Hello James,

On 12/05/2011 06:47 AM, James Harper wrote:
> The crash I describe below is caused by an off-by-one error in
> accurate.c...
>
> In accurate_cmd, a blank chksum is not included in the length passed to
> accurate_add_file, but in accurate_add_file, the blank chksum takes up
> one byte and so will trigger the overrun detection if the buffer happens
> to be the last in the "big buf", which is the case in my crash.
>
> This crash would occur only when:
> . chksum is blank
> . accurate entry is last in the "big buf"
> . accurate entry size == "big buf" remaining and so an overrun overruns
> "big buf"
>
> The following patch fixes the bug for me:
Thanks for pinning down this problem. I think that allocating 1 extra byte as
we did in the previous version will handle this problem.

Unfortunately, the previous code was:

   /* TODO: see if len contains already the 3 \0 */
   item = (CurFile *)jcr->file_list->hash_malloc(sizeof(CurFile)+len+3);

And the new code is

   item = (CurFile *)jcr->file_list->hash_malloc(sizeof(CurFile)+len);

This is a serious issue that was easy to avoid... :(

Thanks

> diff --git a/bacula/src/filed/accurate.c b/bacula/src/filed/accurate.c
> index 3a043a3..a8446c9 100644
> --- a/bacula/src/filed/accurate.c
> +++ b/bacula/src/filed/accurate.c
> @@ -223,8 +223,13 @@ static bool accurate_add_file(JCR *jcr, uint32_t
> len,
> item->lstat = item->fname+strlen(item->fname)+1;
> strcpy(item->lstat, lstat);
>
> - item->chksum = item->lstat+strlen(item->lstat)+1;
> - strcpy(item->chksum, chksum);
> + if (!strlen(chksum)) {
> + /* re-use the null at the end of lstat */
> + item->chksum = item->lstat+strlen(item->lstat);
> + } else {
> + item->chksum = item->lstat+strlen(item->lstat)+1;
> + strcpy(item->chksum, chksum);
> + }
>
> item->delta_seq = delta;
>
> James
>
>> -----Original Message-----
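Review bot: the hunk removes the one-byte overrun for the blank-chksum case but keeps accurate_add_file dependent on the caller's accounting: the non-blank else branch still strcpy()s strlen(chksum)+1 bytes on the assumption that accurate_cmd included them in len, and nothing in the function checks len against what it writes. Since the crash was only caught because the entry happened to be last in the "big buf" (smartall's overrun check fired), a cheap sanity check at the top of accurate_add_file that compares len with strlen(fname)+strlen(lstat)+strlen(chksum) plus the terminators, failing loudly instead of writing, would turn a silent heap corruption into a diagnosable error for any future mismatch. Aliasing item->chksum to the NUL that ends lstat is fine as long as chksum is only ever read, which is worth stating in the comment so nobody later writes through that pointer.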
>> From: James Harper
>> Sent: Monday, 5 December 2011 3:08 PM
>> To: James Harper; bacula-devel@lists.sourceforge.net
>> Subject: RE: [Bacula-devel] crash in 5.2.2
>>
>>>
>>> I'm getting a consistent crash on one Windows 2008 R2 server:
>>>
>>> 05-Dec 12:50 bitdc1-fd: ABORTING due to ERROR in
>>> /home/kern/bacula/k/bacula/src/lib/smartall.c:216
>>> Overrun buffer: len=9830441 addr=40d0068 allocated:
>>> /home/kern/bacula/k/bacula/src/lib/htable.c:72 called from
>>> /home/kern/bacula/k/bacula/src/lib/htable.c:91
>>>
>>
>> This is happening at the end of the accurate 'seen' code I think:
>>
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/lib/htable.c:79-0 malloc
>> buf=4070068 size=9830400 rem=9830376
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/lib/htable.c:112-0 Created
> new
>> big buffer of 9830400 bytes
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/filed/accurate.c:234-0 add
>> fname=<C:/Windows/winsxs/amd64_microsoft-windows-mediaplayer-
>> core_31bf3856ad364e35_6.1.7600.16385_none_675eb4c668cac03c/WMPPlay
>> er-ppdlic.xrm-ms> lstat=A A IH/ B A A A wz A A BKW+Ue BKW+Ue BKW+Ue A
>> A M delta_seq=0 chksum=
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/filed/accurate.c:234-0 add
>> fname=<C:/Windows/winsxs/amd64_microsoft-windows-mediaplayer-
>> core_31bf3856ad364e35_6.1.7600.16385_none_675eb4c668cac03c/wmpshar
>> e.exe> lstat=A A IH/ B A A A ZIA A A BKW9AA BKW+Hs BKW9AA A A M
>> delta_seq=0 chksum=
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/filed/accurate.c:234-0 add
>> fname=<C:/Windows/winsxs/amd64_microsoft-windows-mediaplayer-
>> core_31bf3856ad364e35_6.1.7600.16385_none_675eb4c668cac03c/> lstat=A
>> A EH/ B A A A A A A BKXBkT BKXBkT BKXBkR A A M delta_seq=0 chksum=
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/filed/accurate.c:234-0 add
>> fname=<C:/Windows/winsxs/amd64_microsoft-windows-mediaplayer-
>> core_31bf3856ad364e35_6.1.7600.16415_none_67aa66206891f9cc/avtranspo
>> rt.xml> lstat=A A IH/ B A A A E2C A A BKW9BW BKMB1Y BKW9BW A A M
>> delta_seq=0 chksum=
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/filed/accurate.c:234-0 add
>> fname=<C:/Windows/winsxs/amd64_microsoft-windows-mediaplayer-
>> core_31bf3856ad364e35_6.1.7600.16415_none_67aa66206891f9cc/connectio
>> nmanager_dmr.xml> lstat=A A IH/ B A A A BT/ A A BKW9BW BKMB1Y
>> BKW9BW A A M delta_seq=0 chksum=
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/filed/accurate.c:234-0 add
>> fname=<C:/Windows/winsxs/amd64_microsoft-windows-mediaplayer-
>> core_31bf3856ad364e35_6.1.7600.16415_none_67aa66206891f9cc/DMR_120.
>> jpg> lstat=A A IH/ B A A A uj A A BKW9BW BKMB1W BKW9BW A A M
>> delta_seq=0 chksum=
>> ...
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/filed/accurate.c:159-0
> deleted
>> fname=C:/Windows/SoftwareDistribution/Download/f0c6519c2159e158a5a6
>> 809e0034014a/cbshandler/state seen=0
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/filed/accurate.c:159-0
> deleted
>> fname=C:/ProgramData/Microsoft/Windows/WER/ReportQueue/Critical_6.1
>> .7601_6d9bc88e5a3ea1e6a04e40309422f28fc0f47026_070c770d/Report.wer
>> seen=0
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/filed/accurate.c:159-0
> deleted
>> fname=C:/Users/administrator.SBSSWG/AppData/Local/Microsoft/Windows
>> /Temporary Internet Files/Content.IE5/V3S0WCGX/french-flag[1].jpg
>> seen=0
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/lib/htable.c:90-0 free
> malloc
>> buf=49e0068
>> bitdc1-fd: /home/kern/bacula/k/bacula/src/lib/htable.c:90-0 free
> malloc
>> buf=4070068<crash here>
>>
>> Am I reading correctly that Bacula allocated a buffer of 9830400 bytes
> in
>> length but then went 41 bytes over the end?
>>
>> James
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure
> contains a definitive record of customers, application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> Bacula-devel mailing list
> Bacula-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bacula-devel

-- 
Need professional help and support for Bacula ? Visit http://www.baculasystems.com
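To make the length mismatch discussed in this thread concrete, here is an added example in C. It is not Bacula's code: it models an accurate entry as three NUL-terminated strings (fname, lstat, chksum) packed back to back, with pack_entry() implementing both the pre-patch layout (chksum always gets its own copy, so an empty chksum still costs one NUL) and the patched layout (an empty chksum re-uses lstat's terminator). The caller_len() formula is an assumption reconstructed from James's description of accurate_cmd (a blank chksum contributes nothing to len), and the sample strings in main() are constructed, not taken from the log above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction (assumption, not Bacula's code) of the length
 * the caller passes down: fname and lstat with their NULs, plus chksum and
 * its NUL only when chksum is non-empty. */
size_t caller_len(const char *fname, const char *lstat, const char *chksum)
{
    size_t n = strlen(fname) + 1 + strlen(lstat) + 1;
    if (strlen(chksum) > 0) {
        n += strlen(chksum) + 1;
    }
    return n;
}

/* Pack the entry into dst (capacity cap bytes). Mirrors the two layouts in
 * the patch: with reuse_lstat_nul == 0 chksum is always copied with its own
 * NUL (pre-patch behaviour); with reuse_lstat_nul == 1 a blank chksum is
 * not written at all and would alias the NUL that ends lstat (patched).
 * Every write is bounds-checked: returns bytes used, or -1 if the entry
 * would run past cap, the situation smartall.c reports as "Overrun buffer". */
long pack_entry(char *dst, size_t cap, const char *fname, const char *lstat,
                const char *chksum, int reuse_lstat_nul)
{
    const char *parts[3] = { fname, lstat, chksum };
    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        if (i == 2 && reuse_lstat_nul && chksum[0] == '\0') {
            break;                       /* patched layout: nothing to write */
        }
        size_t n = strlen(parts[i]) + 1; /* payload plus terminating NUL */
        if (off + n > cap) {
            return -1;                   /* refuse to overrun instead of corrupting */
        }
        memcpy(dst + off, parts[i], n);
        off += n;
    }
    return (long)off;
}

/* Size a buffer exactly as the caller would and try to pack into it.
 * Returns 1 if the entry fits, 0 if it would have overrun. */
int fits_in_caller_len(const char *fname, const char *lstat,
                       const char *chksum, int reuse_lstat_nul)
{
    size_t len = caller_len(fname, lstat, chksum);
    char *buf = malloc(len);
    if (!buf) {
        return 0;
    }
    int ok = pack_entry(buf, len, fname, lstat, chksum, reuse_lstat_nul) >= 0;
    free(buf);
    return ok;
}

int main(void)
{
    /* constructed sample values */
    const char *fname = "C:/example/file.txt";
    const char *lstat = "A A IH/ B A A A wz A A M";

    printf("blank chksum, pre-patch layout: fits=%d\n",
           fits_in_caller_len(fname, lstat, "", 0));
    printf("blank chksum, patched layout:   fits=%d\n",
           fits_in_caller_len(fname, lstat, "", 1));
    printf("chksum set,   pre-patch layout: fits=%d\n",
           fits_in_caller_len(fname, lstat, "abc", 0));
    return 0;
}
```

The pre-patch layout fails only for the blank-chksum case, by exactly the one byte James counted; the patched layout fits because both sides now skip the blank checksum. That agreement is still implicit, which is why the bounds check in pack_entry() is the part worth keeping in mind: a packing routine that refuses to write past the length it was given fails on the first bad entry instead of only when the entry happens to sit at the end of a larger allocation.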