On 12/11/2016 09:33, Brian Candler wrote:
So I sent a SIGABRT, here is the backtrace:
And here is some state from the core dump:
(gdb) print so
$1 = (struct socket *) 0x564b181fc940
(gdb) print *so
$2 = {so_next = 0x564b18258c60, so_prev = 0x564b181fcb00, canary1 =
-559038737, s = 28,
pollfds_idx = -1, slirp = 0x564b16293a70, so_m = 0x0, so_ti =
0x564b182d9070, so_urgc = 0, fhost = {
ss = {ss_family = 2,
__ss_padding =
"\fFd@\000\361\000\000\000\000\000\000\000\000^\000\000\000n", '\000'
<repeats 19 times>,
"\330|Ak\375\177\000\000\002\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\070|Ak\375\177\000\000\271\022\262\024KV\000\000\001\000\000\000\000\000\000\000\312\031\262\024KV\000\000\340|Ak\375\177\000\000\000\021\002?\323fZ\345\000\220-\030KV\000",
__ss_align = 94880472217585}, sin = {
sin_family = 2, sin_port = 17932, sin_addr = {s_addr = 4043325540},
sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family =
2, sin6_port = 17932,
sin6_flowinfo = 4043325540, sin6_addr = {__in6_u = {
__u6_addr8 =
"\000\000\000\000\000\000\000\000^\000\000\000n\000\000", __u6_addr16 =
{0, 0,
0, 0, 94, 0, 110, 0}, __u6_addr32 = {0, 0, 94, 110}}},
sin6_scope_id = 0}}, lhost = {
ss = {ss_family = 2,
__ss_padding =
"\231\246\n\000\002\017\000\000\000\000\000\000\000\000\320\t\032\030KV\000\000\000\021\002?\323fZ\345\214\304+\030KV\000\000\320\t\032\030KV\000\000\000\304+\030KV\000\000Y[\330\024KV\000\000\000|Ak\375\177\000\000\061\000\000\000KV\000\000\061\000\000\000KV\000\000\024\000\000\000\000\000\000\000E\000E\000\251\246\000@@\021{\355\n\000\002\017\n\000\002\003\000\000\000",
__ss_align = 313532612711}, sin = {sin_family = 2, sin_port =
42649, sin_addr = {
s_addr = 251789322}, sin_zero =
"\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2,
sin6_port = 42649, sin6_flowinfo = 251789322, sin6_addr =
{__in6_u = {
__u6_addr8 =
"\000\000\000\000\000\000\000\000\320\t\032\030KV\000", __u6_addr16 = {0, 0,
0, 0, 2512, 6170, 22091, 0}, __u6_addr32 = {0, 0,
404359632, 22091}}},
sin6_scope_id = 1057100032}}, so_iptos = 0 '\000', so_emu = 0
'\000', so_type = 0 '\000',
so_state = 1, so_tcpcb = 0x0, so_expire = 0, so_queued = 0,
so_nqueued = 0, so_rcv = {sb_cc = 0,
sb_datalen = 9000, sb_wptr = 0x564b162898c0 "\200u(\026KV",
sb_rptr = 0x564b162898c0 "\200u(\026KV", sb_data = 0x564b162898c0
"\200u(\026KV"}, so_snd = {
sb_cc = 0, sb_datalen = 9000,
sb_wptr = 0x564b162e8034
"/3\204|\244n\217;\257|\260nMshG\351\373\211w\205\241\252\364Z\343",
<incomplete sequence \307>,
sb_rptr = 0x564b162e8034
"/3\204|\244n\217;\257|\260nMshG\351\373\211w\205\241\252\364Z\343",
<incomplete sequence \307>, sb_data = 0x564b162e7cc0 "\260\230(\026KV"},
extra = 0x0,
---Type <return> to continue, or q <return> to quit---
canary2 = -1103113299}
(gdb) print so->slirp
$3 = (Slirp *) 0x564b16293a70
(gdb) print *(so->slirp)
$4 = {entry = {tqe_next = 0x0, tqe_prev = 0x564b154961a0
<slirp_instances>}, time_fasttimo = 0,
last_slowtimo = 549524, do_slowtimo = true, in_enabled = true,
in6_enabled = true, vnetwork_addr = {
s_addr = 131082}, vnetwork_mask = {s_addr = 16777215}, vhost_addr =
{s_addr = 33685514},
vprefix_addr6 = {__in6_u = {__u6_addr8 = "\376\300", '\000' <repeats
13 times>, __u6_addr16 = {
49406, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {49406, 0, 0, 0}}},
vprefix_len = 64 '@',
vhost_addr6 = {__in6_u = {__u6_addr8 = "\376\300", '\000' <repeats 13
times>, "\002",
__u6_addr16 = {49406, 0, 0, 0, 0, 0, 0, 512}, __u6_addr32 =
{49406, 0, 0, 33554432}}},
vdhcp_startaddr = {s_addr = 251789322}, vnameserver_addr = {s_addr =
50462730},
vnameserver_addr6 = {__in6_u = {__u6_addr8 = "\376\300", '\000'
<repeats 13 times>, "\003",
__u6_addr16 = {49406, 0, 0, 0, 0, 0, 0, 768}, __u6_addr32 =
{49406, 0, 0, 50331648}}},
client_ipaddr = {s_addr = 0}, client_hostname = '\000' <repeats 32
times>, restricted = 0,
exec_list = 0x0, m_freelist = {qh_link = 0x564b182c9600, qh_rlink =
0x564b182c9600}, m_usedlist = {
qh_link = 0x564b182d9000, qh_rlink = 0x564b182bfa00}, mbuf_alloced
= 11, if_fastq = {
