--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libc6: an interrupted msgrcv() call seems to corrupt sscanf behaviour
- From: Frederic Boiteux <fboiteux@calistel.com>
- Date: Fri, 25 May 2007 15:27:33 +0200
- Message-id: <20070525132733.29853.32526.reportbug@Prem1s.calistel.com>
Package: libc6
Version: 2.3.6.ds1-13
Severity: normal
Hello,
I've found a behaviour difference in a C program, running correctly on
Woody and don't in Sarge or Etch systems.
The problem is in a "%n" converter sometimes not honoured as it should
be, this only after an interrupted IPC message receive.
I've built a testcase (see end of report) to let others reproduce it.
Running the original faulty program with electric-fence library
produced a core with a memory fault in sscanf(), but I didn't reproduce
it with the testcase.
I don't have a Sid computer to test it, but I'll try to build a chroot
to do this.
Here is the C program testcase.c :
/*
Test case for a possible glibc bug.
Frédéric Boiteux <fboiteux@calistel.com>
Scan two times the same string for each word with a sscanf(). Between
them, wait for an IPC message using msgrcv() ; someone should
interrupt this message receive using SIGALRM signal, like with
command : killall -ALRM testcase
The second scan fails, the '%n' converter isn't honoured !
Tested on i386 architecture :
O.K. on Debian GNU/Linux 3.0 (Woody), libc6 version 2.2.5-11.8
Problem on Debian GNU/Linux 3.1 (Sarge), libc6 version 2.3.2.ds1-22sarge6
Problem on Debian GNU/Linux 3.0 (Etch), libc6 version 2.3.6.ds1-13
Sample output :
string='Hello world!!!!', res=1, word='Hello', n=6
string='world!!!!', res=1, word='world!!!!', n=9
string='', res=-1, word='world!!!!', n=-1
msgrcv()=-1, errno=4
string='Hello world!!!!', res=1, word='Hello', n=6
string='world!!!!', res=1, word='world!!!!', n=-1
Problem!
*/
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
struct msgbuf {
long int mtype; /* type of received/sent message */
char mtext[1]; /* text of the message */
};
void scan(char *string)
{
int n, res;
char word[100];
do {
n = -1;
res = sscanf(string, "%s %n", word, &n);
printf("string='%s', res=%d, word='%s', n=%d\n",
string, res, word, n);
if (n >= 0) string += n;
if ((res == 1) && (n < 0)) {
fprintf(stderr, "Problem!\n");
break;
}
} while (res == 1);
}
void nop(int sig) { }
void setsighandler(void)
{
struct sigaction action;
// set a no-op handler on SIGALRM signal
sigemptyset(&action.sa_mask);
action.sa_flags = 0;
action.sa_handler = nop;
if (sigaction(SIGALRM, &action, NULL) == -1)
perror("Err in fonction sigaction !\n");
}
void msget()
{
struct msgbuf msgp;
int qid;
int res;
// create a message queue
if ((qid = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) < 0)
perror("problem in msgget()");
// wait for a message
res = msgrcv(qid, &msgp, 1, 0, 0);
// after signal receive, should return -1 and errno=4 (EINTR)
...
printf("msgrcv()=%d, errno=%d\n", res, errno);
}
int main(void)
{
scan("Hello world!!!!"); // expected result
setsighandler();
msget();
scan("Hello world!!!!"); // fails
return 0;
}
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-dev
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)
Versions of packages libc6 depends on:
ii tzdata 2007b-1 Time Zone and Daylight Saving Time
libc6 recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
- To: Frederic Boiteux <fboiteux@calistel.com>
- Cc: 426000-done@bugs.debian.org
- Subject: Re: libc6: an interrupted msgrcv() call seems to corrupt sscanf behaviour
- From: Aurelien Jarno <aurelien@aurel32.net>
- Date: Mon, 30 Jul 2007 17:32:59 +0200
- Message-id: <20070730153257.GA10930@farad.aurel32.net>
- In-reply-to: <20070525132733.29853.32526.reportbug@Prem1s.calistel.com>
- References: <20070525132733.29853.32526.reportbug@Prem1s.calistel.com>
Version: 2.6-5
On Fri, May 25, 2007 at 03:27:33PM +0200, Frederic Boiteux wrote:
> Package: libc6
> Version: 2.3.6.ds1-13
> Severity: normal
>
>
> Hello,
>
> I've found a behaviour difference in a C program, running correctly on
> Woody and don't in Sarge or Etch systems.
>
> The problem is in a "%n" converter sometimes not honoured as it should
> be, this only after an interrupted IPC message receive.
>
> I've built a testcase (see end of report) to let others reproduce it.
> Running the original faulty program with electric-fence library
> produced a core with a memory fault in sscanf(), but I didn't reproduce
> it with the testcase.
>
> I don't have a Sid computer to test it, but I'll try to build a chroot
> to do this.
>
This bug has been fixed in version 2.6-5. Closing the bug.
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' aurel32@debian.org | aurelien@aurel32.net
`- people.debian.org/~aurel32 | www.aurel32.net
--- End Message ---