[isf-wifidog] seg fault

acv acv at miniguru.ca
Mon 28 Jul 16:57:28 EDT 2008


On the surface, it looks like the bug is caused by inet_ntoa() not returning
a null-terminated string; that's why strlen() segfaults: it runs past the
end of the string. This could be caused by inet_ntoa() failing, by the
ioctl() call failing, or even by the memcpy() bit just below.

Code snippet (lines 176-185 from src/util.c):

176        if (ioctl (sockd, SIOCGIFADDR, &if_data) < 0) {
177                debug(LOG_ERR, "ioctl(): SIOCGIFADDR %s", strerror(errno));
178                return NULL;
179        }
180        memcpy ((void *) &ip, (void *) &if_data.ifr_addr.sa_data + 2, 4);
181        in.s_addr = ip;
182
183        ip_str = (char *)inet_ntoa(in);
184        close(sockd);
185        return safe_strdup(ip_str);

	ioctl() errors are checked. Either the memcpy() call or its
pointer arithmetic is off? sa_data in a sockaddr_in struct starts
with a 16-bit value, so the math looks OK. This stumps me right now;
what's the distro? Ubuntu 7.10?

Alex

On Mon, Jul 28, 2008 at 04:15:08PM -0400, Clifford Thurber wrote:
> Date: Mon, 28 Jul 2008 16:15:08 -0400
> From: "Clifford Thurber" <clifford at hdn.net>
> To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
> Subject: Re: [isf-wifidog] seg fault
> 
> [root at wifidog src]# ifconfig eth1
> eth1      Link encap:Ethernet  HWaddr 00:18:8B:2E:B1:A5
>           inet addr:216.193.211.3  Bcast:216.193.211.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:194391 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:12474968 (11.8 MiB)  TX bytes:16381 (15.9 KiB)
>           Interrupt:16 Memory:f8000000-f8012100
> 
> On Mon, Jul 28, 2008 at 4:11 PM, acv <acv at miniguru.ca> wrote:
> 
> > On Mon, Jul 28, 2008 at 03:43:14PM -0400, Clifford Thurber wrote:
> > >
> > > Program received signal SIGSEGV, Segmentation fault.
> > > 0x0000003ea6280eb0 in strlen () from /lib64/libc.so.6
> > > Missing separate debuginfos, use: debuginfo-install glibc.x86_64
> > > (gdb) bt
> > > #0  0x0000003ea6280eb0 in strlen () from /lib64/libc.so.6
> > > #1  0x0000003ea6280be6 in strdup () from /lib64/libc.so.6
> > > #2  0x000000000040bfdc in safe_strdup ()
> > > #3  0x0000000000409c64 in get_iface_ip ()
> > > #4  0x000000000040720b in main_loop ()
> > > #5  0x00000000004078a2 in main ()
> > > (gdb) exit
> >
> >         This is very strange. What's the output of ifconfig for that
> > interface?
> >
> > Alex
> >
> > _______________________________________________
> > WiFiDog mailing list
> > WiFiDog at listes.ilesansfil.org
> > http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
> >

> _______________________________________________
> WiFiDog mailing list
> WiFiDog at listes.ilesansfil.org
> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url: http://listes.ilesansfil.org/pipermail/wifidog/attachments/20080728/b9903641/attachment.pgp 


More information about the WiFiDog mailing list