[Xorp-hackers] Xorp FEA crash

Ben Greear greearb at candelatech.com
Tue Jul 15 15:24:03 PDT 2008


NOTE:  This is with my patches applied, so it could
be my fault.  But, it looks like it could be a generic
problem.

I'm getting a crash in io_ip_socket.cc while trying to
send a packet.  The crash is because cmsgp is NULL.

It looks like CMSG_NXTHDR can return NULL if there
is no more space available, so the code should probably
check for NULL and take evasive action....

	//
	// Set the TTL
	//
crash is here:
	cmsgp->cmsg_len = CMSG_LEN(sizeof(int));

	cmsgp->cmsg_level = IPPROTO_IPV6;
	cmsgp->cmsg_type = IPV6_HOPLIMIT;
	int_val = ip_ttl;
	embed_host_int(CMSG_DATA(cmsgp), int_val);
	cmsgp = CMSG_NXTHDR(&_sndmh, cmsgp);

Full backtrace:

#0  0x081358ec in IoIpSocket::send_packet (this=0x8478b40, if_name=@0x849f1c8, vif_name=@0x84a01a8,
     src_address=@0xbf8437d0, dst_address=@0xbf8437bc, ip_ttl=1, ip_tos=0, ip_router_alert=true,
     ip_internet_control=true, ext_headers_type=@0xbf84378c, ext_headers_payload=@0xbf843780,
     payload=@0x844b708, error_msg=@0xbf84170c) at io_ip_socket.cc:2529
#1  0x080a8a92 in IoIpComm::send_packet (this=0x8478ac0, if_name=@0x849f1c8, vif_name=@0x84a01a8,
     src_address=@0xbf8437d0, dst_address=@0xbf8437bc, ip_ttl=1, ip_tos=-1, ip_router_alert=true,
     ip_internet_control=true, ext_headers_type=@0xbf84378c, ext_headers_payload=@0xbf843780,
     payload=@0x844b708, error_msg=@0xbf843798) at io_ip_manager.cc:311
#2  0x080a8f8d in IoIpManager::send (this=0xbf84fec4, if_name=@0x849f1c8, vif_name=@0x84a01a8,
     src_address=@0xbf8437d0, dst_address=@0xbf8437bc, ip_protocol=58 ':', ip_ttl=1, ip_tos=-1,
     ip_router_alert=true, ip_internet_control=true, ext_headers_type=@0xbf84378c,
     ext_headers_payload=@0xbf843780, payload=@0x844b708, error_msg=@0xbf843798) at io_ip_manager.cc:851
#3  0x0805436a in XrlFeaTarget::raw_packet6_0_1_send (this=0xbf8508b8, if_name=@0x849f1c8,
     vif_name=@0x84a01a8, src_address=@0x84a22f0, dst_address=@0x849e0a0, ip_protocol=@0x8398344,
     ip_ttl=@0x849e8e4, ip_tos=@0x8398504, ip_router_alert=@0x849f1ec, ip_internet_control=@0x849f20c,
     ext_headers_type=@0x849e360, ext_headers_payload=@0x84a0348, payload=@0x844b708) at xrl_fea_target.cc:3388
#4  0x081adf23 in XrlFeaTargetBase::handle_raw_packet6_0_1_send (this=0xbf8508b8, xa_inputs=@0xbf8478ac)
     at fea_base.cc:4546
#5  0x081c5591 in XorpMemberCallback2B0<XrlCmdError const, XrlFeaTargetBase, XrlArgs const&, XrlArgs*>::dispatch (this=0x84313b8, a1=@0xbf8478ac, a2=0xbf847890) at ../../libxorp/callback_nodebug.hh:4615
#6  0x0826b0a9 in XrlCmdEntry::dispatch (this=0x843140c, inputs=@0xbf8478ac, outputs=0xbf847890)
     at xrl_cmd_map.hh:37
#7  0x08271b9e in XrlDispatcher::dispatch_xrl (this=0xbf84fa0c, method_name=@0xbf847820, inputs=@0xbf8478ac,
     outputs=@0xbf847890) at xrl_dispatcher.cc:60
#8  0x082561d5 in XrlRouter::dispatch_xrl (this=0xbf84fa0c, method_name=@0xbf8478a8, inputs=@0xbf8478ac,
     outputs=@0xbf847890) at xrl_router.cc:587
#9  0x0827a127 in STCPRequestHandler::dispatch_request (this=0x849f820, seqno=4, packed_xrl=0xb7c7d46e "?",
     packed_xrl_bytes=343) at xrl_pf_stcp.cc:239
#10 0x0827a7fd in STCPRequestHandler::read_event (this=0x849f820, ev=BufferedAsyncReader::DATA,
     buffer=0xb7c7d456 "STCP\001\001", buffer_bytes=367) at xrl_pf_stcp.cc:202
#11 0x0827be3c in XorpMemberCallback4B0<void, STCPRequestHandler, BufferedAsyncReader*, BufferedAsyncReader::Event, unsigned char*, unsigned int>::dispatch (this=0x849f6f8, a1=0x849f828, a2=BufferedAsyncReader::DATA,
     a3=0xb7c7d456 "STCP\001\001", a4=367) at ../libxorp/callback_nodebug.hh:8965
Missing separate debuginfos, use: debuginfo-install gcc.i386 glibc.i686 ncurses.i386 openssl.i686 zlib.i386
---Type <return> to continue, or q <return> to quit---
#12 0x082a0f3f in BufferedAsyncReader::announce_event (this=0x849f828, ev=BufferedAsyncReader::DATA)
     at buffered_asyncio.cc:251
#13 0x082a127e in BufferedAsyncReader::io_event (this=0x849f828, fd={_filedesc = 44}, type=IOT_READ)
     at buffered_asyncio.cc:204
#14 0x082a1b0e in XorpMemberCallback2B0<void, BufferedAsyncReader, XorpFd, IoEventType>::dispatch (
     this=0x84a1f60, a1={_filedesc = 44}, a2=IOT_READ) at ../libxorp/callback_nodebug.hh:4635
#15 0x082bdada in SelectorList::Node::run_hooks (this=0x84a0fb8, m=SEL_RD, fd={_filedesc = 44})
     at selector.cc:149
#16 0x082bc745 in SelectorList::wait_and_dispatch (this=0xbf850938, timeout=@0xbf84f99c) at selector.cc:435
#17 0x082a348e in EventLoop::run (this=0xbf8508fc) at eventloop.cc:97
#18 0x0804d222 in fea_main (finder_hostname=@0xbf850b20, finder_port=19999) at xorp_fea.cc:101
#19 0x0804d508 in main (argc=0, argv=0xbf850be8) at xorp_fea.cc:175
(gdb) frame 0
#0  0x081358ec in IoIpSocket::send_packet (this=0x8478b40, if_name=@0x849f1c8, vif_name=@0x84a01a8,
     src_address=@0xbf8437d0, dst_address=@0xbf8437bc, ip_ttl=1, ip_tos=0, ip_router_alert=true,
     ip_internet_control=true, ext_headers_type=@0xbf84378c, ext_headers_payload=@0xbf843780,
     payload=@0x844b708, error_msg=@0xbf84170c) at io_ip_socket.cc:2529
2529    in io_ip_socket.cc
(gdb) print smsgp
No symbol "smsgp" in current context.
(gdb) print cmsgp
$1 = (cmsghdr *) 0x0
(gdb)



-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
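
Added example, not part of the original post and not XORP code: one way to fill a control buffer so that a NULL from CMSG_FIRSTHDR or CMSG_NXTHDR becomes an error return instead of a NULL dereference. The helper names (cmsg_append, options_that_fit), the 256-byte buffer and the use of IPV6_TCLASS as a second option are assumptions made for illustration.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: append one ancillary item after *prev (NULL = first).
 * Returns 0 on success, -1 if the control buffer has no room for it. */
static int cmsg_append(struct msghdr *mh, struct cmsghdr **prev, int level,
                       int type, const void *data, size_t len)
{
    struct cmsghdr *c = *prev ? CMSG_NXTHDR(mh, *prev) : CMSG_FIRSTHDR(mh);
    unsigned char *end = (unsigned char *)mh->msg_control + mh->msg_controllen;

    if (c == NULL)      /* no room for another header: the case in the report */
        return -1;
    /* A non-NULL header only promises room for the header, not for the data. */
    if ((size_t)(end - (unsigned char *)c) < CMSG_SPACE(len))
        return -1;
    c->cmsg_level = level;
    c->cmsg_type = type;
    c->cmsg_len = CMSG_LEN(len);
    memcpy(CMSG_DATA(c), data, len);
    *prev = c;
    return 0;
}

/* Queue up to `want` int-sized IPv6 options into `buflen` bytes (<= 256,
 * a constructed capacity) and return how many actually fit. */
static int options_that_fit(size_t buflen, int want)
{
    union { struct cmsghdr align; unsigned char bytes[256]; } buf;
    struct msghdr mh;
    struct cmsghdr *prev = NULL;
    int val = 1, n = 0;

    memset(&buf, 0, sizeof(buf)); /* some libcs read the next header's cmsg_len */
    memset(&mh, 0, sizeof(mh));
    mh.msg_control = buf.bytes;
    mh.msg_controllen = buflen;
    for (; n < want; n++) {
        int type = (n % 2) ? IPV6_TCLASS : IPV6_HOPLIMIT;
        if (cmsg_append(&mh, &prev, IPPROTO_IPV6, type, &val, sizeof(val)) < 0)
            break;      /* caller returns an error instead of dereferencing NULL */
    }
    return n;
}

int main(void)
{
    printf("%d of 3 fit\n", options_that_fit(2 * CMSG_SPACE(sizeof(int)), 3));
    return 0;
}
```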


