Bug#772563: librelp0: Segmentation fault when TCP keepalive is enable

2014-12-09 Thread Rémi Palancher

On 08/12/2014 17:10, Remi Palancher wrote:

> The patch attached simply makes sure the relpTcp_t struct is well initialized
> with relpTcpConstruct() before EnableKeepAlive() is called.


I should have checked before but this is fixed upstream with the same 
patch in commit 0ca7f807958e8365b2fd2f3fd833814c83594bdc.


Therefore it will be fixed with the next upstream release of librelp (12.8
or something).






Bug#772563: librelp0: Segmentation fault when TCP keepalive is enable

2014-12-08 Thread Remi Palancher
Package: librelp0
Version: 1.2.7-2
Severity: important
Tags: upstream patch

Dear Maintainer,

When TCP keepalive is enabled in librelp0 and a new TCP connection is
initialized, it fails systematically with a segmentation fault. This is
particularly annoying when librelp0 is used through rsyslogd and its imrelp
plugin since it makes rsyslogd fail with a segmentation fault as soon as
clients with omrelp plugin try to connect to the server.

Here is the server side rsyslogd configuration excerpt to reproduce this bug:

  module(load="imrelp")
  input(type="imrelp" port="2514" KeepAlive="on")

After a rebuild of rsyslog and librelp without stripping, here is the backtrace
given by GDB when the SIGSEGV happens:

  $ gdb --args rsyslogd -n
  (gdb) r
  Starting program: /usr/sbin/rsyslogd -n
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  rsyslogd: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
  [New Thread 0x74990700 (LWP 25975)]
  [New Thread 0x7418f700 (LWP 25976)]
  [New Thread 0x7398e700 (LWP 25977)]
  [New Thread 0x7318d700 (LWP 25978)]
  
  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7398e700 (LWP 25977)]
  EnableKeepAlive (sock=17, pSrv=0x6a45d0, pThis=0x0) at tcp.c:688
  688 tcp.c: Aucun fichier ou dossier de ce type.
  (gdb) bt
  #0  EnableKeepAlive (sock=17, pSrv=0x6a45d0, pThis=0x0) at tcp.c:688
  #1  relpTcpAcceptConnReq (ppThis=0x6af6b0, sock=sock@entry=10, pSrv=pSrv@entry=0x6a45d0) at tcp.c:717
  #2  0x757390f4 in relpSessAcceptAndConstruct (ppThis=ppThis@entry=0x7398d638, pSrv=pSrv@entry=0x6a45d0, sock=sock@entry=10) at relpsess.c:191
  #3  0x75737d57 in handleConnectionRequest (sock=10, pSrv=0x6a45d0, pThis=0x6a44e0) at relp.c:589
  #4  engineEventLoopRun (pThis=pThis@entry=0x6a44e0) at relp.c:770
  #5  0x757383c7 in relpEngineRun (pThis=0x6a44e0) at relp.c:950
  #6  0x759472c8 in ?? () from /usr/lib/rsyslog/imrelp.so
  #7  0x004560a5 in thrdStarter (arg=0x7fffec000a00) at ../threads.c:212
  #8  0x779b0b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
  #9  0x76ad57bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
  #10 0x in ?? ()

The bug happens because the relpTcp_t * parameter of EnableKeepAlive(), named
pThis, is NULL when it is called by relpTcpAcceptConnReq(). Therefore the debug
print on line tcp.c:688 necessarily segfaults.

The patch attached simply makes sure the relpTcp_t struct is well initialized
with relpTcpConstruct() before EnableKeepAlive() is called.

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages librelp0 depends on:
ii  libc6  2.19-13
ii  libgnutls-deb0-28  3.3.8-5
ii  multiarch-support  2.19-13

librelp0 recommends no packages.

librelp0 suggests no packages.

-- no debconf information
Description: avoid SIGSEGV when TCP keepalive is enable
 
 Result of a GDB debug session:
 
 $ gdb --args rsyslogd -n
 (gdb) r
 Starting program: /usr/sbin/rsyslogd -n
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 rsyslogd: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
 [New Thread 0x74990700 (LWP 25975)]
 [New Thread 0x7418f700 (LWP 25976)]
 [New Thread 0x7398e700 (LWP 25977)]
 [New Thread 0x7318d700 (LWP 25978)]
 
 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0x7398e700 (LWP 25977)]
 EnableKeepAlive (sock=17, pSrv=0x6a45d0, pThis=0x0) at tcp.c:688
 688 tcp.c: Aucun fichier ou dossier de ce type.
 (gdb) bt
 #0  EnableKeepAlive (sock=17, pSrv=0x6a45d0, pThis=0x0) at tcp.c:688
 #1  relpTcpAcceptConnReq (ppThis=0x6af6b0, sock=sock@entry=10, pSrv=pSrv@entry=0x6a45d0) at tcp.c:717
 #2  0x757390f4 in relpSessAcceptAndConstruct (ppThis=ppThis@entry=0x7398d638, pSrv=pSrv@entry=0x6a45d0, sock=sock@entry=10) at relpsess.c:191
 #3  0x75737d57 in handleConnectionRequest (sock=10, pSrv=0x6a45d0, pThis=0x6a44e0) at relp.c:589
 #4  engineEventLoopRun (pThis=pThis@entry=0x6a44e0) at relp.c:770
 #5  0x757383c7 in relpEngineRun (pThis=0x6a44e0) at relp.c:950
 #6  0x759472c8 in ?? () from /usr/lib/rsyslog/imrelp.so
 #7  0x004560a5 in thrdStarter (arg=0x7fffec000a00) at ../threads.c:212
 #8  0x779b0b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
 #9  0x76ad57bd in clone () from /lib/x86_64-linux-gnu/libc.so.6
 #10 0x in ?? ()
 
 The bug
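
The call-order problem described in the report above, as an added example that is neither librelp's code nor the reporter's patch. `tcp_t`, `tcp_construct`, `enable_keepalive` and the error codes are hypothetical stand-ins, and the NULL guard is added so that the reported order returns an error code where the backtrace shows a SIGSEGV.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
enum { OK = 0, ERR_NULL_OBJ = -1, ERR_OOM = -2, ERR_SOCKOPT = -3 };
/* Hypothetical stand-in for relpTcp_t; the fields are invented here. */
typedef struct { int sock; int keepalive; int debug; } tcp_t;

static int tcp_construct(tcp_t **pp) {
    *pp = calloc(1, sizeof **pp);
    if (*pp == NULL) return ERR_OOM;
    (*pp)->sock = -1;
    return OK;
}

/* Reads pThis for its debug output, like the function in the backtrace.
 * The NULL guard is added here so the bad order yields an error code. */
static int enable_keepalive(tcp_t *pThis, int sock) {
    int on = 1;
    if (pThis == NULL) return ERR_NULL_OBJ;
    if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0) return ERR_SOCKOPT;
    if (pThis->debug) fprintf(stderr, "keepalive enabled on fd %d\n", sock);
    pThis->keepalive = 1;
    return OK;
}

/* Order described in the report: keepalive first, object still NULL. */
static int accept_reported_order(tcp_t **pp, int sock) {
    *pp = NULL;
    int r = enable_keepalive(*pp, sock);
    if (r == OK) r = tcp_construct(pp);
    if (r == OK) (*pp)->sock = sock;
    return r;
}

/* Order after the fix: construct the object, then enable keepalive. */
static int accept_fixed_order(tcp_t **pp, int sock) {
    int r = tcp_construct(pp);
    if (r == OK && (r = enable_keepalive(*pp, sock)) != OK) { free(*pp); *pp = NULL; }
    if (r == OK) (*pp)->sock = sock;
    return r;
}

int main(void) {
    tcp_t *t = NULL;
    int fd = socket(AF_INET, SOCK_STREAM, 0); /* unconnected, stays local */
    printf("reported order: %d\n", accept_reported_order(&t, fd));
    printf("fixed order: %d\n", accept_fixed_order(&t, fd));
    free(t); return 0;
}
```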