Opened 4 years ago

Closed 4 years ago

#5044 closed Bug (duplicate)

SIGSEGV fault in uTP code

Reported by: reardon Owned by:
Priority: Normal Milestone: None Set
Component: Transmission Version: 2.61
Severity: Normal Keywords:
Cc:

Description

Been seeing crashes over the last several weeks. I haven't looked at it further, but the culprit seems to be in the uTP code. In this case, the problem is 'conn' getting trashed somewhere in UTP_ProcessIncoming(). Looking at the code, I don't see how this could happen. It must be conn->selective_ack() just prior which is corrupting the stack, since selack_ptr was in fact non-NULL. 'syn' is also changed, oddly.

The packet itself is at the end of the gdb output.

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff6082700 (LWP 17643)]
[New Thread 0x7ffff5881700 (LWP 17644)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6082700 (LWP 17643)]
UTP_ProcessIncoming (conn=0x7fff00006c75, conn@entry=0x7ffff3ba7b90,
    packet=packet@entry=0x7ffff6080dd0 "!\001[+\306\n\366G\216M}\023\006?`)X\236lt", len=len@entry=27, syn=97, syn@entry=false)
    at utp.cpp:2111
2111            if (conn->state == CS_CONNECTED_FULL && conn->is_writable(conn->get_packet_size())) {

(gdb) bt
#0  UTP_ProcessIncoming (conn=0x7fff00006c75, conn@entry=0x7ffff3ba7b90, 
    packet=packet@entry=0x7ffff6080dd0 "...", len=len@entry=27, syn=97, syn@entry=false)
    at utp.cpp:2111
#1  0x0000000000456842 in UTP_IsIncomingUTP (incoming_proc=incoming_proc@entry=0x41e550 <incoming>, 
    send_to_proc=send_to_proc@entry=0x41e630 <tr_utpSendTo>, send_to_userdata=send_to_userdata@entry=0x6740f0, 
    buffer=buffer@entry=0x7ffff6080dd0 "...", len=len@entry=27, to=0x7ffff6080d50, 
    tolen=tolen@entry=16) at utp.cpp:2580
#2  0x000000000041e6d4 in tr_utpPacket (buf=buf@entry=0x7ffff6080dd0 "!\001[+\306\n\366G\216M}\023\006?`)X\236lt", 
    buflen=buflen@entry=27, from=from@entry=0x7ffff6080d50, fromlen=16, ss=ss@entry=0x6740f0) at tr-utp.c:179
#3  0x000000000041dc44 in event_callback (s=<optimized out>, type=<optimized out>, sv=0x6740f0) at tr-udp.c:225
#4  0x00007ffff799f0c4 in event_process_active_single_queue (activeq=0x676760, base=0x674930) at event.c:1346
#5  event_process_active (base=<optimized out>) at event.c:1416
#6  event_base_loop (base=base@entry=0x674930, flags=flags@entry=0) at event.c:1617
#7  0x00007ffff79a0187 in event_base_dispatch (event_base=event_base@entry=0x674930) at event.c:1446
#8  0x000000000041eef0 in libeventThreadFunc (veh=0x674770) at trevent.c:248
#9  0x000000000041017a in ThreadFunc (_t=0x6747f0) at platform.c:118
#10 0x00007ffff6a58b50 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#11 0x00007ffff67a370d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#12 0x0000000000000000 in ?? ()

(gdb) p conn
$10 = (UTPSocket *) 0x7fff00006c75
(gdb) p *conn
Cannot access memory at address 0x7fff00006c75
(gdb) p selack_ptr
$11 = (const byte *) 0x7ffff6080de6 "\200"
(gdb) x/27x packet
0x7ffff6080dd0: 0x21    0x01    0x5b    0x2b    0xc6    0x0a    0xf6    0x47
0x7ffff6080dd8: 0x8e    0x4d    0x7d    0x13    0x06    0x3f    0x60    0x29
0x7ffff6080de0: 0x58    0x9e    0x6c    0x74    0x00    0x05    0x80    0x00
0x7ffff6080de8: 0x00    0x04    0x70
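To make the description's reasoning about selack_ptr concrete, here is an added example (not Transmission or libutp code) that decodes the ticket's 27-byte packet with a bounds-checked walk of the uTP extension chain. It applies the BEP 29 rule that a selective-ACK bitmask is a non-zero multiple of 4 bytes; the dumped packet carries a 5-byte mask at offset 22 (the same address gdb shows for selack_ptr), so a parser built this way rejects it before any bitmask byte is read. Whether that length is what corrupted the stack is not established by the ticket; the field names and helper functions below are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define UTP_HDR_LEN    20   /* fixed header size, BEP 29 */
#define UTP_EXT_SELACK  1   /* extension id of the selective-ACK bitmask */

/* The 27-byte packet from the ticket's "x/27x packet" dump, copied verbatim. */
static const uint8_t TICKET_PKT[27] = {
    0x21,0x01,0x5b,0x2b,0xc6,0x0a,0xf6,0x47,0x8e,0x4d,0x7d,0x13,0x06,0x3f,0x60,0x29,
    0x58,0x9e,0x6c,0x74,0x00,0x05,0x80,0x00,0x00,0x04,0x70 };

typedef struct { uint8_t type, version, extension; uint16_t conn_id, seq_nr, ack_nr; } utp_hdr;
typedef struct { int ok; size_t selack_off; uint8_t selack_len; } utp_ext_result;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the fields we need from the fixed header; 0 if too short or not v1. */
int utp_parse_hdr(const uint8_t *pkt, size_t len, utp_hdr *h) {
    if (len < UTP_HDR_LEN) return 0;
    h->type = pkt[0] >> 4;  h->version = pkt[0] & 0x0f;
    if (h->version != 1 || h->type > 4) return 0;   /* ST_DATA..ST_SYN are 0..4 */
    h->extension = pkt[1];  h->conn_id = rd16(pkt + 2);
    h->seq_nr = rd16(pkt + 16);  h->ack_nr = rd16(pkt + 18);
    return 1;
}

/* Walk the extension chain. Every length is checked against the packet before
   the body is referenced; a selective-ACK mask must be a non-zero multiple of 4. */
utp_ext_result utp_walk_ext(const uint8_t *pkt, size_t len, uint8_t first_ext) {
    utp_ext_result r = { 1, 0, 0 };
    size_t off = UTP_HDR_LEN;
    for (uint8_t ext = first_ext; ext != 0; ) {
        if (off + 2 > len) { r.ok = 0; break; }            /* no room for ext header */
        uint8_t next = pkt[off], elen = pkt[off + 1];
        if (elen > len - off - 2) { r.ok = 0; break; }      /* body would overrun packet */
        if (ext == UTP_EXT_SELACK) {
            r.selack_off = off + 2;  r.selack_len = elen;   /* where selack_ptr would point */
            if (elen == 0 || elen % 4 != 0) { r.ok = 0; break; }
        }
        off += 2 + elen;  ext = next;
    }
    return r;
}

int main(void) {
    utp_hdr h;
    if (!utp_parse_hdr(TICKET_PKT, sizeof TICKET_PKT, &h)) return 1;
    utp_ext_result r = utp_walk_ext(TICKET_PKT, sizeof TICKET_PKT, h.extension);
    printf("type=%u ext=%u seq=%u ack=%u selack@%zu len=%u -> %s\n", h.type, h.extension,
           h.seq_nr, h.ack_nr, r.selack_off, r.selack_len, r.ok ? "accept" : "reject");
    return 0;
}
```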


Change History (2)

comment:2 Changed 4 years ago by livings124

  • Resolution set to duplicate
  • Status changed from new to closed

I'm going to close this as a duplicate of #5002. This information is quite useful, though.
