NICMx / FORT-validator

RPKI cache validator
MIT License

double free in certstack_destroy()? #55

Closed (job closed this 3 years ago)

job commented 3 years ago

Tested on OpenBSD 7.0.

Is the right type of list being used?

(gdb) run --tal=/home/job/source/rpkimancer/loopki/tals/TA.tal
Starting program: /usr/local/bin/fort --tal=/home/job/source/rpkimancer/loopki/tals/TA.tal
Error while reading shared library symbols:
Dwarf Error: wrong version in compilation unit header (is 4, should be 2) [in module /usr/libexec/ld.so]
Aug 30 18:00:16 INF: Disabling validation logging on syslog.
Aug 30 18:00:16 INF: Disabling validation logging on standard streams.
Aug 30 18:00:16 INF: Console log output configured; disabling operation logging on syslog.
Aug 30 18:00:16 INF: (Operation Logs will be sent to the standard streams only.)
Aug 30 18:00:16 WRN: First validation cycle has begun, wait until the next notification to connect your router(s)
[New process 7532]
fort(7532) in free(): chunk is already free 0xe416811bb0
Program received signal SIGABRT, Aborted.
[Switching to thread 502378]
thrkill () at /tmp/-:3
3       /tmp/-: No such file or directory.
        in /tmp/-
Current language:  auto; currently asm
(gdb) bt
#0  thrkill () at /tmp/-:3
#1  0x000000e3970eb08e in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#2  0x000000e3970ba386 in wrterror (d=Variable "d" is not available.
) at /usr/src/lib/libc/stdlib/malloc.c:307
#3  0x000000e3970bdd1a in find_chunknum (d=Variable "d" is not available.
) at /usr/src/lib/libc/stdlib/malloc.c:1066
#4  0x000000e3970ba8e9 in ofree (argpool=0xe428639b00, p=0xe416811bb0, clear=0, check=Variable "check" is not available.
) at /usr/src/lib/libc/stdlib/malloc.c:1409
#5  0x000000e3970ba5cb in free (ptr=0xe416811bb0) at /usr/src/lib/libc/stdlib/malloc.c:1470
#6  0x000000e12bd1c5ed in certstack_destroy (stack=0xe4167f4ae0) at cert_stack.c:215
#7  0x000000e12bd26825 in validation_destroy (state=0xe416813c00) at state.c:156
#8  0x000000e12bd34b42 in handle_tal_uri (tal=Variable "tal" is not available.
) at object/tal.c:633
#9  0x000000e12bd347d6 in do_file_validation (thread_arg=Variable "thread_arg" is not available.
) at object/tal.c:643
#10 0x000000e12bd45c4b in tasks_poll (arg=0xe381c2bc00) at thread/thread_pool.c:224
#11 0x000000e40d93ec11 in _rthread_start (v=Unhandled dwarf expression opcode 0xa3
) at /usr/src/lib/librthread/rthread.c:96
#12 0x000000e3970ed7da in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84
#13 0x000000e3970ed7da in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84
Previous frame identical to this frame (corrupt stack?)
(gdb) up 6
#6  0x000000e12bd1c5ed in certstack_destroy (stack=0xe4167f4ae0) at cert_stack.c:215
215                     free(level);
Current language:  auto; currently minimal
(gdb) list
210
211             stack_size = 0;
212             while (!SLIST_EMPTY(&stack->levels)) {
213                     level = SLIST_FIRST(&stack->levels);
214                     SLIST_REMOVE_HEAD(&stack->levels, next);
215                     free(level);
216                     stack_size++;
217             }
218             pr_val_debug("Deleted %u stacked levels.", stack_size);

ydahhrk commented 3 years ago

Sorry; I'll force this into my schedule tomorrow.

Couldn't find the bug at a quick glance. Does this happen reliably? Any special pointers as to how to reproduce it? (Aside from OpenBSD 7)

ydahhrk commented 3 years ago

Never mind; I might have found it. BRB

ydahhrk commented 3 years ago

> Is the right type of list being used?

Hmm. To be honest, I don't really get why this data structure was added in the first place. Seems like it could be merged with one of the adjacent lists. I'll investigate tomorrow, but regardless, there's a decent chance it will not crash anymore.

Code is at the issue55 branch. Feedback?
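The loop in frame #6 of the backtrace unlinks each SLIST head and frees it, so a level that is also reachable from a second list (the "adjacent list" mentioned above) would be handed to free() twice. The following is an added example, not FORT's code: it uses a hypothetical `struct level` / `struct cert_stack` pair and a hypothetical borrowing `view` list (all assumptions) to show the same `<sys/queue.h>` pattern with exactly one owning list, so each node is released once no matter how many lists point at it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/* Hypothetical stand-in for a certificate-stack level (assumption, not the
 * project's own struct). A node may be linked into two lists, but only one
 * of them (`levels`) owns it and is allowed to free it. */
struct level {
    unsigned int depth;
    SLIST_ENTRY(level) next;       /* link in the owning list              */
    SLIST_ENTRY(level) view_next;  /* link in a borrowing, non-owning list */
};

SLIST_HEAD(level_list, level);

struct cert_stack {
    struct level_list levels;  /* owns every node; the only list that frees */
    struct level_list view;    /* borrows nodes from `levels`; never frees  */
};

void certstack_init(struct cert_stack *stack)
{
    SLIST_INIT(&stack->levels);
    SLIST_INIT(&stack->view);
}

/* Allocate one level and link it into both lists. Returns 0 or -1 on OOM. */
int certstack_push(struct cert_stack *stack, unsigned int depth)
{
    struct level *level = malloc(sizeof(*level));
    if (level == NULL)
        return -1;
    level->depth = depth;
    SLIST_INSERT_HEAD(&stack->levels, level, next);
    SLIST_INSERT_HEAD(&stack->view, level, view_next);
    return 0;
}

/* Unlink the top of the borrowing list WITHOUT freeing it: the node is still
 * reachable through `levels`, which stays responsible for releasing it.
 * Returns the depth of the unlinked level, or -1 if the view was empty. */
int certstack_pop_view(struct cert_stack *stack)
{
    struct level *level = SLIST_FIRST(&stack->view);
    if (level == NULL)
        return -1;
    SLIST_REMOVE_HEAD(&stack->view, view_next);
    return (int)level->depth;
}

unsigned int certstack_view_size(const struct cert_stack *stack)
{
    const struct level *level;
    unsigned int n = 0;
    SLIST_FOREACH(level, &stack->view, view_next)
        n++;
    return n;
}

/* Release every level exactly once, through the owning list only. Walking
 * `view` with the same unlink-and-free loop would pass the same chunk to
 * free() a second time, which is the "chunk is already free" abort that
 * OpenBSD's malloc raised in the report. Returns the number of levels freed. */
unsigned int certstack_destroy(struct cert_stack *stack)
{
    struct level *level;
    unsigned int stack_size = 0;

    /* Drop the borrowed references first so no dangling pointer survives. */
    SLIST_INIT(&stack->view);

    while (!SLIST_EMPTY(&stack->levels)) {
        level = SLIST_FIRST(&stack->levels);
        SLIST_REMOVE_HEAD(&stack->levels, next);
        free(level);
        stack_size++;
    }
    return stack_size;
}

/* Exercise the ownership invariant: push 3, pop one borrowed reference,
 * destroy. Returns the number of levels freed (3), or -1 on any mismatch. */
int certstack_selfcheck(void)
{
    struct cert_stack stack;
    unsigned int freed;

    certstack_init(&stack);
    if (certstack_push(&stack, 0) || certstack_push(&stack, 1) ||
        certstack_push(&stack, 2))
        return -1;
    if (certstack_view_size(&stack) != 3 || certstack_pop_view(&stack) != 2)
        return -1;
    freed = certstack_destroy(&stack);
    if (!SLIST_EMPTY(&stack.levels) || !SLIST_EMPTY(&stack.view))
        return -1;
    return (int)freed;
}

int main(void)
{
    printf("freed %d levels\n", certstack_selfcheck());
    return 0;
}
```

The design choice is that every node has a single owner list and every other list is documented as borrowing; a destroy routine then frees along the owner list only and merely resets the borrowing heads. Merging the two lists into one, as suggested above, removes the second link entirely and makes that invariant unnecessary.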

job commented 3 years ago

I don't see the double free with 33664f3f6a06e519a5abf8846ae4ceb615eaa7a3 applied. Looks good