1.2b2 SIGSEGV

From: Michael O'Reilly <michael@dont-contact.us>
Date: 29 Oct 1997 16:38:41 +0800

squid 1.2b2 compiled with ASYNC_IO turned on, and virtual accel turned
on gave....

(gdb) where
#0 0x40089bce in strlen (str=0x72766206 <Address 0x72766206 out of bounds>)
#1 0x42 in ?? ()
#2 0x806d0ef in clientReadRequest (fd=66, data=0x81c09d0) at icp.c:1819
#3 0x8058a13 in comm_select (sec=1) at comm.c:1060
#4 0x8071946 in main (argc=1, argv=0xbffffd7c) at main.c:658
#5 0x804a17e in ___crt_dummy__ ()

now..

(gdb) up
#1 0x42 in ?? ()
(gdb) up
#2 0x806d0ef in clientReadRequest (fd=66, data=0x81c09d0) at icp.c:1819
1819 tmp = xstrdup(conn->in.buf + http->req_sz);
(gdb) print *conn
$17 = {fd = 779513703, in = {
    buf = 0x7276612f <Address 0x7276612f out of bounds>, offset = 1936089176,
    size = 1701670760}, chr = 0x6d74682e, peer = {sin_family = 2573,
    sin_port = 29525, sin_addr = {s_addr = 1093497445}, __pad = "gent: Mo"},
  me = {sin_family = 27002, sin_port = 27756, sin_addr = {s_addr = 775106401},
    __pad = "0 (Win95"}, log_addr = {s_addr = 692658235}, ident = {
    fd = 1866992141,
    ident = "st: www.faa.gov.\r\nAccept: image/gif, image/x-xbitmap, image/jpeg", callback = 0x6d69202c <ypall_foreach+760858776>, state = 795174753},
  commWriteState = 0x65706a70, nrequests = 218762599, persistent = 10,
  defer = {n = 0, until = 0}}

So, it's been overwritten with something pretty wild! (looks like a
request copy over the top of it or something?)

but:

(gdb) print len
$15 = 4095
(gdb) print size
$16 = 215

So it was valid when this function was entered (see source), so it was
ok at least up to the point that read() was called.

So the culprits are either (from my reading of the source):
        conn->in.buf was screwed, and read() did the dirty work.
or
        parseHttpRequest() just blew it all away.

But:
(gdb) print http
$18 = (clientHttpRequest *) 0x81a5cd8
(gdb) print *http
$19 = {conn = 0x81c09d0, request = 0x0,
  url = 0x81d4bc8 "http://www.faa.gov./gif/pdfico2.gif",
  log_url = 0x8189440 "http://www.faa.gov./gif/pdfico2.gif", out = {buf = 0x0,
    offset = 0, size = 0}, req_sz = 215, entry = 0x0, old_entry = 0x0,
  log_type = LOG_TAG_NONE, http_code = 0, accel = 0, start = {
    tv_sec = 878112620, tv_usec = 469901}, http_ver = 1, redirect_state = 0,
  acl_checklist = 0x0, next = 0x0, al = {url = 0x0, http = {method = 0,
      code = 0, content_type = 0x0}, icp = {opcode = ICP_OP_INVALID}, cache = {
      caddr = {s_addr = 0}, size = 0, code = LOG_TAG_NONE, msec = 0,
      ident = 0x0}, hier = {code = HIER_NONE,
      host = '\000' <repeats 127 times>, icp = {start = {tv_sec = 0,
          tv_usec = 0}, stop = {tv_sec = 0, tv_usec = 0}, n_sent = 0,
        n_recv = 0, n_replies_expected = 0, timeout = 0, w_rtt = 0,
        p_rtt = 0}}, headers = {request = 0x0, reply = 0x0}, private = {
      method_str = 0x0}}}
(gdb) print method
$20 = 1
(gdb) print parser_return_code
$21 = 1
(gdb) print *headers
$22 = 82 'R'
(gdb) print headers
$23 = 0x81c09b8 "Referer: http://www.faa.gov./avrX`fshome.htm\r\nUser-Agent: Mozilla/3.0 (Win95; I)\r\nHost: www.faa.gov.\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg\r\n\r\n"
(gdb) print headers_sz
$24 = 165

which seems to imply that conn->in.buf was valid when parseHttpRequest
was called.
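Editor's note, with an added example that is not Squid's source and not the poster's code. The dump above is consistent with the copied headers string having overrun into conn: headers is at 0x81c09b8 and conn (the data argument) at 0x81c09d0, 24 bytes later; the first 24 bytes of headers are "Referer: http://www.faa." and the next four, "gov.", read as a little-endian int are 0x2e766f67 = 779513703, exactly the value shown for conn->fd, while the following bytes "/avr", "X`fs" and "home" match buf = 0x7276612f, offset and size. The C program below rebuilds that layout in one arena with a hypothetical conn_t and a 24-byte slot before it (struct, field names, slot size and arena are assumptions for illustration; the 165-byte headers string is the one from the dump, used as constructed input), shows an unchecked copy of the headers clobbering fd the same way, and the bounded copy that refuses when the string plus its NUL does not fit.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical connection object (not Squid's ConnStateData): an int fd
 * first, as in the dump, then the fields a request parser touches. */
typedef struct {
    int fd;
    int nrequests;
    char *in_buf;
    int in_offset;
    int in_size;
} conn_t;

/* Constructed input: the 165-byte headers string from the gdb dump. */
static const char HEADERS[] =
    "Referer: http://www.faa.gov./avrX`fshome.htm\r\n"
    "User-Agent: Mozilla/3.0 (Win95; I)\r\n"
    "Host: www.faa.gov.\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg\r\n\r\n";

#define SLOT_SIZE  24   /* assumed: bytes available before conn, as in the dump */
#define ARENA_SIZE 512

/* One aligned arena so the adjacency is deterministic instead of depending
 * on malloc's chunk order: headers copy at offset 0, conn at SLOT_SIZE. */
typedef union { long double align; unsigned char bytes[ARENA_SIZE]; } arena_t;

static conn_t *setup(arena_t *a) {
    conn_t *conn;
    memset(a->bytes, 0, sizeof a->bytes);
    conn = (conn_t *)(a->bytes + SLOT_SIZE);
    conn->fd = 66;              /* the fd from the backtrace */
    conn->nrequests = 1;
    conn->in_buf = NULL;
    conn->in_offset = 0;
    conn->in_size = 4096;
    return conn;
}

/* Read fd back with memcpy: after the byte-wise overrun the stored value is
 * whatever bytes landed there, and this keeps the read well-defined. */
static int read_fd(const conn_t *conn) {
    int v;
    memcpy(&v, &conn->fd, sizeof v);
    return v;
}

/* Unchecked copy: writes len+1 bytes no matter how big the slot is. */
static void copy_headers_unchecked(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Bounded copy: returns -1 and writes nothing when src plus NUL exceeds cap. */
static int copy_headers_bounded(char *dst, size_t cap, const char *src, size_t len) {
    if (len + 1 > cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Reproduces the dump: fd ends up holding the header bytes at offset 24,
 * "gov." (0x2e766f67 = 779513703 on a little-endian host). */
int fd_after_unchecked_copy(void) {
    arena_t a;
    conn_t *conn = setup(&a);
    copy_headers_unchecked((char *)a.bytes, HEADERS, strlen(HEADERS));
    return read_fd(conn);
}

/* Same layout, bounded copy: conn keeps fd = 66. */
int fd_after_bounded_copy(void) {
    arena_t a;
    conn_t *conn = setup(&a);
    copy_headers_bounded((char *)a.bytes, SLOT_SIZE, HEADERS, strlen(HEADERS));
    return read_fd(conn);
}

/* The bounded copy's return code for this input: -1, refused. */
int bounded_copy_rc(void) {
    arena_t a;
    setup(&a);
    return copy_headers_bounded((char *)a.bytes, SLOT_SIZE, HEADERS, strlen(HEADERS));
}

/* The int value four characters take in host byte order, for comparison. */
int int_from_bytes(const char *s) {
    int v;
    memcpy(&v, s, sizeof v);
    return v;
}

int main(void) {
    printf("fd after unchecked copy: %d (\"gov.\" as int: %d)\n",
           fd_after_unchecked_copy(), int_from_bytes("gov."));
    printf("fd after bounded copy: %d, rc=%d\n",
           fd_after_bounded_copy(), bounded_copy_rc());
    return 0;
}
```

The check a practitioner wants is the one in copy_headers_bounded: the destination capacity travels with the pointer and the copy fails closed. When adjacent objects show up as ASCII in a crash dump, decoding the clobbered integers as little-endian bytes (fd = "gov.", buf = "/avr") and matching them against the request text is the fastest way to find which copy overran and by how much.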
Received on Tue Jul 29 2003 - 13:15:44 MDT