BusyBox Bug and Patch Tracking

ID: 0001794
Category: [BusyBox]
Severity: crash
Reproducibility: sometimes
Date Submitted: 12-16-07 23:24
Last Update: 09-28-08 16:16
Reporter: makelaa
View Status: public
Assigned To:
Priority: normal
Resolution: open
Status: new
Product Version:
Summary: 0001794: Udhcpc crashes in robustness testing
Description: We have run an extensive set of robustness test cases for udhcpc version 0.9.8cvs20050303 (basically the Debian etch version, but according to CVS the relevant code seems to be identical in trunk). Unfortunately I can't make the test set available, but basically it consists of ~15k test cases, which have crafted invalid DHCP packets whose sole purpose is to inflict crashes in the DHCP client.

These ~15k test cases produce ~600 core dumps for udhcpc in function run_script() and functions called by that function (i.e. fill_envp() and fill_options()). According to various backtraces, memory corruption occurs in those functions (the presented backtraces are from the armel architecture, which AFAIK can contain some "anomalies" in variable values etc.):

0 0x41050e74 *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
1 0x41052450 *__GI_abort () at abort.c:88
2 0x41083f44 __libc_message (do_abort=2, fmt=0x41126628 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
3 0x41089e9c malloc_printerr (action=3, str=0x411267b4 "malloc(): memory corruption", ptr=0x0) at malloc.c:5758
4 0x4108b0a4 _int_malloc (av=0x4113707c, bytes=8) at malloc.c:4105
5 0x4108c400 *__GI___libc_malloc (bytes=8) at malloc.c:3468
6 0x41082de4 _IO_vasprintf (result_ptr=0x192c4, format=0x7 "G\n\xc3\xb53\r", args=0xbe84e958) at vasprintf.c:77
7 0x410699e0 ___asprintf (string_ptr=0x0, format=0xe428 "mask=%d") at asprintf.c:37
8 0xa2d8 run_script (packet=0x0, name=0xe038 "bound") at script.c:66
9 0x98ea main (argc=2, argv=0x687) at dhcpc.c:581
10 0x4103c10c __libc_start_main (main=0x9299 <main+1>, argc=4, ubp_av=0xbe84ee14, init=0xd8dc <__libc_csu_init>, fini=0xd94c <__libc_csu_fini>, rtld_fini=0, stack_end=0xbe84ee14) at libc-start.c:231
11 0x91d8 _start () from unknown

0 0x4108aa48 *__GI___libc_free (mem=0x19258) at malloc.c:3530
1 0xa3de run_script (packet=0x19250, name=0xe038 "bound") at script.c:221
2 0x98ea main (argc=2, argv=0x1a10) at dhcpc.c:581
3 0x4103c10c __libc_start_main (main=0x9299 <main+1>, argc=4, ubp_av=0xbeb27e14, init=0xd8dc <__libc_csu_init>, fini=0xd94c <__libc_csu_fini>, rtld_fini=0x19250, stack_end=0xbeb27e14) at libc-start.c:231
4 0x91d8 _start () from unknown
 
etc.

I was able to fix the problem (and run those robustness test cases without crashes) after applying the attached patch, which converts sprintf() to snprintf() and generally checks better that memory outside allocated regions is not touched.
Additional Information:
Attached Files: udhcp_robustness_fixes.patch (5,106 bytes) 12-16-07 23:24
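
The kind of fix the report describes (length checks on untrusted option data plus snprintf() with its return value checked), as an added example; it is not the attached patch and not udhcpc code. The names find_option, format_ip_list and dns_env, the 32-byte buffer and the sample option bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Find option `code` in a DHCP options area of n bytes (code, length, value).
 * Returns the value and sets *len, or NULL if the option is absent or a
 * length byte points past the end of the buffer. */
static const uint8_t *find_option(const uint8_t *o, size_t n, uint8_t code,
                                  size_t *len)
{
    size_t i = 0;
    while (i < n && o[i] != 0xff) {               /* 0xff = end option */
        if (o[i] == 0x00) { i++; continue; }      /* 0x00 = pad option */
        if (n - i < 2 || o[i + 1] > n - i - 2)
            return NULL;                          /* truncated or overlong */
        if (o[i] == code) { *len = o[i + 1]; return o + i + 2; }
        i += 2 + (size_t)o[i + 1];
    }
    return NULL;
}

/* Write "name=a.b.c.d a.b.c.d" into dest. Returns 0 on success, -1 if the
 * value is not a whole number of IPv4 addresses or would not fit in dest. */
static int format_ip_list(const char *name, const uint8_t *v, size_t len,
                          char *dest, size_t destsz)
{
    if (len == 0 || len % 4 != 0) return -1;
    int w = snprintf(dest, destsz, "%s=", name);
    if (w < 0 || (size_t)w >= destsz) return -1;
    size_t used = (size_t)w;
    for (size_t i = 0; i < len; i += 4) {
        w = snprintf(dest + used, destsz - used, "%s%d.%d.%d.%d",
                     i ? " " : "", v[i], v[i + 1], v[i + 2], v[i + 3]);
        if (w < 0 || (size_t)w >= destsz - used) return -1;  /* truncated */
        used += (size_t)w;
    }
    return 0;
}

/* Constructed inputs: a valid DNS option (code 6) and one whose length byte
 * claims 200 bytes although only 4 follow. */
static const uint8_t GOOD[] = { 6, 8, 10,0,0,1, 10,0,0,2, 0xff };
static const uint8_t BAD[]  = { 6, 200, 10,0,0,1, 0xff };
static char env[32];
/* Returns 0 and fills env on success, -1 if the option is rejected. */
static int dns_env(const uint8_t *opts, size_t n, size_t destsz)
{
    size_t len;
    const uint8_t *v = find_option(opts, n, 6, &len);
    return v ? format_ip_list("dns", v, len, env, destsz) : -1;
}
```
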

Notes
(0012054)
bernhardf
09-25-08 08:59

Note that the standalone udhcp client/server is not maintained anymore since it was moved to busybox. Use the udhcp in busybox instead.

Please let me know if your problem is fixed in busybox or not.
 

Issue History
Date Modified Username Field Change
12-16-07 23:24 makelaa New Issue
12-16-07 23:24 makelaa File Added: udhcp_robustness_fixes.patch
09-25-08 08:59 bernhardf Note Added: 0012054
09-28-08 16:16 vda Project udhcp => BusyBox

