5736E9B: __run_exit_handlers (exit.c:108)
==8612== by 0x5736FC9: exit (exit.c:139)
==8612== by 0x119118: die (common.c:124)
==8612== by 0x117C71: rtsp_listen_loop (rtsp.c:2099)
==8612== by 0x110CD3: main (shairport.c:1512)
==8612== Address 0x71c00b0 is 0 bytes inside a block of size 7 free'd
==8612== at 0x48369AB: free (vg_replace_malloc.c:530)
==8612== by 0x11253D: parse_options (shairport.c:967)
==8612== by 0x110D62: main (shairport.c:1221)
==8612== Block was alloc'd at
==8612== at 0x483577F: malloc (vg_replace_malloc.c:299)
==8612== by 0x5784FF9: strdup (strdup.c:42)
==8612== by 0x4F91C8A: config_setting_set_string (libconfig.c:1161)
==8612== by 0x4F95637: libconfig_yyparse (grammar.y:346)
==8612== by 0x4F9169C: __config_read (libconfig.c:597)
==8612== by 0x4F91847: config_read_file (libconfig.c:712)
==8612== by 0x11231C: parse_options (shairport.c:372)
==8612== by 0x110D62: main (shairport.c:1221)
==8612==
==8612==
==8612== HEAP SUMMARY:
==8612== in use at exit: 8,470 bytes in 6 blocks
==8612== total heap usage: 73 allocs, 68 frees, 153,828 bytes allocated
==8612==
==8612== LEAK SUMMARY:
==8612== definitely lost: 0 bytes in 0 blocks
==8612== indirectly lost: 0 bytes in 0 blocks
==8612== possibly lost: 352 bytes in 1 blocks
==8612== still reachable: 8,118 bytes in 5 blocks
==8612== suppressed: 0 bytes in 0 blocks
==8612== Rerun with --leak-check=full to see details of leaked memory
==8612==
==8612== For counts of detected and suppressed errors, rerun with: -v
==8612== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
#############
benutzer@debian:~$ gdb -q \
> -ex 'set width 0' \
> -ex 'set pagination off' \
> -ex 'directory
> /home/benutzer/source/shairport-sync/orig/shairport-sync-3.2.2' \
> -ex 'directory /home/benutzer/source/libconfig9/orig/libconfig-1.5/lib' \
> -ex 'b shairport.c:967' \
> -ex 'run' \
> --args shairport-sync
Reading symbols from shairport-sync...Reading symbols from
/usr/lib/debug/.build-id/86/d37186a4a835b770dda51ed05557340210effe.debug...done.
done.
Source directories searched:
/home/benutzer/source/shairport-sync/orig/shairport-sync-3.2.2:$cdir:$cwd
Source directories searched:
/home/benutzer/source/libconfig9/orig/libconfig-1.5/lib:/home/benutzer/source/shairport-sync/orig/shairport-sync-3.2.2:$cdir:$cwd
Breakpoint 1 at 0xa539: file shairport.c, line 967.
Starting program: /usr/bin/shairport-sync
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, parse_options (argc=<optimized out>, argv=<optimized out>) at
shairport.c:967
warning: Source file is more recent than executable.
967 free(raw_service_name);
(gdb) print raw_service_name
$1 = 0x5555555b0a50 "Arcade"
(gdb) bt
#0 parse_options (argc=<optimized out>, argv=<optimized out>) at
shairport.c:967
#1 0x000055555555cd63 in main (argc=1, argv=0x7fffffffe5f8) at shairport.c:1221
(gdb) cont
Continuing.
[New Thread 0x7ffff5674700 (LWP 22120)]
fatal error: Could not establish a service on port 5000 -- program terminating.
Is another instance of Shairport Sync running on this device?
free(): double free detected in tcache 2
Thread 1 "shairport-sync" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht
gefunden.
(gdb) up
#1 0x00007ffff6f75535 in __GI_abort () at abort.c:79
79 abort.c: Datei oder Verzeichnis nicht gefunden.
(gdb)
#2 0x00007ffff6fcc778 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff70d728d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
181 ../sysdeps/posix/libc_fatal.c: Datei oder Verzeichnis nicht gefunden.
(gdb)
#3 0x00007ffff6fd2e6a in malloc_printerr (str=str@entry=0x7ffff70d8f58
"free(): double free detected in tcache 2") at malloc.c:5341
5341 malloc.c: Datei oder Verzeichnis nicht gefunden.
