Ticket #655 (new defect)
palm-sync fails with segfault in libpisock's pack_Address()
| Reported by: | mbanck | Owned by: | dgollub |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Plugin: palm | Version: | 0.38 |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description (last modified by felixmoeller)
palm-sync fails with a segfault for me (Palm III, IR connection, other member is evo2-sync):
==8488== Thread 7:
==8488== Invalid read of size 4
==8488== at 0x46FB643: pack_Address (address.c:154)
==8488== by 0x50486D5: psyncContactCommit (palm_contact.c:268)
==8488== by 0x4078D04: osync_objtype_sink_commit_change (in /usr/lib/libopensync.so.1exp2.0.0)
==8488== by 0x404F124: (within /usr/lib/libopensync.so.1exp2.0.0)
==8488== by 0x404FE7C: (within /usr/lib/libopensync.so.1exp2.0.0)
==8488== by 0x406D1E2: (within /usr/lib/libopensync.so.1exp2.0.0)
==8488== by 0x40B61C5: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.1400.3)
==8488== by 0x40B9551: (within /usr/lib/libglib-2.0.so.0.1400.3)
==8488== by 0x40B9936: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.1400.3)
==8488== by 0x40D94FE: (within /usr/lib/libglib-2.0.so.0.1400.3)
==8488== by 0x44384FA: start_thread (in /lib/i686/cmov/libpthread-2.7.so)
==8488== by 0x421360D: clone (in /lib/i686/cmov/libc-2.7.so)
[...]
(gdb) bt full
#0 0x046fb64b in pack_Address (addr=0x7c0ffa8, buf=0x44cfcb8, type=address_v1) at address.c:154
l = <value optimized out>
destlen = 9
buffer = <value optimized out>
contents = 63
v = 0
phoneflag = <value optimized out>
offset = <value optimized out>
#1 0x050486d6 in psyncContactCommit (data=0x7a3aee0, info=0x7a3a118, ctx=0x45cf2c8, change=0x795e548)
at /build/mbanck/libopensync-plugin-palm-0.35/src/palm_contact.c:268
orig_entry = <value optimized out>
db = (PSyncDatabase *) 0x476bac8
contact = (PSyncContactEntry *) 0x7c0ffa8
error = (OSyncError *) 0x0
id = 0
__func__ = "psyncContactCommit"
#2 0x04078d05 in osync_objtype_sink_commit_change () from /usr/lib/libopensync.so.1exp2
No symbol table info available.
#3 0x0404f125 in ?? () from /usr/lib/libopensync.so.1exp2
No symbol table info available.
#4 0x07a42150 in ?? ()
[...]
(gdb) p addr
$5 = (const Address_t *) 0x7c0ffa8
(gdb) p *addr
$6 = {phoneLabel = {101450416, 108, 101385064, 127560608, 1}, showPhone = 26, entry = {0x19 <Address 0x19 out of bounds>, 0x18 <Address 0x18 out of bounds>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x50 <Address 0x50 out of bounds>, 0x40 <Address 0x40 out of bounds>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x450add8 "", 0x4573510 "���\a��\\\0044 ", 0x6090920 "���\a\001", 0x0, 0x7c10058 "ntact>\n <Revision>\n <Content>20071205T174558Z</Content>\n </Revision>\n <Uid>\n <Content>pas-id-4756E3D600000003</Content>\n </Uid>\n</contact>\n"}}
The last lines of the trace are (with some additional debugging added):
[1198682613.406026] >>>>>>> osync_objtype_sink_commit_change(0x807c808, 0x807ca08, 0x807c870, 0x810c1a8, 0x81c4e80)
[1198682613.406081] >>>>>>> psyncContactCommit(0x807ca08, 0x807c870, 0x81c4e80, 0x810c1a8)
[1198682613.406130] >>>>>>> psyncDBOpen(0x807ca08, AddressDB, 0xb49f4158)
[1198682613.891823] <<<<<<< psyncDBOpen: 0x81ba698
[1198682613.891866] Find category
[1198682613.891888] Adding new entry
[1198682613.891908] contact: 0x81a75a0 address: 0x81a75a0
Seems like (at least to me) contact->address is bogus when passed to libpisock's pack_Address(); after a couple of iterations in the for loop of [pilot-link]/libpisock/address.c around line 154, a segfault happens.
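The dump above shows what a type-confused record looks like from the packer's side: the `contact` and `addr` pointers are identical (0x7c0ffa8), `phoneLabel` and `showPhone` hold values far outside their range, and `entry[]` holds small integers (0x19, 0x18, 0x50, 0x40) that gdb flags as out of bounds. The following is an added example, not code from this ticket, pilot-link or the palm plugin. It assumes only the `Address_t` shape visible in the gdb output (five `phoneLabel` ints, `showPhone`, nineteen `entry` pointers); the header layout, the field bound, the `struct fake_contact` container and the `demo_*` helpers are constructed for illustration. It shows a precondition check that rejects exactly the kind of record in the dump before anything is dereferenced, and a packer that refuses to write past the caller's buffer.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Address_t as laid out in the ticket's gdb dump (assumed shape, not copied
 * from libpisock): 5 phone labels, which phone to show, 19 text fields. */
#define ADDR_ENTRIES 19
typedef struct {
    int phoneLabel[5];
    int showPhone;
    char *entry[ADDR_ENTRIES];
} Address_t;

#define ADDR_HEADER 9            /* destlen starts at 9 in the trace */
#define ADDR_MAX_FIELD 4096      /* constructed bound on one text field */
#define MIN_PLAUSIBLE_PTR 4096u  /* page zero never holds a live object */

/* Precondition check to run before a packer dereferences every entry[] slot.
 * Labels are 4-bit values and showPhone indexes phoneLabel[], so the dump's
 * phoneLabel = {101450416, ...} and showPhone = 26 fail here, as do the
 * integer "pointers" 0x19 / 0x18 / 0x50 / 0x40 found in entry[]. */
int address_sane(const Address_t *addr)
{
    if (addr == NULL) return 0;
    for (int i = 0; i < 5; i++)
        if (addr->phoneLabel[i] < 0 || addr->phoneLabel[i] > 15) return 0;
    if (addr->showPhone < 0 || addr->showPhone > 4) return 0;
    for (int v = 0; v < ADDR_ENTRIES; v++) {
        const char *p = addr->entry[v];
        if (p != NULL && (uintptr_t)p < MIN_PLAUSIBLE_PTR) return 0;
    }
    return 1;
}

/* Bounded packer modelled on the locals in the trace (destlen, contents,
 * phoneflag, offset). Simplified layout, not libpisock's byte for byte:
 * 9-byte header (phone flags, field bitmask, offset byte), then each
 * non-empty field as a NUL-terminated string. Returns the packed size, or -1
 * if the record is unsafe or buf is too small; buf == NULL only sizes. */
long address_pack(const Address_t *addr, unsigned char *buf, size_t buflen)
{
    if (!address_sane(addr)) return -1;
    long destlen = ADDR_HEADER;
    uint32_t contents = 0;
    for (int v = 0; v < ADDR_ENTRIES; v++) {
        const char *s = addr->entry[v];
        if (s == NULL || *s == '\0') continue;
        size_t l = strnlen(s, ADDR_MAX_FIELD);
        if (l == ADDR_MAX_FIELD) return -1;  /* unterminated or over-long field */
        destlen += (long)l + 1;
        contents |= 1u << v;
    }
    if (buf == NULL) return destlen;
    if ((size_t)destlen > buflen) return -1; /* never write past the caller's buffer */

    uint32_t phoneflag = 0;
    for (int i = 0; i < 5; i++) phoneflag |= (uint32_t)addr->phoneLabel[i] << (4 * i);
    phoneflag |= (uint32_t)addr->showPhone << 20;
    for (int i = 0; i < 4; i++) {            /* big-endian header words */
        buf[i]     = (unsigned char)(phoneflag >> (24 - 8 * i));
        buf[4 + i] = (unsigned char)(contents  >> (24 - 8 * i));
    }
    buf[8] = 0;                              /* offset byte, unused here */
    size_t off = ADDR_HEADER;
    for (int v = 0; v < ADDR_ENTRIES; v++) {
        if (!(contents & (1u << v))) continue;
        size_t l = strlen(addr->entry[v]) + 1;
        memcpy(buf + off, addr->entry[v], l);
        off += l;
    }
    return destlen;
}

/* Constructed sample: three fields, packed size 9 + 4 + 5 + 9 = 27. */
static Address_t good_record(void)
{
    Address_t a;
    memset(&a, 0, sizeof a);
    a.entry[0] = "Doe"; a.entry[1] = "John"; a.entry[3] = "555-0100";
    return a;
}

long demo_good_len(void)
{
    Address_t a = good_record();
    unsigned char buf[64];
    return address_pack(&a, buf, sizeof buf);           /* 27 */
}

unsigned demo_good_contents_lsb(void)
{
    Address_t a = good_record();
    unsigned char buf[64];
    if (address_pack(&a, buf, sizeof buf) < 0) return 0xFFFF;
    return buf[7];                                       /* bitmask 0b1011 = 11 */
}

long demo_small_buffer(void)
{
    Address_t a = good_record();
    unsigned char buf[16];
    return address_pack(&a, buf, sizeof buf);           /* 27 > 16, so -1 */
}

/* Hypothetical container reproducing the ticket's symptom: the contact pointer
 * is passed where its Address_t member was expected, so the integers at the
 * front of the contact are read as phone labels and entry pointers. */
struct fake_contact { int ints[8]; char *xml; Address_t address; };

int demo_confused_pointer_rejected(void)
{
    struct fake_contact c;
    memset(&c, 0, sizeof c);
    c.ints[0] = 0x19; c.ints[1] = 0x18; c.ints[6] = 0x50;
    c.address = good_record();
    const void *wrong = &c;                              /* should be &c.address */
    return address_sane((const Address_t *)wrong) == 0 && address_sane(&c.address) == 1;
}
```

The check cannot prove that a pointer is valid, but it turns the two observable anomalies in this dump (out-of-range label values and page-zero "pointers") into an early, loggable failure instead of a crash inside the packer's loop; the size-query form (`buf == NULL`) lets a caller allocate exactly `destlen` bytes before the real pack.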