Subject: read-after-free bug

From: Bram Matthys (Syzop) <syzop_at_vulnscan.org>
Date: 2005-11-16

Hi,

Just noticed this when running valgrind on our experimental UnrealIRCd
version using c-ares.

This is c-ares version 1.3.0 (non-cvs).

I think it happened when I restarted my DNS server.

== Invalid read of size 4
== at 0x80A7C1C: next_server (ares_process.c:409)
== by 0x80A795D: process_timeouts (ares_process.c:302)
== by 0x80A7355: ares_process (ares_process.c:93)
== by 0x8057584: read_message (s_bsd.c:1786)
== by 0x8065AD8: main (ircd.c:1540)
== Address 0x1DFCFA2C is 52 bytes inside a block of size 56 free'd
== at 0x1B904B04: free (vg_replace_malloc.c:152)
== by 0x80A8407: end_query (ares_process.c:706)
== by 0x80A7C77: next_server (ares_process.c:418)
== by 0x80A7E64: ares__send_query (ares_process.c:471)
== by 0x80A7C18: next_server (ares_process.c:408)
== by 0x80A795D: process_timeouts (ares_process.c:302)
== by 0x80A7355: ares_process (ares_process.c:93)
== by 0x8057584: read_message (s_bsd.c:1786)
== by 0x8065AD8: main (ircd.c:1540)
==
== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- y

0x080a7c1c in next_server (channel=0x1bb500b8, query=0x1dfcf9f8,
now=1132177437) at ares_process.c:409
409 return (query->next);
(gdb) p query->next
$1 = (struct query *) 0x1dfc2de0
(gdb) list
404 for (; query->server < channel->nservers; query->server++)
405 {
406 if (!query->skip_server[query->server])
407 {
408 ares__send_query(channel, query, now);
409 return (query->next);
410 }
411 }
412 query->server = 0;
413
(gdb) p *query
$2 = {qid = 9223, timeout = 1132177437, tcpbuf = 0x1dfd5df8 "", tcplen =
45, qbuf = 0x1dfd5dfa "$\a\001", qlen = 43, callback = 0x80acaba
<qcallback>,
  arg = 0x1dfb10b0, try = 2, server = 0, skip_server = 0x1dfcfa60,
using_tcp = 0, error_status = 12, next = 0x1dfc2de0}
(gdb) p *query->next
$3 = {qid = 9222, timeout = 1132177441, tcpbuf = 0x1dfc2e48 "", tcplen =
45, qbuf = 0x1dfc2e4a "$\006\001", qlen = 43, callback = 0x80acaba
<qcallback>,
  arg = 0x1e08a128, try = 1, server = 0, skip_server = 0x1dfc4688,
using_tcp = 0, error_status = 12, next = 0x1dfbcad0}

Seems like the ares__send_query statement on line 408 freed 'query' and
then we try to return 'query->next' on line 409? Well I hope it's
something as simple as that ;).
I did not fully research it [if I would, I would also have provided a
patch ;)].

Hope it helps,

        Bram.

--
Bram Matthys
Software developer/IT consultant syzop@vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2
Received on Wed Nov 16 23:04:05 2005
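The pattern Bram points at (a call that may free `query`, followed by `return (query->next)`) as an added example, not code from the report or from c-ares: a cut-down model with assumed structure and function names, showing the defensive form that reads the successor before the call that may free the node.

```c
#include <stdlib.h>
/* Constructed, cut-down model of the c-ares structures in the report; the field
 * and function names are assumptions, not the library's exact code. */
struct query {
    int qid, tries;          /* tries: retries already made */
    struct query *next;      /* channel's list of in-flight queries */
};
struct channel {
    int max_tries, freed;    /* freed: queries released by end_query() */
    struct query *queries;
};
/* Model of end_query(): unlink q from the channel list and free it. */
static void end_query(struct channel *ch, struct query *q)
{
    struct query **pp;
    for (pp = &ch->queries; *pp; pp = &(*pp)->next)
        if (*pp == q) { *pp = q->next; break; }
    ch->freed++;
    free(q);
}
/* Model of ares__send_query(): with retries exhausted it ends the query, which
 * frees q (the path in the valgrind trace). Returns 1 if q was freed. */
static int send_query(struct channel *ch, struct query *q)
{
    if (q->tries >= ch->max_tries) { end_query(ch, q); return 1; }
    q->tries++;
    return 0;
}
/* Safe form of the ares_process.c:408-409 pattern: read q->next BEFORE the call
 * that may free q, so the return value never comes from freed memory. */
static struct query *next_server_safe(struct channel *ch, struct query *q)
{
    struct query *next = q->next;
    send_query(ch, q);   /* may free q; q must not be touched after this */
    return next;
}
/* Constructed scenario: head query 9223 has used head_tries retries (max 2).
 * Returns the number of queries freed, or -1 if the successor or list is wrong. */
static int scenario(int head_tries)
{
    struct query *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    a->qid = 9223; a->tries = head_tries; a->next = b;
    b->qid = 9222; b->tries = 1;
    struct channel ch = { 2, 0, a };
    struct query *n = next_server_safe(&ch, a);
    int ok = (n == b && b->tries == 1 && ch.queries == (ch.freed ? b : a));
    if (!ch.freed) free(a);
    free(b);
    return ok ? ch.freed : -1;
}
```

Running the freed path under valgrind with this ordering produces no invalid read, since the successor pointer is copied while `q` is still live.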