(gdb)
#4 0x00007ffff6fd494d in _int_free (av=0x7ffff710ec40 <main_arena>,
p=0x5555555b0a40, have_lock=<optimized out>) at malloc.c:4193
4193 in malloc.c
(gdb)
#5 0x00007ffff767a0c9 in __config_setting_destroy (setting=0x5555555b08b0) at
libconfig.c:472
472 _delete(setting->value.sval);
(gdb) print setting->value.sval
$2 = 0x5555555b0a50 "`\246ZUUU"
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff6f75535 in __GI_abort () at abort.c:79
#2 0x00007ffff6fcc778 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff70d728d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff6fd2e6a in malloc_printerr (str=str@entry=0x7ffff70d8f58
"free(): double free detected in tcache 2") at malloc.c:5341
#4 0x00007ffff6fd494d in _int_free (av=0x7ffff710ec40 <main_arena>,
p=0x5555555b0a40, have_lock=<optimized out>) at malloc.c:4193
#5 0x00007ffff767a0c9 in __config_setting_destroy (setting=0x5555555b08b0) at
libconfig.c:472
#6 0x00007ffff767a071 in __config_list_destroy (list=0x5555555b0900) at
libconfig.c:502
#7 __config_setting_destroy (setting=0x5555555b07b0) at libconfig.c:479
#8 0x00007ffff767a071 in __config_list_destroy (list=0x5555555b0800) at
libconfig.c:502
#9 __config_setting_destroy (setting=0x5555555ab550) at libconfig.c:479
#10 0x00007ffff767a4e3 in config_destroy (config=0x55555558f120
<config_file_stuff>) at libconfig.c:743
#11 0x000055555555d4f5 in exit_function () at shairport.c:1067
#12 0x00007ffff6f8ce9c in __run_exit_handlers (status=status@entry=1,
listp=0x7ffff710e718 <__exit_funcs>,
run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at
exit.c:108
#13 0x00007ffff6f8cfca in __GI_exit (status=status@entry=1) at exit.c:139
#14 0x0000555555565119 in die (format=format@entry=0x555555580a50 "Could not
establish a service on port %d -- program terminating. Is another instance of
Shairport Sync running on this device?") at common.c:124
#15 0x0000555555563c72 in rtsp_listen_loop () at rtsp.c:2099
#16 0x000055555555ccd4 in main (argc=1, argv=<optimized out>) at
shairport.c:1512
############
gdb -q \
-ex 'set width 0' \
-ex 'set pagination off' \
-ex 'directory
/home/benutzer/source/shairport-sync/orig/shairport-sync-3.2.2' \
-ex 'directory /home/benutzer/source/libconfig9/orig/libconfig-1.5/lib' \
-ex 'b shairport.c:967' \
-ex 'run' \
--args shairport-sync
(gdb) list shairport.c:226,994
226 int parse_options(int argc, char **argv) {
227 // there are potential memory leaks here -- it's called a second
time, previously allocated
228 // strings will dangle.
229 char *raw_service_name = NULL; /* Used to pick up the service name
before possibly expanding it */
...
238 struct poptOption optionsTable[] = {
...
250 {"name", 'a', POPT_ARG_STRING, &raw_service_name, 0, NULL, NULL},
...
366 char *config_file_real_path = realpath(config.configfile, NULL);
367 if (config_file_real_path == NULL) {
368 debug(2, "Can't resolve the configuration file \"%s\".",
config.configfile);
369 } else {
370 debug(2, "Looking for configuration file at full path \"%s\"",
config_file_real_path);
371 /* Read the file. If there is an error, report it and exit. */
372 if (config_read_file(&config_file_stuff, config_file_real_path)) {
373 // make config.cfg point to it
374 config.cfg = &config_file_stuff;
375 /* Get the Service Name. */
376 if (config_lookup_string(config.cfg, "general.name", &str)) {
377 raw_service_name = (char *)str;
378 }
...
956
957 /* if the Service Name wasn't specified, do it now */
958
959 if (raw_service_name == NULL)
960 raw_service_name = strdup("%H");
961
962 // now, do the substitutions in the service name
963 char hostname[100];
964 gethostname(hostname, 100);
965 char *i1 = str_replace(raw_service_name, "%h", hostname);
966 if (raw_service_name) {
967 free(raw_service_name);
968 raw_service_name = NULL;
969 }
970 if ((hostname[0] >= 'a') && (hostname[0] <= 'z'))
971 hostname[0] = hostname[0] - 0x20; // convert a lowercase first
letter into a capital letter
972 char *i2 = str_replace(i1, "%H", hostname);
973 char *i3 = str_replace(i2, "%v", PACKAGE_VERSION);
974 char *vs = get_version_string();
975 config.service_name = str_replace(i3, "%V", vs);
976 free(i1);
977 free(i2);
978 free(i3);
979 free(vs);
980
...
992
993 return optind + 1;
994 }
set width 0
set pagination off
directory /home/benutzer/source/shairport-sync/orig/shairport-sync-3.2.2
directory /home/benutzer/source/libconfig9/orig/libconfig-1.5/lib
bt
https://github.com/mikebrady/shairport-sync/blob/master/shairport.c#L377
https://github.com/mikebrady/shairport-sync/issues
#############
cd /home/benutzer/source/shairport-sync
cp orig try1 -a
cd try1/shairport-sync-3.2.2
git config user.name "..."
git config user.email "..."
git init
git add .
git commit -m "Initial commit"
# changes
git add shairport.c
git commit
git format-patch -o .. -1
dpkg-buildpackage -b
dpkg -i /home/benutzer/source/shairport-sync/try1/shairport-sync*.deb
benutzer@debian:~$ MALLOC_CHECK_=2 shairport-sync
fatal error: Could not establish a service on port 5000 -- program terminating.
Is another instance of Shairport Sync running on this device?
-> No crash.
