CMS's valgrind tests picked up the following:

```
==24945== Invalid read of size 16
==24945==    at 0x4BCF2EEE: XrdCl::XRootDTransport::ProcessLogInResp(XrdCl::HandShakeData*, XrdCl::XRootDChannelInfo*) (XrdClXRootDTransport.cc:1556)
==24945==    by 0x4BCF55A5: XrdCl::XRootDTransport::HandShakeMain(XrdCl::HandShakeData*, XrdCl::AnyObject&) (XrdClXRootDTransport.cc:390)
==24945==    by 0x4BCF5843: XrdCl::XRootDTransport::HandShake(XrdCl::HandShakeData*, XrdCl::AnyObject&) (XrdClXRootDTransport.cc:326)
==24945==    by 0x4BD50A5C: XrdCl::AsyncSocketHandler::OnReadWhileHandshaking() (XrdClAsyncSocketHandler.cc:692)
==24945==    by 0x4BD511C4: XrdCl::AsyncSocketHandler::Event(unsigned char, XrdCl::Socket*) (XrdClAsyncSocketHandler.cc:233)
==24945==    by 0x4BCE708B: (anonymous namespace)::SocketCallBack::Event(XrdSys::IOEvents::Channel*, void*, int) (XrdClPollerBuiltIn.cc:82)
==24945==    by 0x4BE09E29: XrdSys::IOEvents::Poller::CbkXeq(XrdSys::IOEvents::Channel*, int, int, char const*) (XrdSysIOEvents.cc:692)
==24945==    by 0x4BE0B276: XrdSys::IOEvents::PollE::Dispatch(XrdSys::IOEvents::Channel*, unsigned int) (XrdSysIOEventsPollE.icc:270)
==24945==    by 0x4BE0B449: XrdSys::IOEvents::PollE::Begin(XrdSysSemaphore*, int&, char const**) (XrdSysIOEventsPollE.icc:225)
==24945==    by 0x4BE07CE4: XrdSys::IOEvents::BootStrap::Start(void*) (XrdSysIOEvents.cc:131)
==24945==    by 0x4BE05DE7: XrdSysThread_Xeq (XrdSysPthread.cc:86)
==24945==    by 0x750AAA0: start_thread (in /lib64/libpthread-2.12.so)
==24945==  Address 0x292b1e98 is 0 bytes after a block of size 8 alloc'd
==24945==    at 0x4029BE5: realloc (in /cvmfs/cms-ib.cern.ch/nweek-02477/slc6_amd64_gcc700/external/valgrind/3.12.99-opkfni/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24945==    by 0x4BCF1887: ReAllocate (XrdClBuffer.hh:73)
==24945==    by 0x4BCF1887: XrdCl::XRootDTransport::GetBody(XrdCl::Message*, int) (XrdClXRootDTransport.cc:263)
==24945==    by 0x4BD50456: XrdCl::AsyncSocketHandler::ReadMessage(XrdCl::Message*&) (XrdClAsyncSocketHandler.cc:767)
==24945==    by 0x4BD50A18: XrdCl::AsyncSocketHandler::OnReadWhileHandshaking() (XrdClAsyncSocketHandler.cc:677)
==24945==    by 0x4BD511C4: XrdCl::AsyncSocketHandler::Event(unsigned char, XrdCl::Socket*) (XrdClAsyncSocketHandler.cc:233)
==24945==    by 0x4BCE708B: (anonymous namespace)::SocketCallBack::Event(XrdSys::IOEvents::Channel*, void*, int) (XrdClPollerBuiltIn.cc:82)
==24945==    by 0x4BE09E29: XrdSys::IOEvents::Poller::CbkXeq(XrdSys::IOEvents::Channel*, int, int, char const*) (XrdSysIOEvents.cc:692)
==24945==    by 0x4BE0B276: XrdSys::IOEvents::PollE::Dispatch(XrdSys::IOEvents::Channel*, unsigned int) (XrdSysIOEventsPollE.icc:270)
==24945==    by 0x4BE0B449: XrdSys::IOEvents::PollE::Begin(XrdSysSemaphore*, int&, char const**) (XrdSysIOEventsPollE.icc:225)
==24945==    by 0x4BE07CE4: XrdSys::IOEvents::BootStrap::Start(void*) (XrdSysIOEvents.cc:131)
==24945==    by 0x4BE05DE7: XrdSysThread_Xeq (XrdSysPthread.cc:86)
==24945==    by 0x750AAA0: start_thread (in /lib64/libpthread-2.12.so)
==24945==
==24945== Invalid read of size 1
==24945==    at 0x4BCCB760: XrdCl::Utils::Char2Hex(unsigned char*, unsigned short) (XrdClUtils.cc:470)
==24945==    by 0x4BCF2F0B: XrdCl::XRootDTransport::ProcessLogInResp(XrdCl::HandShakeData*, XrdCl::XRootDChannelInfo*) (XrdClXRootDTransport.cc:1558)
==24945==    by 0x4BCF55A5: XrdCl::XRootDTransport::HandShakeMain(XrdCl::HandShakeData*, XrdCl::AnyObject&) (XrdClXRootDTransport.cc:390)
==24945==    by 0x4BCF5843: XrdCl::XRootDTransport::HandShake(XrdCl::HandShakeData*, XrdCl::AnyObject&) (XrdClXRootDTransport.cc:326)
==24945==    by 0x4BD50A5C: XrdCl::AsyncSocketHandler::OnReadWhileHandshaking() (XrdClAsyncSocketHandler.cc:692)
==24945==    by 0x4BD511C4: XrdCl::AsyncSocketHandler::Event(unsigned char, XrdCl::Socket*) (XrdClAsyncSocketHandler.cc:233)
==24945==    by 0x4BCE708B: (anonymous namespace)::SocketCallBack::Event(XrdSys::IOEvents::Channel*, void*, int) (XrdClPollerBuiltIn.cc:82)
==24945==    by 0x4BE09E29: XrdSys::IOEvents::Poller::CbkXeq(XrdSys::IOEvents::Channel*, int, int, char const*) (XrdSysIOEvents.cc:692)
==24945==    by 0x4BE0B276: XrdSys::IOEvents::PollE::Dispatch(XrdSys::IOEvents::Channel*, unsigned int) (XrdSysIOEventsPollE.icc:270)
==24945==    by 0x4BE0B449: XrdSys::IOEvents::PollE::Begin(XrdSysSemaphore*, int&, char const**) (XrdSysIOEventsPollE.icc:225)
==24945==    by 0x4BE07CE4: XrdSys::IOEvents::BootStrap::Start(void*) (XrdSysIOEvents.cc:131)
==24945==    by 0x4BE05DE7: XrdSysThread_Xeq (XrdSysPthread.cc:86)
==24945==  Address 0x292b1e98 is 0 bytes after a block of size 8 alloc'd
==24945==    at 0x4029BE5: realloc (in /cvmfs/cms-ib.cern.ch/nweek-02477/slc6_amd64_gcc700/external/valgrind/3.12.99-opkfni/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24945==    by 0x4BCF1887: ReAllocate (XrdClBuffer.hh:73)
==24945==    by 0x4BCF1887: XrdCl::XRootDTransport::GetBody(XrdCl::Message*, int) (XrdClXRootDTransport.cc:263)
==24945==    by 0x4BD50456: XrdCl::AsyncSocketHandler::ReadMessage(XrdCl::Message*&) (XrdClAsyncSocketHandler.cc:767)
==24945==    by 0x4BD50A18: XrdCl::AsyncSocketHandler::OnReadWhileHandshaking() (XrdClAsyncSocketHandler.cc:677)
==24945==    by 0x4BD511C4: XrdCl::AsyncSocketHandler::Event(unsigned char, XrdCl::Socket*) (XrdClAsyncSocketHandler.cc:233)
==24945==    by 0x4BCE708B: (anonymous namespace)::SocketCallBack::Event(XrdSys::IOEvents::Channel*, void*, int) (XrdClPollerBuiltIn.cc:82)
==24945==    by 0x4BE09E29: XrdSys::IOEvents::Poller::CbkXeq(XrdSys::IOEvents::Channel*, int, int, char const*) (XrdSysIOEvents.cc:692)
==24945==    by 0x4BE0B276: XrdSys::IOEvents::PollE::Dispatch(XrdSys::IOEvents::Channel*, unsigned int) (XrdSysIOEventsPollE.icc:270)
==24945==    by 0x4BE0B449: XrdSys::IOEvents::PollE::Begin(XrdSysSemaphore*, int&, char const**) (XrdSysIOEventsPollE.icc:225)
==24945==    by 0x4BE07CE4: XrdSys::IOEvents::BootStrap::Start(void*) (XrdSysIOEvents.cc:131)
==24945==    by 0x4BE05DE7: XrdSysThread_Xeq (XrdSysPthread.cc:86)
==24945==    by 0x750AAA0: start_thread (in /lib64/libpthread-2.12.so)
```

It appears that EOS responded to a login response with a zero-sized body, but the code here:

* https://github.com/cms-externals/xrootd/blob/cms/v4.6.1/src/XrdCl/XrdClXRootDTransport.cc#L1556
* https://github.com/cms-externals/xrootd/blob/cms/v4.6.1/src/XrdCl/XrdClXRootDTransport.cc#L1558

assumes that the response size is at least 16 bytes when it does the `memcpy`.

If it's a protocol violation from the remote Xrootd host, then we should chuck the connection instead of reading past the end of the array.

See https://github.com/cms-sw/cmssw/issues/19339#issuecomment-309852962 for CMS discussion.

--
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/530
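
The length check the report asks for, as an added example that is not part of the original message or the XRootD code base: the declared body length is validated against the received bytes and against the 16-byte session id before any copy, so a zero-sized login body is rejected instead of read past. Assumptions: an 8-byte response header with a big-endian `dlen` in its last four bytes, a login body that starts with a 16-byte session id, and hypothetical names throughout (`ParseLoginResponse`, `LoginInfo`, `ToHex`, `MakeResponse`).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Assumed framing: 8-byte header (streamid[2], status, dlen; big-endian),
// then dlen body bytes; a login body begins with a 16-byte session id.
constexpr size_t kHeaderSize = 8;
constexpr size_t kSessIdSize = 16;

enum class LoginParse { Ok, LengthMismatch, ProtocolViolation };

struct LoginInfo {
  uint8_t sessionId[kSessIdSize];
  std::string sessionIdHex;
  size_t secInfoLen = 0;  // bytes of security info following the session id
};

// Hypothetical helper (not XrdCl::Utils::Char2Hex): hex-encode exactly n bytes.
static std::string ToHex(const uint8_t* p, size_t n) {
  static const char digits[] = "0123456789abcdef";
  std::string out;
  for (size_t i = 0; i < n; ++i) {
    out.push_back(digits[p[i] >> 4]);
    out.push_back(digits[p[i] & 0x0f]);
  }
  return out;
}

// Validate every length before touching the body; on any result other than
// Ok the caller should drop the connection rather than keep parsing.
LoginParse ParseLoginResponse(const std::vector<uint8_t>& msg, LoginInfo& out) {
  if (msg.size() < kHeaderSize) return LoginParse::LengthMismatch;
  uint32_t dlen = (uint32_t(msg[4]) << 24) | (uint32_t(msg[5]) << 16) |
                  (uint32_t(msg[6]) << 8) | uint32_t(msg[7]);
  if (dlen != msg.size() - kHeaderSize) return LoginParse::LengthMismatch;
  if (dlen < kSessIdSize) return LoginParse::ProtocolViolation;  // e.g. empty body
  std::memcpy(out.sessionId, msg.data() + kHeaderSize, kSessIdSize);
  out.sessionIdHex = ToHex(out.sessionId, kSessIdSize);
  out.secInfoLen = dlen - kSessIdSize;
  return LoginParse::Ok;
}

// Constructed sample message: header declaring dlen, then bodyLen bytes 0,1,2,...
std::vector<uint8_t> MakeResponse(uint32_t dlen, size_t bodyLen) {
  std::vector<uint8_t> m = {0, 1, 0, 0, uint8_t(dlen >> 24), uint8_t(dlen >> 16),
                            uint8_t(dlen >> 8), uint8_t(dlen)};
  for (size_t i = 0; i < bodyLen; ++i) m.push_back(uint8_t(i));
  return m;
}
```

`MakeResponse(0, 0)` reproduces the case in the trace above: an 8-byte buffer holding only the header, which this parser reports as `ProtocolViolation`.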