Ok, I did break my code out and my business problems are solved, but I'd like to help get the library fixed. I now have a little single threaded helper application that runs all the ospf stuff, checks a single domain passed on the command line, and exits. Only my helper app crashes now, so my main app is safe from heap corruption.
I've isolated the bug with valgrind. I see two off by 1 errors that are the source of the corruption. Both are below. Unfortunatly, I can't make heads or tails out of the code after a quick glance. Someone should mention to the author that a reference implementation is supposed to be simple, I think he's trying way to hard to make it much faster than it needs to be.
Maybe fixing this will become trivial for someone with more experience with the codebase. I also have full cores of this segmentation fault, so if you need to know any variable state or what not just let me know! My personal issue is resolved at this point, so I don't know if I'll take the time to read the library more thoroughly and see what's going on here, but if I do and I fix it I'll post a patch.
David
The SPF Request (Not actually from the core this run, the core is from a different run than the valgrind output, but hopefully same variables)
(gdb) print *spf_request
$1 = {spf_server = 0x804a160, client_ver = 2, ipv4 = {s_addr = 1354723032},
ipv6 = {in6_u = {u6_addr8 = '\0' <repeats 15 times>, u6_addr16 = {0, 0, 0,
0, 0, 0, 0, 0}, u6_addr32 = {0, 0, 0, 0}}},
env_from = 0x804a870 "ret@h37150.whoisyourbigtimecrush.com",
helo_dom = 0x804a728 "h37150.whoisyourbigtimecrush.com", rcpt_to_dom = 0x0,
use_local_policy = 0 '\0', use_helo = 0 '\0', env_from_lp = 0x804a8a0 "ret",
env_from_dp = 0x804a900 "h37150.whoisyourbigtimecrush.com",
client_dom = 0x0, cur_dom = 0x804a900 "h37150.whoisyourbigtimecrush.com",
max_var_len = 0}
First invalid write:
==30539== Invalid write of size 1
==30539== at 0x401BD48: memcpy (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x4064E74: SPF_dns_resolv_lookup (spf_dns_resolv.c:404)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x4063E71: SPF_dns_cache_lookup (spf_dns_cache.c:387)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x406B6FD: SPF_server_get_record (spf_server.c:275)
==30539== by 0x406A8AB: SPF_request_query_mailfrom (spf_request.c:253)
==30539== by 0x8048B45: main (spf-helper.c:83)
==30539== Address 0x41DB3BD is 0 bytes after a block of size 93 alloc'd
==30539== at 0x4019820: malloc (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x401B008: realloc (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x4065394: SPF_dns_rr_buf_realloc (spf_dns_rr.c:162)
==30539== by 0x4064E29: SPF_dns_resolv_lookup (spf_dns_resolv.c:394)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x4063E71: SPF_dns_cache_lookup (spf_dns_cache.c:387)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x406B6FD: SPF_server_get_record (spf_server.c:275)
==30539== by 0x406A8AB: SPF_request_query_mailfrom (spf_request.c:253)
==30539== by 0x8048B45: main (spf-helper.c:83)
Second write error (May be induced by the first of course:)
==30539== Invalid write of size 1
==30539== at 0x4064E9F: SPF_dns_resolv_lookup (spf_dns_resolv.c:409)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x4063E71: SPF_dns_cache_lookup (spf_dns_cache.c:387)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x406B6FD: SPF_server_get_record (spf_server.c:275)
==30539== by 0x406A8AB: SPF_request_query_mailfrom (spf_request.c:253)
==30539== by 0x8048B45: main (spf-helper.c:83)
==30539== Address 0x41DB3CA is 13 bytes after a block of size 93 alloc'd
==30539== at 0x4019820: malloc (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x401B008: realloc (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x4065394: SPF_dns_rr_buf_realloc (spf_dns_rr.c:162)
==30539== by 0x4064E29: SPF_dns_resolv_lookup (spf_dns_resolv.c:394)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x4063E71: SPF_dns_cache_lookup (spf_dns_cache.c:387)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x406B6FD: SPF_server_get_record (spf_server.c:275)
==30539== by 0x406A8AB: SPF_request_query_mailfrom (spf_request.c:253)
==30539== by 0x8048B45: main (spf-helper.c:83)
The free error that brings everything to it's knee's (Probably caused by the first off by one buffer overrun, as you can see, this valgrind run died in a different place than the cores usually do)
==30539== Invalid free() / delete / delete[]
==30539== at 0x401A5BE: free (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x4171582: (within /lib/libc-2.2.5.so)
==30539== by 0x40E7E73: __libc_freeres (in /lib/libc-2.2.5.so)
==30539== by 0x4015457: _vgnU_freeres (in /usr/local/lib/valgrind/x86-linux/vgpreload_core.so)
==30539== by 0x40A0B77: exit (in /lib/libc-2.2.5.so)
==30539== by 0x8048C40: main (spf-helper.c:118)
==30539== Address 0x4017C50 is not stack'd, malloc'd or (recently) free'd
-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=41761352-80465f
Powered by Listbox: http://www.listbox.com
I've isolated the bug with valgrind. I see two off by 1 errors that are the source of the corruption. Both are below. Unfortunatly, I can't make heads or tails out of the code after a quick glance. Someone should mention to the author that a reference implementation is supposed to be simple, I think he's trying way to hard to make it much faster than it needs to be.
