intel / liblwm2m

liblwm2m is an implementation of the LWM2M protocol from the Open Mobile Alliance.
BSD 3-Clause "New" or "Revised" License

segfault #26

Closed jvermillard closed 10 years ago

jvermillard commented 10 years ago

When I run lwm2mclient vs leshan, I have this segfault:

± > valgrind ./lwm2mclient 18:47
==27702== Memcheck, a memory error detector
==27702== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==27702== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==27702== Command: ./lwm2mclient
==27702==
18 bytes received from [::1]:5684
60 41 00 00 82 72 64 0A 67 6F 33 5A 6C 67 30 38  ` A . . . r d . g o 3 Z l g 0 8
4C 65                                            L e
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x80510A3: coap_merge_multi_option (er-coap-13.c:242)
==27702==    by 0x8051E8A: coap_parse_message (er-coap-13.c:684)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Use of uninitialised value of size 4
==27702==    at 0x80510B5: coap_merge_multi_option (er-coap-13.c:245)
==27702==    by 0x8051E8A: coap_parse_message (er-coap-13.c:684)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402E4B9: memmove (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x80510E5: coap_merge_multi_option (er-coap-13.c:249)
==27702==    by 0x8051E8A: coap_parse_message (er-coap-13.c:684)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402E4C9: memmove (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x80510E5: coap_merge_multi_option (er-coap-13.c:249)
==27702==    by 0x8051E8A: coap_parse_message (er-coap-13.c:684)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Use of uninitialised value of size 4
==27702==    at 0x402E4E9: memmove (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x80510E5: coap_merge_multi_option (er-coap-13.c:249)
==27702==    by 0x8051E8A: coap_parse_message (er-coap-13.c:684)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x8051E90: coap_parse_message (er-coap-13.c:685)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D4AC: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D4B9: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D4D2: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D516: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D5B0: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D5C7: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D5CB: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Use of uninitialised value of size 4
==27702==    at 0x402D5DA: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Use of uninitialised value of size 4
==27702==    at 0x402D5E2: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D5E4: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D5D2: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Conditional jump or move depends on uninitialised value(s)
==27702==    at 0x402D5E9: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Use of uninitialised value of size 4
==27702==    at 0x402D608: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==
==27702== Invalid read of size 4
==27702==    at 0x402D608: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==  Address 0x4050ffc is not stack'd, malloc'd or (recently) free'd
==27702==
==27702==
==27702== Process terminating with default action of signal 11 (SIGSEGV)
==27702==  Access not within mapped region at address 0x4050FFC
==27702==    at 0x402D608: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==  If you believe this happened as a result of a stack
==27702==  overflow in your program's main thread (unlikely but
==27702==  possible), you can try to increase the size of the
==27702==  main thread stack using the --main-stacksize= flag.
==27702==  The main thread stack size used in this run was 8388608.
==27702== Jump to the invalid address stated on the next line
==27702==    at 0x4793EFF: ???
==27702==    by 0x4050FFF: ???
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==  Address 0x4793eff is not stack'd, malloc'd or (recently) free'd
==27702==
==27702==
==27702== Process terminating with default action of signal 11 (SIGSEGV)
==27702==  Access not within mapped region at address 0x4793EFF
==27702==    at 0x4793EFF: ???
==27702==    by 0x4050FFF: ???
==27702==    by 0x8051EC4: coap_parse_message (er-coap-13.c:688)
==27702==    by 0x804F539: lwm2m_handle_packet (packet.c:193)
==27702==    by 0x804AEBE: main (lwm2mclient.c:536)
==27702==  If you believe this happened as a result of a stack
==27702==  overflow in your program's main thread (unlikely but
==27702==  possible), you can try to increase the size of the
==27702==  main thread stack using the --main-stacksize= flag.
==27702==  The main thread stack size used in this run was 8388608.
==27702==
==27702== HEAP SUMMARY:
==27702==     in use at exit: 67,441,392 bytes in 18 blocks
==27702==   total heap usage: 22 allocs, 4 frees, 67,441,495 bytes allocated
==27702==
==27702== LEAK SUMMARY:
==27702==    definitely lost: 60 bytes in 1 blocks
==27702==    indirectly lost: 0 bytes in 0 blocks
==27702==      possibly lost: 0 bytes in 0 blocks
==27702==    still reachable: 67,441,332 bytes in 17 blocks
==27702==         suppressed: 0 bytes in 0 blocks
==27702== Rerun with --leak-check=full to see details of leaked memory
==27702==
==27702== For counts of detected and suppressed errors, rerun with: -v
==27702== Use --track-origins=yes to see where uninitialised values come from
==27702== ERROR SUMMARY: 28 errors from 21 contexts (suppressed: 0 from 0)
[1]    27702 segmentation fault  valgrind ./lwm2mclient

dnav commented 10 years ago

Hi Julien,

Do you have the latest version of liblwm2m? I ask because the offending memcpy in er-coap-13.c is on line 691 now. I fixed several potential segfault issues related to location_path recently.

Anyway, I'll rerun tests on my side.

jvermillard commented 10 years ago

I'm at this commit:

commit 9f6389e70fc210f78b17b7e4135821e70f722f8c
Author: dnav david.navarro@intel.com
Date:   Tue Apr 8 11:34:02 2014 +0200

    Remove useless and potential buggy free

dnav commented 10 years ago

This is the right commit. It was me who was on an old one...

aradulovic commented 10 years ago

I've got a similar segfault on the first server response. The server was trying to send 9 bytes: [0x60 41 00 00 82 72 64 01]. The client entered "coap_parse_message", case COAP_OPTION_LOCATION_PATH, and got a segfault in the "coap_merge_multi_option" call. I've resolved this by setting tmp_len and tmp_buf (from the case COAP_OPTION_LOCATION_PATH) to 0. tmp_len is checked for 0 inside "coap_merge_multi_option", but my compiler didn't initialize it to 0 by default.
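
The two ingredients of the crash described in this thread are an accumulator (tmp_buf/tmp_len) that is read before anything has written it, and a memcpy whose length is taken straight from the datagram. The following is an added example, not code from liblwm2m or from er-coap-13: a small CoAP option walker (hypothetical names parse_location_path, merge_multi_option, path_acc_t, decode_ext) that zero-initialises its Location-Path accumulator before the first merge and refuses any option whose declared length runs past the end of the message. It is fed the 18-byte 2.01 Created response from the Valgrind log above (Location-Path "rd" and "go3Zlg08Le") and a constructed copy of that message cut short right after an option header, which stands in for the truncated response aradulovic saw.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COAP_OPTION_LOCATION_PATH 8   /* option number from RFC 7252 */
#define LOCATION_PATH_MAX 64          /* hypothetical cap for the merged path */

/* Accumulator for a repeatable option merged into one '/'-separated string.
 * It must be zeroed before parsing: the bug in this issue was a length field
 * left uninitialised, so the "is this the first segment?" test saw garbage.
 * (Hypothetical type, not the liblwm2m or er-coap-13 code.) */
typedef struct {
    char   buf[LOCATION_PATH_MAX];
    size_t len;
} path_acc_t;

/* Append one option value, inserting `separator` before every segment but the
 * first. Returns 0 on success, -1 if the merged path would not fit. */
static int merge_multi_option(path_acc_t *acc, const uint8_t *opt, size_t opt_len, char separator)
{
    size_t need = opt_len + (acc->len > 0 ? 1 : 0);
    if (acc->len + need >= sizeof acc->buf) return -1;   /* keep room for the NUL */
    if (acc->len > 0) acc->buf[acc->len++] = separator;
    memcpy(acc->buf + acc->len, opt, opt_len);
    acc->len += opt_len;
    acc->buf[acc->len] = '\0';
    return 0;
}

/* Decode an option delta/length nibble and its extension bytes (RFC 7252 §3.1).
 * Returns -1 on the reserved value 15 or if the extension bytes are missing. */
static int decode_ext(uint8_t nib, const uint8_t *p, size_t avail, size_t *val, size_t *used)
{
    if (nib < 13)  { *val = nib; *used = 0; return 0; }
    if (nib == 13) { if (avail < 1) return -1; *val = 13 + p[0]; *used = 1; return 0; }
    if (nib == 14) { if (avail < 2) return -1; *val = 269 + (((size_t)p[0] << 8) | p[1]); *used = 2; return 0; }
    return -1;
}

/* Walk the options of a CoAP message and merge every Location-Path option into
 * `out`. Returns 0 on success, -1 on a malformed or truncated message. */
int parse_location_path(const uint8_t *msg, size_t msg_len, path_acc_t *out)
{
    memset(out, 0, sizeof *out);                 /* the fix: never rely on stack contents */
    if (msg_len < 4 || (msg[0] >> 6) != 1) return -1;   /* 4-byte header, version 1 */
    size_t tkl = msg[0] & 0x0F;
    if (tkl > 8 || msg_len < 4 + tkl) return -1;
    size_t pos = 4 + tkl;
    size_t number = 0;

    while (pos < msg_len) {
        uint8_t hdr = msg[pos++];
        if (hdr == 0xFF) return 0;               /* payload marker: no more options */
        size_t delta, dlen, used;
        if (decode_ext(hdr >> 4, msg + pos, msg_len - pos, &delta, &used)) return -1;
        pos += used;
        if (decode_ext(hdr & 0x0F, msg + pos, msg_len - pos, &dlen, &used)) return -1;
        pos += used;
        /* This is the check the crashing memcpy lacked: the option value must lie
         * inside the datagram, otherwise we would read past the receive buffer. */
        if (dlen > msg_len - pos) return -1;
        number += delta;
        if (number == COAP_OPTION_LOCATION_PATH &&
            merge_multi_option(out, msg + pos, dlen, '/') != 0) return -1;
        pos += dlen;
    }
    return 0;
}

/* Constructed sample inputs: the 18-byte ACK from the report (2.01 Created with
 * Location-Path rd/go3Zlg08Le) and a copy cut short after an option header
 * that announces a 1-byte value which is not there. */
static const uint8_t ACK_FULL[] = {
    0x60, 0x41, 0x00, 0x00, 0x82, 'r', 'd', 0x0A,
    'g', 'o', '3', 'Z', 'l', 'g', '0', '8', 'L', 'e' };
static const uint8_t ACK_TRUNCATED[] = { 0x60, 0x41, 0x00, 0x00, 0x82, 'r', 'd', 0x01 };

/* Merged path of the full message, or NULL if it was rejected. */
const char *demo_full_path(void)
{
    static path_acc_t acc;
    return parse_location_path(ACK_FULL, sizeof ACK_FULL, &acc) == 0 ? acc.buf : NULL;
}

/* Return code for the truncated message (-1: rejected before any out-of-bounds copy). */
int demo_truncated_rc(void)
{
    path_acc_t acc;
    return parse_location_path(ACK_TRUNCATED, sizeof ACK_TRUNCATED, &acc);
}

int main(void)
{
    const char *path = demo_full_path();
    printf("full message:      %s\n", path ? path : "(malformed)");
    printf("truncated message: rc=%d\n", demo_truncated_rc());
    return 0;
}
```

The memset at the top of parse_location_path is the one-line equivalent of the fix aradulovic describes (setting tmp_len and tmp_buf to 0); the dlen bounds check is what turns the "Invalid read" in the log into a clean parse error. Building with -Wall and, as the log itself suggests, running under valgrind --track-origins=yes reports the uninitialised read where the variable was declared rather than at the memcpy that finally crashed.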

dnav commented 10 years ago

Thank you for spotting this. I just pushed a commit to fix it.

(/me goes and changes his compiler default settings)