Bug#940230: ircd-hybrid: use after free and crash

2019-09-15 Thread Dominic Hargreaves
Control: tags -1 + moreinfo

On Sat, Sep 14, 2019 at 11:54:53AM +0200, Julien Cristau wrote:
> Package: ircd-hybrid
> Version: 1:8.2.24+dfsg.1-1
> Severity: grave
> 
> Hi,
> 
> I just upgraded to buster and ircd keeps crashing.
> One case with a segfault in strcmp, other times with glibc aborts.

Does this happen with a default config file? If not, could you share your
configuration? (feel free to email it to me privately if you don't want
it to be public).

And although I suspect it's not the same problem, could you check whether
you have a dhparam.pem file created where your config file refers to it?
See 

Cheers,
Dominic.



Bug#940230: ircd-hybrid: use after free and crash

2019-09-14 Thread Julien Cristau
Package: ircd-hybrid
Version: 1:8.2.24+dfsg.1-1
Severity: grave

Hi,

I just upgraded to buster and ircd keeps crashing.
One case with a segfault in strcmp, other times with glibc aborts.

Running with valgrind shows:

==4562== Invalid read of size 8
==4562==    at 0x127E10: dlinkDelete (list.c:125)
==4562==    by 0x12C7FB: rem_request (res.c:107)
==4562==    by 0x12C7FB: res_readreply (res.c:627)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==  Address 0xf82e610 is 16 bytes inside a block of size 472 free'd
==4562==    at 0x48369AB: free (vg_replace_malloc.c:530)
==4562==    by 0x12CBAA: rem_request (res.c:108)
==4562==    by 0x12CBAA: delete_resolver_queries (res.c:230)
==4562==    by 0x124610: fd_close (fdlist.c:127)
==4562==    by 0x113653: auth_error (auth.c:235)
==4562==    by 0x1139AD: auth_connect_callback (auth.c:415)
==4562==    by 0x12C7EC: res_readreply (res.c:593)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==  Block was alloc'd at
==4562==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==4562==    by 0x1290E0: xcalloc (memory.c:39)
==4562==    by 0x12BF33: make_request (res.c:117)
==4562==    by 0x12C50A: do_query_name (res.c:321)
==4562==    by 0x12EE86: comm_connect_tcp (s_bsd.c:408)
==4562==    by 0x113D59: auth_start_query (auth.c:475)
==4562==    by 0x113D59: auth_start (auth.c:500)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==
==4562== Invalid read of size 8
==4562==    at 0x127E14: dlinkDelete (list.c:125)
==4562==    by 0x12C7FB: rem_request (res.c:107)
==4562==    by 0x12C7FB: res_readreply (res.c:627)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==  Address 0xf82e608 is 8 bytes inside a block of size 472 free'd
==4562==    at 0x48369AB: free (vg_replace_malloc.c:530)
==4562==    by 0x12CBAA: rem_request (res.c:108)
==4562==    by 0x12CBAA: delete_resolver_queries (res.c:230)
==4562==    by 0x124610: fd_close (fdlist.c:127)
==4562==    by 0x113653: auth_error (auth.c:235)
==4562==    by 0x1139AD: auth_connect_callback (auth.c:415)
==4562==    by 0x12C7EC: res_readreply (res.c:593)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==  Block was alloc'd at
==4562==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==4562==    by 0x1290E0: xcalloc (memory.c:39)
==4562==    by 0x12BF33: make_request (res.c:117)
==4562==    by 0x12C50A: do_query_name (res.c:321)
==4562==    by 0x12EE86: comm_connect_tcp (s_bsd.c:408)
==4562==    by 0x113D59: auth_start_query (auth.c:475)
==4562==    by 0x113D59: auth_start (auth.c:500)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==
==4562== Invalid write of size 8
==4562==    at 0x127E2E: dlinkDelete (list.c:142)
==4562==    by 0x12C7FB: rem_request (res.c:107)
==4562==    by 0x12C7FB: res_readreply (res.c:627)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==  Address 0xf82e610 is 16 bytes inside a block of size 472 free'd
==4562==    at 0x48369AB: free (vg_replace_malloc.c:530)
==4562==    by 0x12CBAA: rem_request (res.c:108)
==4562==    by 0x12CBAA: delete_resolver_queries (res.c:230)
==4562==    by 0x124610: fd_close (fdlist.c:127)
==4562==    by 0x113653: auth_error (auth.c:235)
==4562==    by 0x1139AD: auth_connect_callback (auth.c:415)
==4562==    by 0x12C7EC: res_readreply (res.c:593)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==  Block was alloc'd at
==4562==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
==4562==    by 0x1290E0: xcalloc (memory.c:39)
==4562==    by 0x12BF33: make_request (res.c:117)
==4562==    by 0x12C50A: do_query_name (res.c:321)
==4562==    by 0x12EE86: comm_connect_tcp (s_bsd.c:408)
==4562==    by 0x113D59: auth_start_query (auth.c:475)
==4562==    by 0x113D59: auth_start (auth.c:500)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==
==4562== Invalid write of size 8
==4562==    at 0x127E36: dlinkDelete (list.c:143)
==4562==    by 0x12C7FB: rem_request (res.c:107)
==4562==    by 0x12C7FB: res_readreply (res.c:627)
==4562==    by 0x12B706: comm_select (s_bsd_epoll.c:153)
==4562==    by 0x11325B: io_loop (ircd.c:181)
==4562==    by 0x11325B: main (ircd.c:491)
==4562==  Address
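As an added example, not code from ircd-hybrid or from either poster, the C model below reproduces the ordering the trace above shows: the reply handler invokes the client's callback, the callback tears the connection down and deletes the pending resolver queries (freeing the request), and the handler then calls rem_request() on the same pointer. The function and struct names mirror those in the trace but are hypothetical stand-ins, not the project's API. Instead of free() the model poisons the block and parks it in a quarantine list, so the stale touch is detected deterministically rather than by luck of the allocator. The fixed variant unlinks the request before running the callback and releases it afterwards; that is one possible fix, not necessarily the one the package or upstream applied.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAGIC_LIVE 0x4C495645u
#define MAGIC_DEAD 0x44454144u

struct resolver;

/* One pending DNS lookup; hypothetical stand-in for the trace's reslist block. */
struct reslist {
    unsigned magic;                 /* LIVE while allocated, DEAD once released */
    int fd;                         /* client connection this lookup belongs to */
    struct reslist *next;
    void (*callback)(struct resolver *, struct reslist *, int ok);
};

struct resolver {
    struct reslist *head;           /* pending requests */
    struct reslist *quarantine;     /* released blocks, kept so a stale use is detectable */
    int uaf_detected;               /* set when a released block is touched again */
    int frees;                      /* number of releases performed */
};

static struct reslist *make_request(struct resolver *r, int fd,
                                    void (*cb)(struct resolver *, struct reslist *, int))
{
    struct reslist *req = calloc(1, sizeof *req);
    if (!req) abort();
    req->magic = MAGIC_LIVE;
    req->fd = fd;
    req->callback = cb;
    req->next = r->head;
    r->head = req;
    return req;
}

/* Detach req from the pending list without releasing it. */
static void unlink_request(struct resolver *r, struct reslist *req)
{
    for (struct reslist **pp = &r->head; *pp; pp = &(*pp)->next)
        if (*pp == req) { *pp = req->next; return; }
}

/* Stand-in for free(): poison the block and park it in the quarantine. */
static void release_request(struct resolver *r, struct reslist *req)
{
    req->magic = MAGIC_DEAD;
    req->next = r->quarantine;
    r->quarantine = req;
    r->frees++;
}

/* Model of rem_request(): unlink, then release. The magic check stands in for
 * the invalid read valgrind reported inside dlinkDelete(). */
static void rem_request(struct resolver *r, struct reslist *req)
{
    if (req->magic != MAGIC_LIVE) { r->uaf_detected = 1; return; }
    unlink_request(r, req);
    release_request(r, req);
}

/* Model of fd_close() -> delete_resolver_queries(): drop every lookup for fd. */
static void delete_resolver_queries(struct resolver *r, int fd)
{
    struct reslist *p = r->head;
    while (p) {
        struct reslist *next = p->next;
        if (p->fd == fd) rem_request(r, p);
        p = next;
    }
}

/* Client callback: a failed lookup tears the connection down, which (as in the
 * trace: auth_error -> fd_close) deletes the pending queries for that fd. */
static void auth_connect_callback(struct resolver *r, struct reslist *req, int ok)
{
    if (!ok) delete_resolver_queries(r, req->fd);
}

/* Ordering seen in the trace: run the callback, then remove the request. */
static void res_readreply_buggy(struct resolver *r, struct reslist *req, int ok)
{
    req->callback(r, req, ok);
    rem_request(r, req);            /* req may already have been released by the callback */
}

/* Safe ordering: unlink first so the callback cannot find and release req,
 * then release it ourselves once the callback has returned. */
static void res_readreply_fixed(struct resolver *r, struct reslist *req, int ok)
{
    unlink_request(r, req);
    req->callback(r, req, ok);
    release_request(r, req);
}

/* Drive one failed lookup (constructed input: fd 7) through either path.
 * Returns 1 if a stale use occurred; *frees_out receives the release count. */
int run_scenario(int fixed, int *frees_out)
{
    struct resolver r = {0};
    struct reslist *req = make_request(&r, 7, auth_connect_callback);
    if (fixed) res_readreply_fixed(&r, req, 0);
    else       res_readreply_buggy(&r, req, 0);
    for (struct reslist *p = r.quarantine; p; ) { struct reslist *n = p->next; free(p); p = n; }
    if (frees_out) *frees_out = r.frees;
    return r.uaf_detected;
}

int frees_for(int fixed) { int f = 0; run_scenario(fixed, &f); return f; }

int main(void)
{
    int uaf = run_scenario(0, NULL);
    printf("buggy ordering: stale use=%d releases=%d\n", uaf, frees_for(0));
    uaf = run_scenario(1, NULL);
    printf("fixed ordering: stale use=%d releases=%d\n", uaf, frees_for(1));
    return 0;
}
```

Both orderings release the block exactly once; the difference is only whether the handler still dereferences it afterwards, which is why the crash site is dlinkDelete() and not free(). Any re-entrant path (timeout, fd close, client exit) that can reach rem_request() from inside the callback needs the same treatment.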