Some more info. This time I tried to run it under valgrind:
==30857== Invalid read of size 8
==30857== at 0x63F8E4A: RC4 (in /usr/lib/libcrypto.so.0.9.8)
==30857== by 0x60F1970: torrent::RC4::crypt(void*, unsigned) (rc4.h:55)
==30857== by 0x60F19C7: torrent::EncryptionInfo::decrypt(void*, unsigned) (encryption_info.h:51)
==30857== by 0x60EEA36: torrent::Handshake::read_bitfield() (handshake.cc:595)
==30857== by 0x60EFBEA: torrent::Handshake::event_read() (handshake.cc:734)
==30857== by 0x608CEAF: torrent::PollEPoll::perform() (poll_epoll.cc:135)
==30857== by 0x477054: (within /usr/bin/rtorrent)
==30857== by 0x432B05: (within /usr/bin/rtorrent)
==30857== by 0x78DCB43: (below main) (in /lib/libc-2.6.1.so)
==30857== Address 0xA4C0FE8 is 512 bytes inside a block of size 516 alloc'd
==30857== at 0x4C220C5: operator new[](unsigned long) (vg_replace_malloc.c:199)
==30857== by 0x6085F9C: torrent::Bitfield::allocate() (bitfield.h:78)
==30857== by 0x60EE8CE: torrent::Handshake::read_bitfield() (handshake.cc:582)
==30857== by 0x60EFBEA: torrent::Handshake::event_read() (handshake.cc:734)
==30857== by 0x608CEAF: torrent::PollEPoll::perform() (poll_epoll.cc:135)
==30857== by 0x477054: (within /usr/bin/rtorrent)
==30857== by 0x432B05: (within /usr/bin/rtorrent)
==30857== by 0x78DCB43: (below main) (in /lib/libc-2.6.1.so)
516 sounds a lot like 512 + 4, and maybe it should have been + 8.
And:
==30857== Syscall param socketcall.recvfrom(buf) points to unaddressable byte(s)
==30857== at 0x7993645: recv (in /lib/libc-2.6.1.so)
==30857== by 0x60E847E: torrent::SocketStream::read_stream(void*, unsigned) (socket_stream.h:86)
==30857== by 0x60E7FD1: torrent::SocketStream::read_stream_throws(void*, unsigned) (socket_stream.cc:59)
==30857== by 0x60FE802: torrent::PeerConnectionSeed::event_read() (peer_connection_seed.cc:234)
==30857== by 0x608CEAF: torrent::PollEPoll::perform() (poll_epoll.cc:135)
==30857== by 0x477054: (within /usr/bin/rtorrent)
==30857== by 0x432B05: (within /usr/bin/rtorrent)
==30857== by 0x78DCB43: (below main) (in /lib/libc-2.6.1.so)
==30857== Address 0xAEF0288 is 0 bytes after a block of size 536 alloc'd
==30857== at 0x4C22425: operator new(unsigned long) (vg_replace_malloc.c:167)
==30857== by 0x60F8977: torrent::PeerConnectionBase::PeerConnectionBase() (peer_connection_base.cc:82)
==30857== by 0x60FF882: torrent::PeerConnectionSeed::PeerConnectionSeed() (peer_connection_seed.h:46)
==30857== by 0x60FF810: torrent::createPeerConnectionSeed(bool) (peer_factory.cc:58)
==30857== by 0x60CDB6A: torrent::ConnectionList::insert(torrent::PeerInfo*, torrent::SocketFd const&, torrent::Bitfield*, torrent::EncryptionInfo*, torrent::ProtocolExtension*) (connection_list.cc:63)
==30857== by 0x60F286A: torrent::HandshakeManager::receive_succeeded(torrent::Handshake*) (handshake_manager.cc:191)
==30857== by 0x60EFCE8: torrent::Handshake::event_read() (handshake.cc:749)
==30857== by 0x608CEAF: torrent::PollEPoll::perform() (poll_epoll.cc:135)
==30857== by 0x477054: (within /usr/bin/rtorrent)
==30857== by 0x432B05: (within /usr/bin/rtorrent)
==30857== by 0x78DCB43: (below main) (in /lib/libc-2.6.1.so)
So, at peer_connection_seed.cc:234 we see:

  m_down->buffer()->move_end(
      m_download->download_throttle()->node_used_unthrottled(
          read_stream_throws(m_down->buffer()->end(),
                             read_size - m_down->buffer()->size_end())));

or:

  read_stream_throws(m_down->buffer()->end(),
                     read_size - m_down->buffer()->size_end())

It's protected by an:

  if (m_down->buffer()->size_end() == read_size)
    throw internal_error("PeerConnectionSeed::event_read() m_down->buffer()->size_end() == read_size.");
The buffer seems to be 512 bytes, read_size seems to be 64.
The check there seems wrong to me; it should probably check for
>= read_size, which seems to suggest that the bug is somewhere else.
Changing that makes it print out that error.
Kurt
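What the quoted guard does and does not prevent, as an added C example that is not code from this thread or from rtorrent/libtorrent: it models a 512-byte receive buffer with read_size 64, the values the message guesses at, and shows that once size_end() has passed read_size the unsigned subtraction read_size - size_end() wraps to a value near UINT_MAX rather than going negative, which is exactly the kind of length a recv() would satisfy past the end of the block. The struct, constants and function names below are assumptions for illustration; the hardened guard is the >= check suggested above plus a clamp to the room actually left in the block.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the receive path discussed in the report. The buffer
 * size (512) and read_size (64) are the values guessed in the message; the
 * struct and function names are assumptions, not libtorrent's own. */
#define BUF_CAPACITY 512u
#define READ_SIZE 64u

struct recv_buffer {
    uint8_t data[BUF_CAPACITY];
    unsigned size_end;          /* bytes already filled, i.e. buffer()->size_end() */
};

/* The length the quoted expression hands to recv(): read_size - size_end in
 * unsigned arithmetic. Once size_end exceeds read_size this wraps to a value
 * near UINT_MAX instead of becoming negative. */
unsigned naive_request_len(unsigned read_size, unsigned size_end)
{
    return read_size - size_end;
}

/* Would a recv() of len bytes at data + size_end stay inside the block? */
int recv_fits(const struct recv_buffer *b, unsigned len)
{
    if (b->size_end > BUF_CAPACITY)
        return 0;                           /* already inconsistent; never read */
    return len <= BUF_CAPACITY - b->size_end;
}

/* Hardened guard: refuse when size_end has reached or passed read_size (the
 * >= check suggested in the message) and clamp the request to the room left
 * in the block. Returns -1 when nothing may be read, 0 and a length otherwise. */
int safe_request_len(const struct recv_buffer *b, unsigned read_size, unsigned *out)
{
    if (b->size_end >= read_size || b->size_end >= BUF_CAPACITY)
        return -1;
    unsigned want = read_size - b->size_end;
    unsigned room = BUF_CAPACITY - b->size_end;
    *out = want < room ? want : room;
    return 0;
}

/* Stand-in for recv(): copies up to len bytes of a constructed peer message
 * into the buffer and refuses (-1) any write that would leave the block,
 * which is the condition valgrind reported at peer_connection_seed.cc:234. */
int simulated_recv(struct recv_buffer *b, const uint8_t *wire, size_t wire_len, unsigned len)
{
    if (!recv_fits(b, len))
        return -1;
    size_t n = wire_len < len ? wire_len : len;
    memcpy(b->data + b->size_end, wire, n);
    b->size_end += (unsigned)n;
    return (int)n;
}

int main(void)
{
    /* Constructed peer bytes standing in for what recv() would return. */
    static const uint8_t wire[8] = { 'p', 'e', 'e', 'r', 'd', 'a', 't', 'a' };
    struct recv_buffer b;
    unsigned len = 0;
    memset(&b, 0, sizeof b);

    /* Normal case: 10 bytes buffered, 54 still wanted, copy fits. */
    b.size_end = 10;
    if (safe_request_len(&b, READ_SIZE, &len) == 0)
        printf("size_end=%u -> request %u bytes, recv returned %d\n",
               b.size_end, len, simulated_recv(&b, wire, sizeof wire, len));

    /* Failure mode: size_end has overshot read_size by one byte. The ==
     * guard does not fire, the naive length wraps, and the write would
     * leave the block; the hardened guard refuses instead. */
    b.size_end = READ_SIZE + 1;
    unsigned bad = naive_request_len(READ_SIZE, b.size_end);
    printf("size_end=%u -> naive length %u, fits=%d, safe=%d\n",
           b.size_end, bad, recv_fits(&b, bad),
           safe_request_len(&b, READ_SIZE, &len));
    return 0;
}
```

The second case is the one an == check cannot catch: a single extra byte in the buffer turns the requested length into roughly four gigabytes, and the only thing standing between that and a heap overwrite is how much the peer chooses to send.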