Bugginess since crypto changes

Scott Lamb slamb at slamb.org
Fri Jul 20 19:45:59 CEST 2007


I'm looking over the tinc-1.1 branch again. I'm getting some errors that
I haven't been able to track down yet. tinc sometimes crashes either on
its own (I think after a timeout has fired?) or when I
hit ctrl-C. I've seen a few different behaviors in particular, as
reported by valgrind. Dumps below.

I suspected the bufferevent changes, but I haven't gotten any revision
before 1550 to crash. Looks like revisions 1546 and up started adding
new crypto code, but 1550 was the first to actually use it. 1550
definitely crashes.

How well-tested is this stuff? Have you seen crashes like this?

I'll keep looking for the problem. I'm working on {tincctl,control}.c
changes in another working copy, but I don't want to muddy the waters by
committing anything significant when there's still a crash going on.

crash 1:

==28913== Invalid read of size 8
==28913==    at 0x412150: list_unlink_node (list.c:97)
==28913==    by 0x412278: list_delete_node (list.c:111)
==28913==    by 0x407143: flush_queue (net_packet.c:451)
==28913==    by 0x40E2AE: ans_key_h (protocol_key.c:239)
==28913==    by 0x40BC58: receive_request (protocol.c:157)
==28913==    by 0x405B87: receive_meta (meta.c:138)
==28913==    by 0x406867: handle_meta_connection_data (net.c:225)
==28913==    by 0x4C0FAC0: event_base_loop (event.c:318)
==28913==    by 0x40601F: main_loop (net.c:374)
==28913==    by 0x411853: main (tincd.c:329)
==28913==  Address 0x9E8DE1BDD5EA3BE6 is not stack'd, malloc'd or (recently) free'd

(The "Invalid read of size 8" is the "prev" pointer; this is on
Linux/x86_64.)

crash 2:

==931== Jump to the invalid address stated on the next line
==931==    at 0x771BBEEEFD5804F2: ???
==931==  Address 0x771BBEEEFD5804F2 is not stack'd, malloc'd or (recently) free'd

crash 3:

==4264== Invalid read of size 4
==4264==    at 0x4C1BBAD: evsignal_process (signal.c:172)
==4264==    by 0x4C1B7C9: epoll_dispatch (epoll.c:201)
==4264==    by 0x4C0F97E: event_base_loop (event.c:427)
==4264==    by 0x40601F: main_loop (net.c:374)
==4264==    by 0x411853: main (tincd.c:329)
==4264==  Address 0x104CA62EC is not stack'd, malloc'd or (recently) free'd

Best regards,
Scott

-- 
Scott Lamb <http://www.slamb.org/>