memory clobbered in tor_snprintf?
My dir auths seg fault:
#0  0x00002b79edb335b0 in strlen () from /lib/libc.so.6
#1  0x00002b79edb054bc in vfprintf () from /lib/libc.so.6
#2  0x00002b79edb2572a in vsnprintf () from /lib/libc.so.6
#3  0x0000000000471d33 in tor_vsnprintf (str=0x7fffbd8f3ad0 "HTTP/1.0 200 ", size=4788951, format=0x7fffbd8f3a01 ":\217½ÿ\177", args=0x3) at compat.c:322
#4  0x0000000000471dd1 in tor_snprintf (str=0x5 <Address 0x5 out of bounds>, size=4788951, format=0x7fffbd8f3a01 ":\217½ÿ\177") at compat.c:302
#5  0x0000000000434863 in write_http_status_line (conn=0x95b930, status=3, reason_phrase=0x0) at directory.c:1458
#6  0x0000000000436d49 in directory_handle_command (conn=0x95b930) at directory.c:1997
#7  0x00000000004378d5 in connection_dir_process_inbuf (conn=0x5) at directory.c:1430
#8  0x0000000000423d0b in connection_handle_read (conn=0x95b930) at connection.c:1597
#9  0x0000000000447670 in conn_read_callback (fd=, event=, _conn=) at main.c:467
#10 0x00002b79ed3e70e2 in event_base_loop () from /usr/lib/libevent-1.1a.so.1
#11 0x00000000004472de in tor_main (argc=, argv=) at main.c:1349
#12 0x00002b79edadd4ca in __libc_start_main () from /lib/libc.so.6
#13 0x000000000040634a in _start () at ../sysdeps/x86_64/elf/start.S:113

(gdb) up
#4  0x0000000000471dd1 in tor_snprintf (str=0x5 <Address 0x5 out of bounds>, size=4788951, format=0x7fffbd8f3a01 ":\217½ÿ\177") at compat.c:302
302         r = tor_vsnprintf(str,size,format,ap);
(gdb) up
#5  0x0000000000434863 in write_http_status_line (conn=0x95b930, status=3, reason_phrase=0x0) at directory.c:1458
1458        if (tor_snprintf(buf, sizeof(buf), "HTTP/1.0 %d %s\r\n\r\n",
(gdb) up
#6  0x0000000000436d49 in directory_handle_command (conn=0x95b930) at directory.c:1997
1997        write_http_status_line(conn, 200, "Service descriptor stored");
If I set an assert inside write_http_status_line to make sure that reason_phrase is non-null, it always is. It's getting clobbered somewhere inside. Whenever this happens it always ends up with str=0x5 and status=3. So it's a deterministic clobbering, whatever it is.
I've gone hunting in a variety of places; I'll try to document them here as I remember and re-check them.
One hint: it happens in r10233, but not in r10100. (It's harder to test the ones in between because they trigger on the other bugs we were hunting.)
[Automatically added by flyspray2trac: Operating System: All]