Maybe fixing this will become trivial for someone with more experience with the codebase. I also have full cores of this segmentation fault, so if you need to know any variable state or what not just let me know! My personal issue is resolved at this point, so I don't know if I'll take the time to read the library more thoroughly and see what's going on here, but if I do and I fix it I'll post a patch.
David
The SPF Request (Not actually from the core this run, the core is from a different run than the valgrind output, but hopefully same variables)
(gdb) print *spf_request
$1 = {spf_server = 0x804a160, client_ver = 2, ipv4 = {s_addr = 1354723032},
ipv6 = {in6_u = {u6_addr8 = '\0' <repeats 15 times>, u6_addr16 = {0, 0, 0,
0, 0, 0, 0, 0}, u6_addr32 = {0, 0, 0, 0}}},
env_from = 0x804a870 "ret@h37150.whoisyourbigtimecrush.com",
helo_dom = 0x804a728 "h37150.whoisyourbigtimecrush.com", rcpt_to_dom = 0x0,
use_local_policy = 0 '\0', use_helo = 0 '\0', env_from_lp = 0x804a8a0 "ret",
env_from_dp = 0x804a900 "h37150.whoisyourbigtimecrush.com",
client_dom = 0x0, cur_dom = 0x804a900 "h37150.whoisyourbigtimecrush.com",
max_var_len = 0}
First invalid write:
==30539== Invalid write of size 1
==30539== at 0x401BD48: memcpy (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x4064E74: SPF_dns_resolv_lookup (spf_dns_resolv.c:404)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x4063E71: SPF_dns_cache_lookup (spf_dns_cache.c:387)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x406B6FD: SPF_server_get_record (spf_server.c:275)
==30539== by 0x406A8AB: SPF_request_query_mailfrom (spf_request.c:253)
==30539== by 0x8048B45: main (spf-helper.c:83)
==30539== Address 0x41DB3BD is 0 bytes after a block of size 93 alloc'd
==30539== at 0x4019820: malloc (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x401B008: realloc (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x4065394: SPF_dns_rr_buf_realloc (spf_dns_rr.c:162)
==30539== by 0x4064E29: SPF_dns_resolv_lookup (spf_dns_resolv.c:394)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x4063E71: SPF_dns_cache_lookup (spf_dns_cache.c:387)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x406B6FD: SPF_server_get_record (spf_server.c:275)
==30539== by 0x406A8AB: SPF_request_query_mailfrom (spf_request.c:253)
==30539== by 0x8048B45: main (spf-helper.c:83)
Second write error (May be induced by the first of course:)
==30539== Invalid write of size 1
==30539== at 0x4064E9F: SPF_dns_resolv_lookup (spf_dns_resolv.c:409)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x4063E71: SPF_dns_cache_lookup (spf_dns_cache.c:387)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x406B6FD: SPF_server_get_record (spf_server.c:275)
==30539== by 0x406A8AB: SPF_request_query_mailfrom (spf_request.c:253)
==30539== by 0x8048B45: main (spf-helper.c:83)
==30539== Address 0x41DB3CA is 13 bytes after a block of size 93 alloc'd
==30539== at 0x4019820: malloc (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x401B008: realloc (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x4065394: SPF_dns_rr_buf_realloc (spf_dns_rr.c:162)
==30539== by 0x4064E29: SPF_dns_resolv_lookup (spf_dns_resolv.c:394)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x4063E71: SPF_dns_cache_lookup (spf_dns_cache.c:387)
==30539== by 0x40637A2: SPF_dns_lookup (spf_dns.c:114)
==30539== by 0x406B6FD: SPF_server_get_record (spf_server.c:275)
==30539== by 0x406A8AB: SPF_request_query_mailfrom (spf_request.c:253)
==30539== by 0x8048B45: main (spf-helper.c:83)
The free error that brings everything to it's knee's (Probably caused by the first off by one buffer overrun, as you can see, this valgrind run died in a different place than the cores usually do)
==30539== Invalid free() / delete / delete[]
==30539== at 0x401A5BE: free (in /usr/local/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==30539== by 0x4171582: (within /lib/libc-2.2.5.so)
==30539== by 0x40E7E73: __libc_freeres (in /lib/libc-2.2.5.so)
==30539== by 0x4015457: _vgnU_freeres (in /usr/local/lib/valgrind/x86-linux/vgpreload_core.so)
==30539== by 0x40A0B77: exit (in /lib/libc-2.2.5.so)
==30539== by 0x8048C40: main (spf-helper.c:118)
==30539== Address 0x4017C50 is not stack'd, malloc'd or (recently) free'd
-------------------------------------------
-----------------------------------------------------------------------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311533&id_secret=41761352-80465f
Powered by Listbox: http://www.listbox.com