
CMS's valgrind tests picked up the following:

==24945== Invalid read of size 16
==24945==    at 0x4BCF2EEE: XrdCl::XRootDTransport::ProcessLogInResp(XrdCl::HandShakeData*, XrdCl::XRootDChannelInfo*) (XrdClXRootDTransport.cc:1556)
==24945==    by 0x4BCF55A5: XrdCl::XRootDTransport::HandShakeMain(XrdCl::HandShakeData*, XrdCl::AnyObject&) (XrdClXRootDTransport.cc:390)
==24945==    by 0x4BCF5843: XrdCl::XRootDTransport::HandShake(XrdCl::HandShakeData*, XrdCl::AnyObject&) (XrdClXRootDTransport.cc:326)
==24945==    by 0x4BD50A5C: XrdCl::AsyncSocketHandler::OnReadWhileHandshaking() (XrdClAsyncSocketHandler.cc:692)
==24945==    by 0x4BD511C4: XrdCl::AsyncSocketHandler::Event(unsigned char, XrdCl::Socket*) (XrdClAsyncSocketHandler.cc:233)
==24945==    by 0x4BCE708B: (anonymous namespace)::SocketCallBack::Event(XrdSys::IOEvents::Channel*, void*, int) (XrdClPollerBuiltIn.cc:82)
==24945==    by 0x4BE09E29: XrdSys::IOEvents::Poller::CbkXeq(XrdSys::IOEvents::Channel*, int, int, char const*) (XrdSysIOEvents.cc:692)
==24945==    by 0x4BE0B276: XrdSys::IOEvents::PollE::Dispatch(XrdSys::IOEvents::Channel*, unsigned int) (XrdSysIOEventsPollE.icc:270)
==24945==    by 0x4BE0B449: XrdSys::IOEvents::PollE::Begin(XrdSysSemaphore*, int&, char const**) (XrdSysIOEventsPollE.icc:225)
==24945==    by 0x4BE07CE4: XrdSys::IOEvents::BootStrap::Start(void*) (XrdSysIOEvents.cc:131)
==24945==    by 0x4BE05DE7: XrdSysThread_Xeq (XrdSysPthread.cc:86)
==24945==    by 0x750AAA0: start_thread (in /lib64/libpthread-2.12.so)
==24945==  Address 0x292b1e98 is 0 bytes after a block of size 8 alloc'd
==24945==    at 0x4029BE5: realloc (in /cvmfs/cms-ib.cern.ch/nweek-02477/slc6_amd64_gcc700/external/valgrind/3.12.99-opkfni/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24945==    by 0x4BCF1887: ReAllocate (XrdClBuffer.hh:73)
==24945==    by 0x4BCF1887: XrdCl::XRootDTransport::GetBody(XrdCl::Message*, int) (XrdClXRootDTransport.cc:263)
==24945==    by 0x4BD50456: XrdCl::AsyncSocketHandler::ReadMessage(XrdCl::Message*&) (XrdClAsyncSocketHandler.cc:767)
==24945==    by 0x4BD50A18: XrdCl::AsyncSocketHandler::OnReadWhileHandshaking() (XrdClAsyncSocketHandler.cc:677)
==24945==    by 0x4BD511C4: XrdCl::AsyncSocketHandler::Event(unsigned char, XrdCl::Socket*) (XrdClAsyncSocketHandler.cc:233)
==24945==    by 0x4BCE708B: (anonymous namespace)::SocketCallBack::Event(XrdSys::IOEvents::Channel*, void*, int) (XrdClPollerBuiltIn.cc:82)
==24945==    by 0x4BE09E29: XrdSys::IOEvents::Poller::CbkXeq(XrdSys::IOEvents::Channel*, int, int, char const*) (XrdSysIOEvents.cc:692)
==24945==    by 0x4BE0B276: XrdSys::IOEvents::PollE::Dispatch(XrdSys::IOEvents::Channel*, unsigned int) (XrdSysIOEventsPollE.icc:270)
==24945==    by 0x4BE0B449: XrdSys::IOEvents::PollE::Begin(XrdSysSemaphore*, int&, char const**) (XrdSysIOEventsPollE.icc:225)
==24945==    by 0x4BE07CE4: XrdSys::IOEvents::BootStrap::Start(void*) (XrdSysIOEvents.cc:131)
==24945==    by 0x4BE05DE7: XrdSysThread_Xeq (XrdSysPthread.cc:86)
==24945==    by 0x750AAA0: start_thread (in /lib64/libpthread-2.12.so)
==24945==
==24945== Invalid read of size 1
==24945==    at 0x4BCCB760: XrdCl::Utils::Char2Hex(unsigned char*, unsigned short) (XrdClUtils.cc:470)
==24945==    by 0x4BCF2F0B: XrdCl::XRootDTransport::ProcessLogInResp(XrdCl::HandShakeData*, XrdCl::XRootDChannelInfo*) (XrdClXRootDTransport.cc:1558)
==24945==    by 0x4BCF55A5: XrdCl::XRootDTransport::HandShakeMain(XrdCl::HandShakeData*, XrdCl::AnyObject&) (XrdClXRootDTransport.cc:390)
==24945==    by 0x4BCF5843: XrdCl::XRootDTransport::HandShake(XrdCl::HandShakeData*, XrdCl::AnyObject&) (XrdClXRootDTransport.cc:326)
==24945==    by 0x4BD50A5C: XrdCl::AsyncSocketHandler::OnReadWhileHandshaking() (XrdClAsyncSocketHandler.cc:692)
==24945==    by 0x4BD511C4: XrdCl::AsyncSocketHandler::Event(unsigned char, XrdCl::Socket*) (XrdClAsyncSocketHandler.cc:233)
==24945==    by 0x4BCE708B: (anonymous namespace)::SocketCallBack::Event(XrdSys::IOEvents::Channel*, void*, int) (XrdClPollerBuiltIn.cc:82)
==24945==    by 0x4BE09E29: XrdSys::IOEvents::Poller::CbkXeq(XrdSys::IOEvents::Channel*, int, int, char const*) (XrdSysIOEvents.cc:692)
==24945==    by 0x4BE0B276: XrdSys::IOEvents::PollE::Dispatch(XrdSys::IOEvents::Channel*, unsigned int) (XrdSysIOEventsPollE.icc:270)
==24945==    by 0x4BE0B449: XrdSys::IOEvents::PollE::Begin(XrdSysSemaphore*, int&, char const**) (XrdSysIOEventsPollE.icc:225)
==24945==    by 0x4BE07CE4: XrdSys::IOEvents::BootStrap::Start(void*) (XrdSysIOEvents.cc:131)
==24945==    by 0x4BE05DE7: XrdSysThread_Xeq (XrdSysPthread.cc:86)
==24945==  Address 0x292b1e98 is 0 bytes after a block of size 8 alloc'd
==24945==    at 0x4029BE5: realloc (in /cvmfs/cms-ib.cern.ch/nweek-02477/slc6_amd64_gcc700/external/valgrind/3.12.99-opkfni/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24945==    by 0x4BCF1887: ReAllocate (XrdClBuffer.hh:73)
==24945==    by 0x4BCF1887: XrdCl::XRootDTransport::GetBody(XrdCl::Message*, int) (XrdClXRootDTransport.cc:263)
==24945==    by 0x4BD50456: XrdCl::AsyncSocketHandler::ReadMessage(XrdCl::Message*&) (XrdClAsyncSocketHandler.cc:767)
==24945==    by 0x4BD50A18: XrdCl::AsyncSocketHandler::OnReadWhileHandshaking() (XrdClAsyncSocketHandler.cc:677)
==24945==    by 0x4BD511C4: XrdCl::AsyncSocketHandler::Event(unsigned char, XrdCl::Socket*) (XrdClAsyncSocketHandler.cc:233)
==24945==    by 0x4BCE708B: (anonymous namespace)::SocketCallBack::Event(XrdSys::IOEvents::Channel*, void*, int) (XrdClPollerBuiltIn.cc:82)
==24945==    by 0x4BE09E29: XrdSys::IOEvents::Poller::CbkXeq(XrdSys::IOEvents::Channel*, int, int, char const*) (XrdSysIOEvents.cc:692)
==24945==    by 0x4BE0B276: XrdSys::IOEvents::PollE::Dispatch(XrdSys::IOEvents::Channel*, unsigned int) (XrdSysIOEventsPollE.icc:270)
==24945==    by 0x4BE0B449: XrdSys::IOEvents::PollE::Begin(XrdSysSemaphore*, int&, char const**) (XrdSysIOEventsPollE.icc:225)
==24945==    by 0x4BE07CE4: XrdSys::IOEvents::BootStrap::Start(void*) (XrdSysIOEvents.cc:131)
==24945==    by 0x4BE05DE7: XrdSysThread_Xeq (XrdSysPthread.cc:86)
==24945==    by 0x750AAA0: start_thread (in /lib64/libpthread-2.12.so)

It appears that EOS responded to a login response with a zero-sized body, but the code here:

assumes that the response size is at least 16 bytes when it does the memcpy.

If it's a protocol violation from the remote Xrootd host, then we should chuck the connection instead of reading past the end of the array.

See cms-sw/cmssw#19339 (comment) for CMS discussion.
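
A length check of the kind the report asks for, as an added example that is not part of the original message and is not XrdCl code. It assumes an 8-byte response header whose last four bytes carry the big-endian body length, followed by a 16-byte session id; `ExtractSessionId`, `LoginCheck` and `MakeResponse` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Sizes assumed for this sketch: 8-byte response header, 16-byte session id.
constexpr size_t kHeaderSize    = 8;
constexpr size_t kSessionIdSize = 16;

enum class LoginCheck { Ok, HeaderTooShort, LengthMismatch, BodyTooShort };

// Hypothetical helper: validate a login response before copying the session id.
// Any result other than Ok means the caller should drop the connection.
LoginCheck ExtractSessionId(const uint8_t *msg, size_t msgSize,
                            uint8_t sessionId[kSessionIdSize])
{
  if (msgSize < kHeaderSize) return LoginCheck::HeaderTooShort;
  // Body length: big-endian 32-bit field in the last 4 header bytes (assumed layout).
  uint32_t dlen = (uint32_t(msg[4]) << 24) | (uint32_t(msg[5]) << 16) |
                  (uint32_t(msg[6]) << 8)  |  uint32_t(msg[7]);
  // The declared length must match the bytes actually held in the buffer.
  if (dlen != msgSize - kHeaderSize) return LoginCheck::LengthMismatch;
  // A zero-sized or short body cannot hold a session id: never memcpy from it.
  if (dlen < kSessionIdSize) return LoginCheck::BodyTooShort;
  std::memcpy(sessionId, msg + kHeaderSize, kSessionIdSize);
  return LoginCheck::Ok;
}

// Constructed sample input: header declaring `dlen`, then `bodyBytes` of 0xAB.
std::vector<uint8_t> MakeResponse(uint32_t dlen, size_t bodyBytes)
{
  std::vector<uint8_t> m(kHeaderSize + bodyBytes, 0xAB);
  std::memset(m.data(), 0, 4);  // stream id and status, zeroed
  m[4] = uint8_t(dlen >> 24); m[5] = uint8_t(dlen >> 16);
  m[6] = uint8_t(dlen >> 8);  m[7] = uint8_t(dlen);
  return m;
}

int main()
{
  uint8_t sid[kSessionIdSize] = {0};
  auto empty = MakeResponse(0, 0);    // 8-byte block, as in the valgrind trace
  auto good  = MakeResponse(16, 16);  // header plus a full session id
  std::printf("empty body -> %d, full body -> %d\n",
              int(ExtractSessionId(empty.data(), empty.size(), sid)),
              int(ExtractSessionId(good.data(), good.size(), sid)));
  return 0;
}
```
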

