
[gftp] Re: Coredump during ssh filetransfer



On Sat, Oct 25, 2003 at 02:06:44PM +0200, Oliver Lehmann wrote:
> Hi,
> 
> gftp coredumped when I try to transfer the output of a "cvs log <file> > file".
> The gftp 16pre0 version was used. I also can share a kernel trace if you want.

I finally got my DEC alpha running FreeBSD 4.8 out of the closet today and I
was able to start looking at this. A temporary fix for this bug: in the
file lib/sshv2.c, in the function sshv2_put_next_file_chunk(), add a static
declaration for tempstr. So, it will become:

  static char tempstr[32768];

and that seems to "fix" it. From what I could tell, whenever the static
declaration was not there, it was segfaulting in a library outside of gftp.
When the segfault happens, part of the first argument (request) was copied
over.  In sshv2_send_command(), request has the value 0x8144400, but if I go
up a frame in gdb, it was the proper value of 0x8144600. The type, command
and len arguments always have random data. It seems like it's segfaulting in
setting up the call frame. I'll keep looking into this.

Brian


> olivleh1@kartoffel qmail-howto> gdb /usr/local/bin/gftp-gtk gftp-gtk.core 
> GNU gdb 4.18 (FreeBSD)
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-unknown-freebsd"...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 2627 in elfstab_build_psymtabs
> Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 933 in fill_symbuf
> 
> Core was generated by `gftp-gtk'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/X11R6/lib/libgtk12.so.2...done.
> Reading symbols from /usr/X11R6/lib/libgdk12.so.2...done.
> Reading symbols from /usr/local/lib/libgmodule12.so.3...done.
> Reading symbols from /usr/local/lib/libglib12.so.3...done.
> Reading symbols from /usr/local/lib/compat/pkg/libintl.so.4...done.
> Reading symbols from /usr/X11R6/lib/libXext.so.6...done.
> Reading symbols from /usr/X11R6/lib/libX11.so.6...done.
> Reading symbols from /usr/lib/libm.so.2...done.
> Reading symbols from /usr/lib/libc_r.so.4...done.
> Reading symbols from /usr/lib/libutil.so.3...done.
> Reading symbols from /usr/local/lib/libgthread12.so.3...done.
> Reading symbols from /usr/lib/libc.so.4...done.
> Reading symbols from /usr/local/lib/compat/pkg/libintl.so.2...done.
> Reading symbols from /usr/local/lib/libiconv.so.3...done.
> Reading symbols from /usr/X11R6/lib/libXThrStub.so.6...done.
> Reading symbols from /usr/X11R6/lib/X11/locale/common/xlcDef.so.2...done.
> Reading symbols from /usr/X11R6/lib/X11/locale/common/ximcp.so.2...done.
> Reading symbols from /usr/X11R6/lib/gtk/themes/engines/libxfce.so...done.
> Reading symbols from /usr/libexec/ld-elf.so.1...done.
> #0  0x28395f92 in memcpy () from /usr/lib/libc_r.so.4
> (gdb) bt
> #0  0x28395f92 in memcpy () from /usr/lib/libc_r.so.4
> #1  0xbfafcfbc in ?? ()
> #2  0x807557f in sshv2_put_next_file_chunk (request=0x8144400, 
>     buf=0xbfafcfbc "\nRCS file: /usr/local/cvsroot/docs/qmail-howto/versions.ent,v\nWorking file: versions.ent\nhead: 1.45\nbranch:\nlocks: strict\naccess list:\nsymbolic names:\n\tv0_99: 1.38.0.2\n\tstart: 1.1.1.1\n\tolli: 1.1.1\nkey"..., size=8192) at sshv2.c:2189
> #3  0x80697de in gftp_put_next_file_chunk (request=0x8144400, 
>     buf=0xbfafcfbc "\nRCS file: /usr/local/cvsroot/docs/qmail-howto/versions.ent,v\nWorking file: versions.ent\nhead: 1.45\nbranch:\nlocks: strict\naccess list:\nsymbolic names:\n\tv0_99: 1.38.0.2\n\tstart: 1.1.1.1\n\tolli: 1.1.1\nkey"..., size=8192) at protocols.c:260
> #4  0x8060c1f in gftp_gtk_transfer_files (data=0x80a2900) at transfer.c:688
> #5  0x2832211c in _thread_start () from /usr/lib/libc_r.so.4
> #6  0x0 in ?? ()
> (gdb) up 2
> #2  0x807557f in sshv2_put_next_file_chunk (request=0x8144400, 
>     buf=0xbfafcfbc "\nRCS file: /usr/local/cvsroot/docs/qmail-howto/versions.ent,v\nWorking file: versions.ent\nhead: 1.45\nbranch:\nlocks: strict\naccess list:\nsymbolic names:\n\tv0_99: 1.38.0.2\n\tstart: 1.1.1.1\n\tolli: 1.1.1\nkey"..., size=8192) at sshv2.c:2189
> 2189      if (sshv2_send_command (request, SSH_FXP_WRITE, tempstr, params->handle_len + size + 12) < 0)
> (gdb) list
> 2184     
> 2185      num = htonl (size);
> 2186      memcpy (tempstr + params->handle_len + 8, &num, 4);
> 2187      memcpy (tempstr + params->handle_len + 12, buf, size);
> 2188      
> 2189      if (sshv2_send_command (request, SSH_FXP_WRITE, tempstr, params->handle_len + size + 12) < 0)
> 2190        {
> 2191          g_free (tempstr);
> 2192          return (GFTP_ERETRYABLE);
> 2193        }
> (gdb) print buf
> $1 = 0xbfaedffd ""
> (gdb) print size
> $2 = 8192
> (gdb) print num
> $3 = 8216
> (gdb) print params
> $4 = (sshv2_params *) 0xbfaf6514
> (gdb) print *params
> $5 = {
>   handle = " hints\n", '-' <repeats 28 times>, "\nrevision 1.15\ndate: 2002/02/07 16:13:40;  author: olivleh1;  state: Exp;  lines: +1 -2\nqmailadmin port is up-to-date.\nso remove the \"do it yourself\" compiling stuff\n", '-' <repeats 28 times>, "\nrevisi"..., handle_len = 976630048, dont_log_status = 0, message = {
>     length = 538983223, command = 97 'a', buffer = 0x203a726f <Address 0x203a726f out of bounds>, pos = 0x76696c6f <Address 0x76696c6f out of bounds>, 
>     end = 0x3168656c <Address 0x3168656c out of bounds>}, id = 1931485243, count = 1702125940, initialized = 0, offset = 7308895158385261424, 
>   read_buffer = 0x2b203a73 <Address 0x2b203a73 out of bounds>}
> (gdb)  print size
> $6 = 8192
> 
> 
> -- 
>  Oliver Lehmann
>         @home: lehmann@ans-netz.de
>       @office: oliver.lehmann@mgi.de
>          @www: http://www.pofo.de/  |  http://wishlist.ans-netz.de/
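The gdb listing above copies the handle, the chunk length and the chunk itself into a fixed 32768-byte tempstr with no check that they fit, and the dumped params struct (handle_len = 976630048, handle filled with file text) is what an overrun of that buffer into neighbouring stack data looks like. The following is an added example, not gftp's code or the thread's: a hypothetical build_write_packet() that assembles the same layout the listing shows (handle, 8-byte offset, 4-byte length, data) but refuses any combination that would not fit, and never calls g_free on a non-heap array as the listing does. The 8-byte-offset-then-length layout and the sample handle are assumptions; the outer length/type/id framing is left to the send routine, as in the listing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define TEMPSTR_SIZE 32768   /* same size as the tempstr in the listing */

/* Assemble the SSH_FXP_WRITE body into out[]. Returns the body length,
 * or -1 when handle + 8-byte offset + 4-byte length + data would not fit.
 * The three comparisons are ordered so the arithmetic can never wrap. */
int build_write_packet(char *out, size_t out_size,
                       const char *handle, size_t handle_len,
                       uint64_t offset, const char *buf, size_t size)
{
    uint32_t num;

    if (handle_len > out_size ||            /* also rejects a garbage handle_len */
        size > out_size - handle_len ||
        out_size - handle_len - size < 12)  /* room for offset (8) + length (4) */
        return -1;

    memcpy(out, handle, handle_len);                      /* handle, as stored */
    num = htonl((uint32_t)(offset >> 32));                /* offset, high word */
    memcpy(out + handle_len, &num, 4);
    num = htonl((uint32_t)(offset & 0xffffffffu));        /* offset, low word */
    memcpy(out + handle_len + 4, &num, 4);
    num = htonl((uint32_t)size);                          /* same as the listing */
    memcpy(out + handle_len + 8, &num, 4);
    memcpy(out + handle_len + 12, buf, size);             /* same as the listing */
    return (int)(handle_len + size + 12);
}

/* Constructed sample: an 8-byte handle plus the 8192-byte chunk from the
 * backtrace fits comfortably, so the body is 8 + 12 + 8192 = 8212 bytes. */
int demo_fits(void)
{
    static char out[TEMPSTR_SIZE];
    static char chunk[8192];
    const char handle[8] = {0, 0, 0, 4, 'h', 'n', 'd', 'l'};  /* constructed */
    memset(chunk, 'A', sizeof chunk);
    return build_write_packet(out, sizeof out, handle, sizeof handle,
                              0, chunk, sizeof chunk);
}

/* Constructed sample: a chunk as large as the whole buffer cannot fit once
 * the handle and header are added, so the call is refused instead of
 * overrunning out[] the way the unchecked memcpy in the listing would. */
int demo_overflow(void)
{
    static char out[TEMPSTR_SIZE];
    static char chunk[TEMPSTR_SIZE];
    const char handle[8] = {0, 0, 0, 4, 'h', 'n', 'd', 'l'};  /* constructed */
    return build_write_packet(out, sizeof out, handle, sizeof handle,
                              0, chunk, sizeof chunk);
}
```

The same check, placed before the memcpy calls at sshv2.c:2186-2187, would turn the silent stack corruption into a clean GFTP_ERETRYABLE-style error return, which is also the point where a corrupted params->handle_len becomes detectable.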