dhcpcd crash when Ethernet state toggles
Gorman, Brian (Vancouver)
Tue Aug 30 21:23:06 2016
Hi Roy,
We are running dhcpcd-6.9.1 with a few backported fixes from later versions of dhcpcd.
We have observed a crash on Linux that occurs when the Ethernet link goes down and then comes back up in the running state.
The crash seems to be a NULL pointer dereference of "state" in dhcp6_start1() at dhcp6.c:3274 (dhcpcd trunk; line 3153 in our build, per the backtrace below).
In the commit below you added a check for a link-local address that may have stopped the code from reaching this point, but the commit message does not seem related to this crash:
http://roy.marples.name/projects/dhcpcd/info/d88b9b636912b1d0
Do you have any insight into how dhcpcd may have reached this point, or any thoughts on adding a NULL check at the point of failure or elsewhere?
Here is the backtrace:
(gdb) bt full
#0 dhcp6_start1 (arg=0x55ed0) at dhcp6.c:3153
ifp = 0x55ed0
ifo = 0x44008
state = 0x0
i = <optimized out>
dhc = <optimized out>
#1 0x00022cac in ipv6_handleifa (ctx=ctx@entry=0xbe99eb38, cmd=20,
ifs=<optimized out>, ifs@entry=0x0, ifname=ifname@entry=0x55edc "eth0",
addr=addr@entry=0xbe99ea00, prefix_len=64 '@', flags=128) at ipv6.c:1042
ifp = 0x55ed0
state = 0x55de8
ap = <optimized out>
cb = 0x56510
#2 0x0001b088 in link_addr (ifp=<optimized out>, nlm=0x6b778, ctx=0xbe99eb38)
at if-linux.c:671
len = 0
rta = 0x6b7c0
net = {s_addr = 3069923968}
dest = {s_addr = 33022}
addr6 = {__in6_u = {
__u6_addr8 = "\376\200\000\000\000\000\000\000\002\223\272\377\376<R4", __u6_addr16 = {33022, 0, 0, 0, 37634, 65466, 15614, 13394}, __u6_addr32 = {
33022, 0, 4290417410, 877804798}}}
ifa = 0x6b788
addr = {s_addr = 3069811292}
#3 link_netlink (ctx=0xbe99eb38, ifp=<optimized out>, nlm=0x6b778)
at if-linux.c:773
No locals.
#4 0x0001aad4 in get_netlink (ctx=ctx@entry=0xbe99eb38, ifp=ifp@entry=0x0,
fd=5, flags=flags@entry=64, callback=callback@entry=0x1aef7 <link_netlink>)
at if-linux.c:367
buf = 0x6b778 "H"
nbuf = <optimized out>
bytes = 72
buflen = 1125
nlm = 0x6b778
nladdr = {nl_family = 16, nl_pad = 0, nl_pid = 0, nl_groups = 256}
nladdr_len = 12
r = <optimized out>
#5 0x0001b3da in if_managelink (ctx=ctx@entry=0xbe99eb38) at if-linux.c:861
No locals.
#6 0x00013ce6 in handle_link (arg=0xbe99eb38) at dhcpcd.c:933
ctx = 0xbe99eb38
#7 0x0001562c in eloop_start (eloop=0x55d60, signals=signals@entry=0xbe99ebbc)
at eloop.c:774
n = 1
e = <optimized out>
t = <optimized out>
now = {tv_sec = 60712, tv_nsec = 444954000}
ts = {tv_sec = 4, tv_nsec = 58234338}
tsp = <optimized out>
t0 = <optimized out>
epe = {events = 1, data = {ptr = 0x58818, fd = 362520, u32 = 362520,
u64 = 362520}}
timeout = <optimized out>
__PRETTY_FUNCTION__ = "eloop_start"
---Type <return> to continue, or q <return> to quit---
#8 0x0001290a in main (argc=<optimized out>, argv=<optimized out>)
at dhcpcd.c:1849
ctx = {pid_fd = 4,
pidfile = "/var/run/dhcpcd-eth0.pid", '\000' <repeats 18 times>,
cffile = 0x2c568 "/etc/dhcpcd.conf", options = 292172578462422025,
logfile = 0x0, log_fd = -1, argc = 2, argv = 0xbe99ee84, ifac = 0,
ifav = 0x0, ifdc = 0, ifdv = 0x0, ifc = 1, ifv = 0xbe99ee88,
ifcc = 3, ifcv = 0x55e90, duid = 0x561a0 "", duid_len = 14,
ifaces = 0x55dd8, pf_inet_fd = 6, link_fd = 5, sigset = {__val = {
0 <repeats 32 times>}}, eloop = 0x55d60, control_fd = -1,
control_unpriv_fd = -1, control_fds = {tqh_first = 0x0,
tqh_last = 0xbe99ec48}, control_sock = '\000' <repeats 40 times>,
control_group = 0, vivso = 0x0, vivso_len = 0,
randomstate = 0xb6fb51fc <randtbl> "\003", dhcp_opts = 0x54590,
dhcp_opts_len = 122, ipv4_routes = 0x56068, ipv4_kroutes = 0x55db0,
udp_fd = 10, packet = 0x6af40 "E", opt_buffer = 0x0,
secret = '\000' <repeats 63 times>, secret_len = 0,
nd_opts = 0x55a90, nd_opts_len = 6, dhcp6_opts = 0x596b8,
dhcp6_opts_len = 70, ipv6 = 0x6a850}
ifo = 0x0
ifp = 0x0
family = 0
opt = <optimized out>
oi = 0
i = <optimized out>
t = <optimized out>
len = <optimized out>
pid = <optimized out>
sig = <optimized out>
siga = <optimized out>
__func__ = "main"
Thanks,
Brian Gorman