gnutls-devel

Re: segfault in _gnutls_recv_server_certificate on FreeBSD (GnuTLS/2.9.1


From: Christian Grothoff
Subject: Re: segfault in _gnutls_recv_server_certificate on FreeBSD (GnuTLS/2.9.10)
Date: Sat, 12 Feb 2011 20:22:12 +0100
User-agent: KMail/1.13.5 (Linux/2.6.35-24-generic; KDE/4.5.1; i686; ; )

On Saturday, February 12, 2011 07:49:37 pm Nikos Mavrogiannopoulos wrote:
> On 02/11/2011 10:22 AM, Christian Grothoff wrote:
> > Hi!
> > 
> > We've had a report of a segfault on FreeBSD in the GNU libmicrohttpd
> > (MHD) bugtracker.  I don't see how MHD could be at fault here, I suspect
> > this is a GnuTLS issue:
> > https://gnunet.org/bugs/view.php?id=1603
> > Please let me know if you find out or know anything about this issue...
> 
> Could you please provide the information on list? The site you
> reference requires login.
> 
> regards,
> Nikos

Sure.


0001603: SEGFAULT in tls_session_time_out_test
Description: FreeBSD 8.1 i386
libmicrohttpd latest SVN version

curl -V:
curl 7.21.1 (i386-unknown-freebsd8.1) libcurl/7.21.1 GnuTLS/2.9.10 zlib/1.2.3
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: IPv6 Largefile NTLM SSL libz
Additional Information: make check-TESTS
curl version: libcurl/7.21.1 GnuTLS/2.9.10 zlib/1.2.3
curl_easy_perform failed: `Timeout was reached'
Error: received handshake message out of context
PASS: tls_daemon_options_test
PASS: mhds_multi_daemon_test
PASS: mhds_get_test
PASS: mhds_get_test_select
PASS: mhds_session_info_test
PASS: tls_thread_mode_test
PASS: tls_multi_thread_mode_test
Segmentation fault (core dumped)
FAIL: tls_session_time_out_test
PASS: tls_authentication_test
======================================
1 of 9 tests failed
Please report to address@hidden
======================================
*** Error code 1

Stop in /root/libmicrohttpd/src/testcurl/https.
*** Error code 1


address@hidden ~/libmicrohttpd/src/testcurl/https]# valgrind .libs/tls_session_time_out_test
==6671== Memcheck, a memory error detector
==6671== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==6671== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==6671== Command: .libs/tls_session_time_out_test
==6671==
vex x86->IR: unhandled instruction bytes: 0xF4 0xED 0xBF 0xBE
==6671== Invalid read of size 1
==6671== at 0xBEBFECDB: ???
==6671== by 0xCFCA1: _gnutls_recv_server_certificate (in /usr/local/lib/libgnutls.so.42)
==6671== by 0xCC66D: _gnutls_handshake_client (in /usr/local/lib/libgnutls.so.42)
==6671== by 0xCD377: gnutls_handshake (in /usr/local/lib/libgnutls.so.42)
==6671== by 0x804915F: main (tls_session_time_out_test.c:68)
==6671== Address 0xb9bec0ab is not stack'd, malloc'd or (recently) free'd
==6671==
==6671==
==6671== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==6671== Access not within mapped region at address 0xB9BEC0AB
==6671== at 0xBEBFECDB: ???
==6671== by 0xCFCA1: _gnutls_recv_server_certificate (in /usr/local/lib/libgnutls.so.42)
==6671== by 0xCC66D: _gnutls_handshake_client (in /usr/local/lib/libgnutls.so.42)
==6671== by 0xCD377: gnutls_handshake (in /usr/local/lib/libgnutls.so.42)
==6671== by 0x804915F: main (tls_session_time_out_test.c:68)
==6671== If you believe this happened as a result of a stack
==6671== overflow in your program's main thread (unlikely but
==6671== possible), you can try to increase the size of the
==6671== main thread stack using the --main-stacksize= flag.
==6671== The main thread stack size used in this run was 16777216.
==6671==
==6671== HEAP SUMMARY:
==6671== in use at exit: 105,213 bytes in 1,454 blocks
==6671== total heap usage: 11,767 allocs, 10,313 frees, 671,300 bytes allocated
==6671==
==6671== LEAK SUMMARY:
==6671== definitely lost: 1,024 bytes in 1 blocks
==6671== indirectly lost: 0 bytes in 0 blocks
==6671== possibly lost: 0 bytes in 0 blocks
==6671== still reachable: 104,189 bytes in 1,453 blocks
==6671== suppressed: 0 bytes in 0 blocks
==6671== Rerun with --leak-check=full to see details of leaked memory
==6671==
==6671== For counts of detected and suppressed errors, rerun with: -v
==6671== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Killed: 9


Thanks!

Christian


