Crash in sendto_kdc.c

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Crash in sendto_kdc.c

mogasale.tech
Hi Team,



This is in continuation with below threads:

              1.
http://mailman.mit.edu/pipermail/kfwdev/2018-February/date.html

              2. http://mailman.mit.edu/pipermail/kfwdev/2018-May/date.html



We could get a crash dump for the scenarios explained above. From the dump,
below are the observations:

   1. The crash is happening within “service_tcp_write” function of
   “sendto_kdc.c”, while executing the if condition “if ((size_t)nwritten <
   SG_LEN(sgp))”.
   2. The issue doesn’t happen for all the requests, but is frequent in a
   specific environment. We have not been able to determine a specific pattern
   yet.
   3. The observed values for relevant fields/variables from one of the
   dumps are as below, all the dumps have the values in same pattern:

conn.state = WRITING

conn.addr.transport = TCP

conn.addr.family = 2

conn.addr.len = 16

conn.out.sgbuf[0] = {len = 4, buff = ‘\0’}

conn.out.sgbuf[1] = {len = 1882, buff = ‘some data’}

conn.out.sgp = {len=??? buf=??? }

conn.out.sg_count = -10339

conn.out.msg_len_buf = ""

nwritten = 3199132154



From the values above, it looks similar to the second possibility suggested
in http://mailman.mit.edu/pipermail/kfwdev/2018-February/000892.html.
However, we do not have any clue yet on what could be causing this.



Any help on this will be appreciated. Thanks


PS: We are using krb5 tag version 1.16-final (
https://github.com/krb5/krb5/blob/krb5-1.16-final/src/lib/krb5/os/sendto_kdc.c
)



Regards,

Rama
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: Crash in sendto_kdc.c

Greg Hudson
[Removing kfwdev from the CC line; we no longer have a separate Windows
development team, so just krbdev is fine.]

On 10/04/2018 08:47 AM, mogasale.tech wrote:
> conn.out.sgbuf[0] = {len = 4, buff = ‘\0’}
> conn.out.sgbuf[1] = {len = 1882, buff = ‘some data’}
> conn.out.sgp = {len=??? buf=??? }
> conn.out.sg_count = -10339
> conn.out.msg_len_buf = ""
> nwritten = 3199132154

Thanks for the additional information.  I think I finally know what is
going wrong here: SOCKET_WRITEV() is trying to return -1, but due to the
intricacies of the C type system, it is being treated as 2^32-1 on
64-bit Windows.

The fix I would like to try is to edit src/include/port-sockets.h and
change the first definition of SOCKET_WRITEV to:

#define SOCKET_WRITEV(FD, SG, LEN, TMP)                         \
     (WSASend((FD), (SG), (LEN), &(TMP), 0, 0, 0) ?              \
      (ssize_t)-1 : (ssize_t)(TMP))

where the change is the addition of the (ssize_t) casts.

Without the casts, the type of the conditional expression is unsigned
32-bit, because -1 has type int and TMP has type DWORD, and unsigned
wins over signed for integer types of equal size.  The quantity -1 in
that type has the value 2^32-1.  When that value is cast to ssize_t
(signed 64-bit on 64-bit Windows), it retains the large positive value
instead of reverting back to -1 as it would on 32-bit Windows.
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: Crash in sendto_kdc.c

mogasale.tech
Thanks Greg. Will try that out and confirm.

Regards,
Rama

On Fri, 5 Oct 2018 at 01:31, Greg Hudson <[hidden email]> wrote:

> [Removing kfwdev from the CC line; we no longer have a separate Windows
> development team, so just krbdev is fine.]
>
> On 10/04/2018 08:47 AM, mogasale.tech wrote:
> > conn.out.sgbuf[0] = {len = 4, buff = ‘\0’}
> > conn.out.sgbuf[1] = {len = 1882, buff = ‘some data’}
> > conn.out.sgp = {len=??? buf=??? }
> > conn.out.sg_count = -10339
> > conn.out.msg_len_buf = ""
> > nwritten = 3199132154
>
> Thanks for the additional information.  I think I finally know what is
> going wrong here: SOCKET_WRITEV() is trying to return -1, but due to the
> intricacies of the C type system, it is being treated as 2^32-1 on
> 64-bit Windows.
>
> The fix I would like to try is to edit src/include/port-sockets.h and
> change the first definition of SOCKET_WRITEV to:
>
> #define SOCKET_WRITEV(FD, SG, LEN, TMP)                         \
>      (WSASend((FD), (SG), (LEN), &(TMP), 0, 0, 0) ?              \
>       (ssize_t)-1 : (ssize_t)(TMP))
>
> where the change is the addition of the (ssize_t) casts.
>
> Without the casts, the type of the conditional expression is unsigned
> 32-bit, because -1 has type int and TMP has type DWORD, and unsigned
> wins over signed for integer types of equal size.  The quantity -1 in
> that type has the value 2^32-1.  When that value is cast to ssize_t
> (signed 64-bit on 64-bit Windows), it retains the large positive value
> instead of reverting back to -1 as it would on 32-bit Windows.
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Reply | Threaded
Open this post in threaded view
|

Re: Crash in sendto_kdc.c

mogasale.tech
In reply to this post by Greg Hudson
Hi Greg,

Sorry for delayed confirmation, it took a while for us to catch hold of the
specific environments where we used to see these issues. Recently we could
test our application with the below suggested fix on environments where we
used to see regular crashes. With this fix, the issue looks resolved and
application is now running smooth with no crashes. Thanks for the valuable
suggestions.

I also see that the fix is already incorporated as part of krb5-1.17. Will
go ahead and use that. Thanks again.

Regards,
Rama

On Fri, 5 Oct 2018 at 01:31, Greg Hudson <[hidden email]> wrote:

> [Removing kfwdev from the CC line; we no longer have a separate Windows
> development team, so just krbdev is fine.]
>
> On 10/04/2018 08:47 AM, mogasale.tech wrote:
> > conn.out.sgbuf[0] = {len = 4, buff = ‘\0’}
> > conn.out.sgbuf[1] = {len = 1882, buff = ‘some data’}
> > conn.out.sgp = {len=??? buf=??? }
> > conn.out.sg_count = -10339
> > conn.out.msg_len_buf = ""
> > nwritten = 3199132154
>
> Thanks for the additional information.  I think I finally know what is
> going wrong here: SOCKET_WRITEV() is trying to return -1, but due to the
> intricacies of the C type system, it is being treated as 2^32-1 on
> 64-bit Windows.
>
> The fix I would like to try is to edit src/include/port-sockets.h and
> change the first definition of SOCKET_WRITEV to:
>
> #define SOCKET_WRITEV(FD, SG, LEN, TMP)                         \
>      (WSASend((FD), (SG), (LEN), &(TMP), 0, 0, 0) ?              \
>       (ssize_t)-1 : (ssize_t)(TMP))
>
> where the change is the addition of the (ssize_t) casts.
>
> Without the casts, the type of the conditional expression is unsigned
> 32-bit, because -1 has type int and TMP has type DWORD, and unsigned
> wins over signed for integer types of equal size.  The quantity -1 in
> that type has the value 2^32-1.  When that value is cast to ssize_t
> (signed 64-bit on 64-bit Windows), it retains the large positive value
> instead of reverting back to -1 as it would on 32-bit Windows.
>
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev