CESNET / libnetconf

C NETCONF library

Crash when exiting several subscribed sessions at the same time #201

Closed ntadas closed 8 years ago

ntadas commented 8 years ago

Hi,

I have a new crash when exiting several sessions at the same time (in this case 3). In the backtrace I have:

```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x4c7ff480 (LWP 2090)]
0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa330b1) at src/session.c:483
483     src/session.c: No such file or directory.
(gdb) backtrace
#0  0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa330b1) at src/session.c:483
#1  0x0f33cf7c in nc_session_free (session=0x4be91b40) at src/session.c:1365
#2  0x0fc75c64 in NetconfSession::~NetconfSession (this=0x1010ec08, __in_chrg=) at
...
(gdb) frame 1
(gdb) print litem->offset_prev
$7 = 1331121664
```

Still something is wrong with the linked lists. I'll try to debug the issue a little bit more; if I find something I'll update the post. (Not sure, maybe it's an issue with the last session being deleted?)

ntadas commented 8 years ago

This crash still happens, even with the fix for #199.

```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x4c7ff480 (LWP 2102)]
0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa33138) at src/session.c:483
483     src/session.c: No such file or directory.
(gdb) backtrace
#0  0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa33138) at src/session.c:483
#1  0x0f33d0b0 in nc_session_free (session=0x4ac0c988) at src/session.c:1401
#2  0x0fc75c64 in NetconfSession::~NetconfSession (this=0x100afc00,
...
(gdb) frame 1
#1  0x0f33d0b0 in nc_session_free (session=0x4ac0c988) at src/session.c:1401
1401    in src/session.c
(gdb) print aux->offset_next
No symbol "aux" in current context.
(gdb) frame 0
#0  0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa33138) at src/session.c:483
483     in src/session.c
(gdb) print aux->offset_next
Cannot access memory at address 0xfb4be33c
(gdb) print litem->offset_prev
$1 = 1331121664
```

I'm still trying to understand the pattern for this to happen, but it has to do with deleting and creating some subscriptions.

ntadas commented 8 years ago

Found the issue :) While doing some debugging and some code inspection I noticed the following:

If hostname or username is NULL you write UNKNOWN, but you have only allocated 1 byte for each one. This will cause the overwrite of the following entry.

In my debugging I noticed that the crash only happens if I delete the first session, create it again and then try to delete the second session (in my target the hostname is not defined). Additionally, if you look at the litem->offset_prev in the previous post, it converts to hex 4f 57 4e 00, which in ASCII matches OWN\0 (from UNKNOWN).
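An added example (editor's illustration, not libnetconf code or the reporter's) that models the overflow described in the comment above: a slot sized for an empty string receives the 8-byte string "UNKNOWN", so the seven surplus bytes land in whatever the allocator placed next. The constructed arena, the 4-byte distance from the slot to the neighbour's `offset_prev` field and all function names are assumptions; real heap padding differs. The decoding helper reproduces the OWN\0 reading of 1331121664 from the earlier post, which only works out if the target stores integers big-endian, so the example assumes that too. `dup_or_unknown` shows the correctly sized allocation.

```c
/* Added example, not libnetconf's own code. Models the 1-byte
 * allocation that receives "UNKNOWN" and shows what the next object
 * on the heap looks like afterwards. Layout and names are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define UNKNOWN_STR "UNKNOWN"   /* 7 chars + NUL = 8 bytes */
#define SLOT_SIZE   1           /* what the buggy code allocated */
#define ITEM_OFFSET 4           /* assumed distance to the neighbour's
                                   offset_prev field inside the arena */

/* Simulates the bug inside a caller-provided arena (constructed model of
 * two adjacent heap objects) so the overflow stays well-defined and
 * observable here. Copies "UNKNOWN" into a slot that is only SLOT_SIZE
 * bytes long and returns the big-endian 32-bit value that now sits where
 * the neighbouring list item's offset_prev lives. Returns 0 if the arena
 * is too small to hold both objects. */
static uint32_t simulate_overflow(uint8_t *arena, size_t arena_len)
{
    if (arena_len < ITEM_OFFSET + 4 || arena_len < sizeof(UNKNOWN_STR))
        return 0;
    memset(arena, 0, arena_len);
    /* sizeof(UNKNOWN_STR) == 8 > SLOT_SIZE: bytes 1..7 clobber the neighbour */
    memcpy(arena, UNKNOWN_STR, sizeof(UNKNOWN_STR));
    const uint8_t *p = arena + ITEM_OFFSET;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Fixed pattern: size the allocation from the string actually stored.
 * Returns a heap copy of s, or of "UNKNOWN" when s is NULL; caller frees. */
static char *dup_or_unknown(const char *s)
{
    const char *src = s ? s : UNKNOWN_STR;
    size_t len = strlen(src) + 1;
    char *out = malloc(len);
    if (out)
        memcpy(out, src, len);
    return out;
}

/* Number of bytes the fixed pattern allocates for s (8 for NULL). */
static size_t needed_size(const char *s)
{
    return strlen(s ? s : UNKNOWN_STR) + 1;
}

/* Decodes a 32-bit value the way the thread did: as four big-endian
 * bytes, so 1331121664 (0x4F574E00) reads back as "OWN". out must hold
 * 5 bytes and is always NUL-terminated. */
static void decode_be32_ascii(uint32_t v, char out[5])
{
    out[0] = (char)(v >> 24);
    out[1] = (char)(v >> 16);
    out[2] = (char)(v >> 8);
    out[3] = (char)v;
    out[4] = '\0';
}
```

The constructed arena stands in for two adjacent heap chunks; on a real allocator the distance between the 1-byte slot and the next chunk's fields depends on chunk headers and alignment, which is why the crash in the thread only appeared for one particular create/delete ordering.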

rkrejci commented 8 years ago

Good job! Please verify that the just committed patch really fixes the issue.