
Bug#426000: marked as done (libc6: an interrupted msgrcv() call seems to corrupt sscanf behaviour)



Your message dated Mon, 30 Jul 2007 17:32:59 +0200
with message-id <20070730153257.GA10930@farad.aurel32.net>
and subject line libc6: an interrupted msgrcv() call seems to corrupt sscanf behaviour
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libc6
Version: 2.3.6.ds1-13
Severity: normal


  Hello,

I've found a behaviour difference in a C program which runs correctly on
Woody but not on Sarge or Etch systems.

The problem is a "%n" converter that is sometimes not honoured as it should
be, and only after an interrupted IPC message receive.

I've built a testcase (see end of report) to let others reproduce it.
Running the original faulty program with electric-fence library
produced a core with a memory fault in sscanf(), but I didn't reproduce
it with the testcase.

I don't have a Sid computer to test it, but I'll try to build a chroot 
to do this.

Here is the C program testcase.c :


/*
  Test case for a possible glibc bug.
  Frédéric Boiteux <fboiteux@calistel.com>

  Scan two times the same string for each word with a sscanf(). Between
  them, wait for an IPC message using msgrcv() ; someone should
  interrupt this message receive using SIGALRM signal, like with
  command : killall -ALRM testcase
  The second scan fails, the '%n' converter isn't honoured !

  Tested on i386 architecture :
  O.K.    on Debian GNU/Linux 3.0 (Woody), libc6 version 2.2.5-11.8
  Problem on Debian GNU/Linux 3.1 (Sarge), libc6 version 2.3.2.ds1-22sarge6
  Problem on Debian GNU/Linux 3.0 (Etch),  libc6 version 2.3.6.ds1-13


  Sample output :
string='Hello world!!!!', res=1, word='Hello', n=6
string='world!!!!', res=1, word='world!!!!', n=9
string='', res=-1, word='world!!!!', n=-1
msgrcv()=-1, errno=4
string='Hello world!!!!', res=1, word='Hello', n=6
string='world!!!!', res=1, word='world!!!!', n=-1
Problem!

*/


#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>

#include <errno.h>
#include <signal.h>
#include <stdio.h>


struct msgbuf {
        long int mtype;             /* type of received/sent message */
        char mtext[1];              /* text of the message */
};


void scan(char *string)
{
        int n, res;
        char word[100];

        do {
                n = -1;
                /* "%99s" bounds the write to word[]; "%n" should store the
                   number of characters consumed so far */
                res = sscanf(string, "%99s %n", word, &n);
                printf("string='%s', res=%d, word='%s', n=%d\n",
                       string, res, word, n);
                if (n >= 0) string += n;
                if ((res == 1) && (n < 0)) {
                        fprintf(stderr, "Problem!\n");
                        break;
                }
        } while (res == 1);
}

void nop(int sig) { (void)sig; }

void setsighandler(void)
{
        struct sigaction action;

        // set a no-op handler on SIGALRM signal (no SA_RESTART, so the
        // blocking msgrcv() below is interrupted and returns EINTR)
        sigemptyset(&action.sa_mask);
        action.sa_flags    = 0;
        action.sa_handler  = nop;
        if (sigaction(SIGALRM, &action, NULL) == -1)
                perror("Err in function sigaction");
}

void msget(void)
{
        struct msgbuf msgp;
        int qid;
        ssize_t res;

        // create a message queue
        if ((qid = msgget(IPC_PRIVATE, 0666 | IPC_CREAT)) < 0)
                perror("problem in msgget()");

        // wait for a message
        res = msgrcv(qid, &msgp, 1, 0, 0);
        // after signal receive, should return -1 and errno=4 (EINTR) ...
        printf("msgrcv()=%zd, errno=%d\n", res, errno);

        // remove the queue so it does not linger in the system after exit
        if (qid >= 0)
                msgctl(qid, IPC_RMID, NULL);
}

int main(void)
{
        scan("Hello world!!!!"); // expected result

        setsighandler();
        msget();

        scan("Hello world!!!!"); // fails

        return 0;
}


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-dev
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages libc6 depends on:
ii  tzdata                        2007b-1    Time Zone and Daylight Saving Time

libc6 recommends no packages.

-- no debconf information


--- End Message ---
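As an added example that is not part of the bug report or of glibc: a defensive variant of the report's scan() loop that cross-checks every %n value against an independently computed offset, so an unset or inconsistent %n (the symptom above) is reported instead of being trusted, next to a word counter that does not rely on %n at all. The function names scan_checked and count_words_no_n are my own.

```c
#include <stdio.h>
#include <string.h>

#define WS " \t\n\r\f\v"   /* the whitespace set that "%s" skips */

/* Same "%s %n" loop as the test case, but each %n value is cross-checked
   against where "%99s %n" must have stopped before it is used to advance.
   Returns the number of words scanned, or -1 if %n was not honoured
   (sentinel left untouched, or offset inconsistent with the word read). */
int scan_checked(const char *string)
{
    int words = 0;
    while (*string != '\0') {
        char word[100];
        int n = -1;                 /* sentinel: %n must overwrite this */
        int res = sscanf(string, "%99s %n", word, &n);
        if (res != 1)
            break;                  /* EOF: only whitespace was left */
        /* Independent computation: leading whitespace, the word itself,
           then the trailing whitespace consumed by the " " directive. */
        const char *p = string + strspn(string, WS);
        p += strlen(word);
        p += strspn(p, WS);
        if (n < 0 || string + n != p)
            return -1;              /* %n missing or inconsistent */
        string = p;
        words++;
    }
    return words;
}

/* Equivalent word count that never relies on %n: strspn/strcspn walk the
   string directly, so a misbehaving %n cannot affect the result. */
int count_words_no_n(const char *string)
{
    int words = 0;
    for (;;) {
        string += strspn(string, WS);
        size_t len = strcspn(string, WS);
        if (len == 0)
            break;
        words++;
        string += len;
    }
    return words;
}
```

On a libc where %n behaves, scan_checked() and count_words_no_n() agree on every input; a -1 from scan_checked() on a string the other function counts normally is the report's failure mode.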
--- Begin Message ---
Version: 2.6-5

On Fri, May 25, 2007 at 03:27:33PM +0200, Frederic Boiteux wrote:
> Package: libc6
> Version: 2.3.6.ds1-13
> Severity: normal
> 
> 
>   Hello,
> 
> I've found a behaviour difference in a C program which runs correctly on
> Woody but not on Sarge or Etch systems.
> 
> The problem is a "%n" converter that is sometimes not honoured as it should
> be, and only after an interrupted IPC message receive.
> 
> I've built a testcase (see end of report) to let others reproduce it.
> Running the original faulty program with electric-fence library
> produced a core with a memory fault in sscanf(), but I didn't reproduce
> it with the testcase.
> 
> I don't have a Sid computer to test it, but I'll try to build a chroot 
> to do this.
> 

This bug has been fixed in version 2.6-5. Closing the bug.

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net

--- End Message ---