qh_link = 0x564b16293b30, qh_rlink = 0x564b16293b30}, if_batchq =
{qh_link = 0x564b16293b40,
qh_rlink = 0x564b16293b40}, next_m = 0x564b16293b40, if_start_busy
= false, ipq = {frag_link = {
next = 0x0, prev = 0x0}, ip_link = {next = 0x564b16293b69, prev =
0x564b16293b69},
ipq_ttl = 0 '\000', ipq_p = 0 '\000', ipq_id = 0, ipq_src = {s_addr
= 0}, ipq_dst = {
s_addr = 0}}, ip_id = 2123, bootp_clients = {{allocated = 1,
macaddr = "RT\000\022\064V"}, {
allocated = 0, macaddr = "\000\000\000\000\000"} <repeats 15
times>}, bootp_filename = 0x0,
vdnssearch_len = 0, vdnssearch = 0x0, tcb = {so_next =
0x564b182be7c0, so_prev = 0x564b16295ce0,
canary1 = 0, s = 0, pollfds_idx = 0, slirp = 0x0, so_m = 0x0, so_ti
= 0x0, so_urgc = 0, fhost = {
ss = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>,
__ss_align = 0}, sin = {
sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0},
sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family
= 0, sin6_port = 0,
sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000'
<repeats 15 times>,
__u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0,
0, 0, 0}}},
sin6_scope_id = 0}}, lhost = {ss = {ss_family = 0, __ss_padding
= '\000' <repeats 117 times>,
__ss_align = 0}, sin = {sin_family = 0, sin_port = 0, sin_addr
= {s_addr = 0},
sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family
= 0, sin6_port = 0,
sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000'
<repeats 15 times>,
__u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0,
0, 0, 0}}},
---Type <return> to continue, or q <return> to quit---
sin6_scope_id = 0}}, so_iptos = 0 '\000', so_emu = 0 '\000',
so_type = 0 '\000',
so_state = 0, so_tcpcb = 0x0, so_expire = 0, so_queued = 0,
so_nqueued = 0, so_rcv = {sb_cc = 0,
sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0},
so_snd = {sb_cc = 0,
sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0},
extra = 0x0, canary2 = 0},
tcp_last_so = 0x564b16293c20, tcp_iss = 1920001, tcp_now = 25, udb =
{so_next = 0x564b182be600,
so_prev = 0x564b182bdc00, canary1 = 0, s = 0, pollfds_idx = 0,
slirp = 0x0, so_m = 0x0,
so_ti = 0x0, so_urgc = 0, fhost = {ss = {ss_family = 0,
__ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin
= {sin_family = 0,
sin_port = 0, sin_addr = {s_addr = 0}, sin_zero =
"\000\000\000\000\000\000\000"}, sin6 = {
sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr =
{__in6_u = {
__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0,
0, 0, 0, 0, 0, 0, 0},
__u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, lhost =
{ss = {ss_family = 0,
__ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin
= {sin_family = 0,
sin_port = 0, sin_addr = {s_addr = 0}, sin_zero =
"\000\000\000\000\000\000\000"}, sin6 = {
sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr =
{__in6_u = {
__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0,
0, 0, 0, 0, 0, 0, 0},
__u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, so_iptos
= 0 '\000',
so_emu = 0 '\000', so_type = 0 '\000', so_state = 0, so_tcpcb =
0x0, so_expire = 0,
so_queued = 0, so_nqueued = 0, so_rcv = {sb_cc = 0, sb_datalen = 0,
sb_wptr = 0x0, sb_rptr = 0x0,
sb_data = 0x0}, so_snd = {sb_cc = 0, sb_datalen = 0, sb_wptr =
0x0, sb_rptr = 0x0,
sb_data = 0x0}, extra = 0x0, canary2 = 0}, udp_last_so =
0x564b182d7e00, icmp = {
so_next = 0x564b16293f98, so_prev = 0x564b16293f98, canary1 = 0, s
= 0, pollfds_idx = 0,
slirp = 0x0, so_m = 0x0, so_ti = 0x0, so_urgc = 0, fhost = {ss =
{ss_family = 0,
__ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin
= {sin_family = 0,
sin_port = 0, sin_addr = {s_addr = 0}, sin_zero =
"\000\000\000\000\000\000\000"}, sin6 = {
sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr =
{__in6_u = {
__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0,
0, 0, 0, 0, 0, 0, 0},
__u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, lhost =
{ss = {ss_family = 0,
__ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin
= {sin_family = 0,
sin_port = 0, sin_addr = {s_addr = 0}, sin_zero =
