[FIXED] glibc detected

garfwen
Halfop
Posts: 61
Joined: Wed Mar 12, 2008 5:16 pm

Post by garfwen »

Hello.

I'm having this strange problem:

Code:

*** glibc detected *** ./eggdrop: free(): invalid size: 0x081c7e60 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7d040f1]
/lib/libc.so.6(cfree+0x90)[0xb7d07bc0]
./eggdrop[0x80737f4]
/home/****/server/modules/rcon.so[0xb73f19c0]
./eggdrop[0x806e85f]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb7cb0e8c]
./eggdrop[0x804a151]
Aborted (core dumped)

Any idea?

Thanks,
GaRfWeN
Last edited by garfwen on Sun Jul 12, 2009 7:27 am, edited 1 time in total.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Since your eggie dumped a core, could you use gdb to gather a backtrace and post it? (details found in doc/BUG-REPORT).

Smells like a memory leak in the rcon module though (taken from free(3) manpage):
Crashes in malloc(), free() or realloc() are almost always related to heap corruption, such as overflowing an allocated chunk or freeing the same pointer twice.
NML_375

Post by nml375 »

Oh, also, could you explain what you were doing with your eggdrop upon the crash?
NML_375

Post by garfwen »

Well, here it is:

Code:

#0  0xb7fc67f2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0xb7d88d80 in raise () from /lib/libc.so.6
#2  0xb7d8a691 in abort () from /lib/libc.so.6
#3  0xb7dc124b in __libc_message () from /lib/libc.so.6
#4  0xb7dc90f1 in _int_free () from /lib/libc.so.6
#5  0xb7dccbc0 in free () from /lib/libc.so.6
#6  0x080737f4 in mod_free (ptr=0x81cfd00, modname=0xb74b7ca7 "rcon",
    filename=0xb74b7bbd ".././rcon.mod/rcon.c", line=417) at modules.c:974
#7  0xb74b69c0 in rcon_socket (idx=3, buf=0xbf8c6d88 "", len=0)
    at .././rcon.mod/rcon.c:417
#8  0x0806e85f in main (argc=3, argv=0xbf8c73f4) at ./main.c:991

I am using the "rcon logaddress"; basically, the server sends logs to the eggdrop. When the eggdrop receives a log, it crashes...

Thanks,
GaRfWeN

Post by garfwen »

In the rcon mod I have this on line 417:

Code:

....

  if (buffer) {
    totalexpmem -= RCON_BUFFER_SIZE;
    nfree(buffer);
    buffer = NULL;
  }

....


Post by nml375 »

Do you still have the sources for your rcon.mod lying around?
If so, could you post the rcon_socket function in rcon.c?
NML_375

Post by garfwen »

Here it goes

Code:


static void rcon_socket(int idx, char *buf, int len)
{
  char *buffer = NULL;
  char *bufferptr = NULL;
  int actualsize;
  struct sockaddr_in from;
  unsigned int fromlen;

  buffer = (char *) nmalloc(RCON_BUFFER_SIZE);
  totalexpmem += RCON_BUFFER_SIZE;

  actualsize = recvfrom(rconlistensock, buffer, RCON_BUFFER_SIZE,0,(struct sockaddr *)&from, &fromlen);

  buffer[actualsize-2] = '\0';  // remove \n\0

  bufferptr = buffer + 4; // remove 4 "-1 bits"



  bufferptr = NULL;
  if (buffer) {
    totalexpmem -= RCON_BUFFER_SIZE;
    nfree(buffer);
    buffer = NULL;
  }


}

Edit: Some code got removed.
Last edited by garfwen on Sun Jul 12, 2009 9:09 am, edited 1 time in total.

Post by nml375 »

Google did reveal some similar errors on various Ubuntu systems, following an updated glibc. Apparently this newer version of glibc is rather picky regarding memory management.

From what I can gather, the "buffer" pointer is altered somewhere in that function, which causes free() to bark and bail out. My first suspicions were the commented line "buffer = buffer + 4", yet it was commented in your function as well.
NML_375

Post by nml375 »

Took a while, but I think I've got it (had to dig deep into the soul of malloc()/free()...)

When you malloc some space, the actually reserved memory is larger than the user requested data. This extra data is used to keep track of the allocated memory, and is positioned just before the pointer you get from malloc.

After receiving a message, this is stored in 'buffer', and the number of bytes received is stored in 'actualsize'. Next, 'actualsize' minus 2 is used as an index of 'buffer', but if we received 0 or 1 bytes, that would actually be outside of 'our' memory range, and will actually mess with the above mentioned malloc-data.

Dirty quickfix:

Code:

buffer[actualsize-2] = '\0';
/* Change this into */
if (actualsize > 2)
  buffer[actualsize-2] = '\0';
NML_375
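
The out-of-bounds write nml375 describes, as an added example (not code from the rcon module or from anyone in this thread): `original_index` shows where the unguarded write lands for each `recvfrom()` return value, and `rcon_payload` is a hypothetical hardened helper that rejects error returns and short datagrams before indexing. The value of `RCON_BUFFER_SIZE`, the helper names, the sample packet and the stricter minimum length (header plus the two trailing bytes, rather than the quick fix's `> 2`) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define RCON_BUFFER_SIZE 2048 /* assumed; the real value is not shown in the thread */
#define RCON_HEADER_LEN 4     /* the four leading bytes the module skips */

/* Index that the original line `buffer[actualsize-2] = '\0'` writes to.
 * A negative result lies in front of the allocation, where glibc keeps the
 * chunk size that free() validates ("free(): invalid size"). */
static long original_index(ssize_t actualsize)
{
  return (long) actualsize - 2;
}

/* Hardened variant (hypothetical helper): validate recvfrom()'s return value
 * before indexing. Returns the payload after the header, or NULL when the
 * call failed (-1) or the datagram is too short for header + "\n\0". */
static char *rcon_payload(char *buffer, ssize_t actualsize)
{
  if (actualsize < RCON_HEADER_LEN + 2 || actualsize > RCON_BUFFER_SIZE)
    return NULL;
  buffer[actualsize - 2] = '\0'; /* now guaranteed to be inside the buffer */
  return buffer + RCON_HEADER_LEN;
}

int main(void)
{
  /* Constructed sample datagram: header, log text, then "\n\0". */
  char pkt[RCON_BUFFER_SIZE] = "\xff\xff\xff\xff" "log L 07/12/2009: test\n";
  ssize_t sizes[] = { -1, 0, 1, 2, 5, (ssize_t) strlen(pkt) + 1 };
  size_t i;

  for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
    char *p = rcon_payload(pkt, sizes[i]);
    printf("recvfrom=%ld original index=%ld -> %s\n", (long) sizes[i],
           original_index(sizes[i]), p ? p : "(dropped)");
  }
  return 0;
}
```
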

Post by garfwen »

That's correct.
Fixed. Thanks a lot :D