memory clobbered in tor_snprintf?
My dir auths segfault:
#0  0x00002b79edb335b0 in strlen () from /lib/libc.so.6
#1  0x00002b79edb054bc in vfprintf () from /lib/libc.so.6
#2  0x00002b79edb2572a in vsnprintf () from /lib/libc.so.6
#3  0x0000000000471d33 in tor_vsnprintf (str=0x7fffbd8f3ad0 "HTTP/1.0 200 ", size=4788951, format=0x7fffbd8f3a01 ":\217½ÿ\177", args=0x3) at compat.c:322
#4  0x0000000000471dd1 in tor_snprintf (str=0x5 <Address 0x5 out of bounds>, size=4788951, format=0x7fffbd8f3a01 ":\217½ÿ\177") at compat.c:302
#5  0x0000000000434863 in write_http_status_line (conn=0x95b930, status=3, reason_phrase=0x0) at directory.c:1458
#6  0x0000000000436d49 in directory_handle_command (conn=0x95b930) at directory.c:1997
#7  0x00000000004378d5 in connection_dir_process_inbuf (conn=0x5) at directory.c:1430
#8  0x0000000000423d0b in connection_handle_read (conn=0x95b930) at connection.c:1597
#9  0x0000000000447670 in conn_read_callback (fd=, event=, _conn=) at main.c:467
#10 0x00002b79ed3e70e2 in event_base_loop () from /usr/lib/libevent-1.1a.so.1
#11 0x00000000004472de in tor_main (argc=, argv=) at main.c:1349
#12 0x00002b79edadd4ca in __libc_start_main () from /lib/libc.so.6
#13 0x000000000040634a in _start () at ../sysdeps/x86_64/elf/start.S:113
(gdb) up
#4  0x0000000000471dd1 in tor_snprintf (str=0x5 <Address 0x5 out of bounds>, size=4788951, format=0x7fffbd8f3a01 ":\217½ÿ\177") at compat.c:302
302       r = tor_vsnprintf(str,size,format,ap);
(gdb) up
#5  0x0000000000434863 in write_http_status_line (conn=0x95b930, status=3, reason_phrase=0x0) at directory.c:1458
1458      if (tor_snprintf(buf, sizeof(buf), "HTTP/1.0 %d %s\r\n\r\n",
(gdb) up
#6  0x0000000000436d49 in directory_handle_command (conn=0x95b930) at directory.c:1997
1997      write_http_status_line(conn, 200, "Service descriptor stored");
If I set an assert inside write_http_status_line to make sure that reason_phrase is non-null, it always is. It's getting clobbered somewhere inside. Whenever this happens it always ends up with str=0x5 and status=3. So it's a deterministic clobbering, whatever it is.
I've gone hunting in a variety of places; I'll try to document them here as I remember and re-check them.
One hint: it happens in r10233, but not in r10100. (It's harder to test the ones in between because they trigger on the other bugs we were hunting.)
[Automatically added by flyspray2trac: Operating System: All]
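As an added illustration that is not Tor's own code, here is a defensive counterpart to the write_http_status_line() frame in the backtrace: it formats the same "HTTP/1.0 %d %s\r\n\r\n" line but rejects the corrupted argument pattern seen in the crash (status=3, reason_phrase=NULL) and buffer truncation instead of letting vsnprintf walk a NULL string in strlen(). The function name format_http_status_line and the three-digit status range check are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Tor's code: a guarded version of the status-line
 * formatting done at directory.c:1458 in the backtrace above.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * arguments are invalid or the line would not fit in buf. */
int format_http_status_line(char *buf, size_t bufsize,
                            int status, const char *reason_phrase)
{
    int r;

    if (buf == NULL || bufsize == 0)
        return -1;
    /* Passing NULL to "%s" is undefined behaviour; this is exactly what
     * faulted inside strlen() in the trace (reason_phrase=0x0). */
    if (reason_phrase == NULL)
        return -1;
    /* HTTP status codes are three digits (assumed range); a value like
     * the clobbered status=3 cannot have come from a sane caller. */
    if (status < 100 || status > 599)
        return -1;

    r = snprintf(buf, bufsize, "HTTP/1.0 %d %s\r\n\r\n", status, reason_phrase);
    if (r < 0 || (size_t)r >= bufsize) {
        /* snprintf returns the length it wanted; treat truncation as an
         * error rather than emitting a partial status line. */
        buf[0] = '\0';
        return -1;
    }
    return r;
}

int main(void)
{
    char buf[64];
    /* The legitimate call from directory.c:1997 succeeds. */
    int n = format_http_status_line(buf, sizeof(buf), 200,
                                    "Service descriptor stored");
    if (n < 0) { puts("format failed"); return 1; }
    printf("%d bytes: %s", n, buf);
    /* The clobbered arguments from the crash are refused, not crashed on. */
    if (format_http_status_line(buf, sizeof(buf), 3, NULL) == -1)
        puts("clobbered arguments rejected");
    return 0;
}
```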