"\000\000\000\000\000\000\000"}, sin6 = {
sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr =
{__in6_u = {
---Type <return> to continue, or q <return> to quit---
__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0,
0, 0, 0, 0, 0, 0, 0},
__u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, so_iptos
= 0 '\000',
so_emu = 0 '\000', so_type = 0 '\000', so_state = 0, so_tcpcb =
0x0, so_expire = 0,
so_queued = 0, so_nqueued = 0, so_rcv = {sb_cc = 0, sb_datalen = 0,
sb_wptr = 0x0, sb_rptr = 0x0,
sb_data = 0x0}, so_snd = {sb_cc = 0, sb_datalen = 0, sb_wptr =
0x0, sb_rptr = 0x0,
sb_data = 0x0}, extra = 0x0, canary2 = 0}, icmp_last_so =
0x564b16293f98, tftp_prefix = 0x0,
tftp_sessions = {{slirp = 0x0, filename = 0x0, fd = 0, client_addr =
{ss_family = 0,
__ss_padding = '\000' <repeats 117 times>, __ss_align = 0},
client_port = 0, block_nr = 0,
timestamp = 0} <repeats 20 times>}, arp_table = {table = {{ar_hrd
= 0, ar_pro = 0,
ar_hln = 0 '\000', ar_pln = 0 '\000', ar_op = 0, ar_sha =
"RT\000\022\064V",
ar_sip = 251789322, ar_tha = "\000\000\000\000\000", ar_tip =
0}, {ar_hrd = 0, ar_pro = 0,
ar_hln = 0 '\000', ar_pln = 0 '\000', ar_op = 0, ar_sha =
"\000\000\000\000\000", ar_sip = 0,
ar_tha = "\000\000\000\000\000", ar_tip = 0} <repeats 15
times>}, next_victim = 1},
ndp_table = {table = {{eth_addr = "RT\000\022\064V", ip_addr =
{__in6_u = {
__u6_addr8 =
"\376\200\000\000\000\000\000\000PT\000\377\376\022\064V", __u6_addr16 = {
33022, 0, 0, 0, 21584, 65280, 4862, 22068}, __u6_addr32 =
{33022, 0, 4278211664,
1446253310}}}}, {eth_addr = "\000\000\000\000\000",
ip_addr = {__in6_u = {
__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0,
0, 0, 0, 0, 0, 0, 0},
__u6_addr32 = {0, 0, 0, 0}}}} <repeats 15 times>},
next_victim = 1},
grand = 0x564b162951c0, ra_timer = 0x564b162932d0, opaque =
0x564b16293840}
(gdb) print so->slirp->next_m
$5 = (struct mbuf *) 0x564b16293b40
(gdb) print *(so->slirp->next_m)
$6 = {m_next = 0x564b16293b40, m_prev = 0x564b16293b40, m_nextpkt =
0x564b16293b40, m_prevpkt = 0x0,
m_flags = 0, m_size = 0, m_so = 0x564b16293b6900,
m_data = 0x564b16293b6900 <error: Cannot access memory at address
0x564b16293b6900>, m_len = 0,
slirp = 0x84b000000000000, resolution_requested = true,
expiration_date = 0, m_ext = 0x0,
m_dat = 0x564b16293ba0 ""}
(gdb) print so->slirp->next_m->ifq_so
There is no member named ifq_so.
(gdb) print (so->slirp->next_m)->ifq_next
There is no member named ifq_next.
<< digs through code >> Ah OK, ifq_so and ifq_next are macros.
(gdb) print so->slirp->next_m->m_so
$8 = (struct socket *) 0x564b16293b6900
(gdb) print *(so->slirp->next_m->m_so)
Cannot access memory at address 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next
$9 = (struct mbuf *) 0x564b16293b40
(gdb) print *(so->slirp->next_m->m_next)
$10 = {m_next = 0x564b16293b40, m_prev = 0x564b16293b40, m_nextpkt =
0x564b16293b40, m_prevpkt = 0x0,
m_flags = 0, m_size = 0, m_so = 0x564b16293b6900,
m_data = 0x564b16293b6900 <error: Cannot access memory at address
0x564b16293b6900>, m_len = 0,
slirp = 0x84b000000000000, resolution_requested = true,
expiration_date = 0, m_ext = 0x0,
m_dat = 0x564b16293ba0 ""}
Looks corrupt, since these pointers point outside accessible memory. Note also that next_m (0x564b16293b40) is the same address as if_batchq.qh_link/qh_rlink above, i.e. it appears to point at the empty batch-queue head itself rather than at a real mbuf, which would explain why the "mbuf" fields read as garbage.
(gdb) print so
$16 = (struct socket *) 0x564b181fc940
(gdb) print so->slirp->next_m->m_so
$17 = (struct socket *) 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next->m_so
$18 = (struct socket *) 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next->m_next->m_so
$19 = (struct socket *) 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next->m_next->m_next->m_so
$20 = (struct socket *) 0x564b16293b6900
(gdb)
There's the infinite loop: m_next points back to the same mbuf (0x564b16293b40), so walking the list never terminates.
Regards,
Brian.