Bug#740127: marked as done (libc6-dev: reusing compiled regex causes segfault on regexec)

To: Aurelien Jarno <aurelien@aurel32.net>
Subject: Bug#740127: marked as done (libc6-dev: reusing compiled regex causes segfault on regexec)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 26 Feb 2014 09:57:09 +0000
Message-id: <[🔎] handler.740127.D740127.139340855331569.ackdone@bugs.debian.org>
References: <20140226095550.GH5346@hall.aurel32.net> <[🔎] 20140226015825.18380.66040.reportbug@servant>

Your message dated Wed, 26 Feb 2014 10:55:50 +0100
with message-id <20140226095550.GH5346@hall.aurel32.net>
and subject line Re: Bug#740127: libc6-dev: reusing compiled regex causes segfault on regexec
has caused the Debian Bug report #740127,
regarding libc6-dev: reusing compiled regex causes segfault on regexec
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
740127: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740127
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libc6-dev: reusing compiled regex causes segfault on regexec
From: Kalu <khanatalu@gmail.com>
Date: Wed, 26 Feb 2014 02:58:25 +0100
Message-id: <[🔎] 20140226015825.18380.66040.reportbug@servant>

Package: libc6-dev
Version: 2.17-97
Severity: important



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6-dev depends on:
ii  libc-dev-bin    2.17-97
ii  libc6           2.17-97
ii  linux-libc-dev  3.12.9-1

Versions of packages libc6-dev recommends:
ii  gcc [c-compiler]      4:4.8.2-2
ii  gcc-4.4 [c-compiler]  4.4.7-7
ii  gcc-4.6 [c-compiler]  4.6.4-5
ii  gcc-4.7 [c-compiler]  4.7.3-10
ii  gcc-4.8 [c-compiler]  4.8.2-16

Versions of packages libc6-dev suggests:
pn  glibc-doc     <none>
ii  manpages-dev  3.58-1

-- no debconf information

compiling the and executeing the followning causes a segfault.
compiled with "gcc-4.8 -Wall -g -std=c99 -o test main.c"
escaping the '.' with '\\.' (in regex) reduces the problem but it still exists in form of a crash on the last "non existent match"
reusing the compiled regex crashes with regexec causes the crash.
regfree and recompile evrytime works but is slow and should not be needed.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <regex.h>
#include <sys/types.h>
#include <inttypes.h>

#define MAXIPS 512

const char* const line = "132.32.1.34:6643 132.32.1.34:6643 255.255.255.255:6643 fffff";

typedef struct {
    union {
        int32_t ipaddr;
        uint8_t ip[4];
    };
    uint16_t port;
} ip4nport_t;

void print_regerror (int errcode, regex_t *compiled) {
    size_t length = regerror (errcode, compiled, (char*)NULL, 0);
    char *buffer = (char*)malloc(length);
    (void) regerror(errcode, compiled, buffer, length);
    fprintf(stderr,"%s",buffer);
    free(buffer);
}

int main() {
    regmatch_t match[32];
    ip4nport_t proxys[MAXIPS];
    int proxyindex=0;
    regex_t regexip;
    int error=0;

    memset(match,0,sizeof(regmatch_t)*32);


    if ((error=regcomp(&regexip,"((2[0-5][0-5])|(1{0,1}[0-9]{1,2})).((2[0-5][0-5])|(1{0,1}[0-9]{1,2})).((2[0-5][0-5])|(1{0,1}[0-9]{1,2})).((2[0-5][0-5])|(1{0,1}[0-9]{1,2})):((6[0-5][0-5][0-3][0-5])|([12345]{0,1}[0-9]{1,4}))",REG_EXTENDED))) {
	    print_regerror(error,&regexip);
        return 1;
    }

    printf("subs: %"PRIu64"\n",regexip.re_nsub);
    const char* ptr = line;
    for (int ok=1; ok;) {
        ok = 0;
        printf("in:%s\n",ptr);
        error=regexec(&regexip,ptr,1,match,REG_NOTBOL|REG_NOTEOL);
        printf("err:%d\n",error);
        //regfree(&regexip);
        if (!(error)) {
            ok=1;
            if (MAXIPS<=proxyindex) {printf("max proxys\n"); continue;}
            char tmp[12];
            memset(tmp,0,12);
            memcpy(tmp, ptr + match[0].rm_so, match[0].rm_eo - match[0].rm_so);
            sscanf(tmp,"%"SCNu8".%"SCNu8".%"SCNu8".%"SCNu8":%"SCNu16,&(proxys[proxyindex].ip[0]),&(proxys[proxyindex].ip[1]),&(proxys[proxyindex].ip[2]),&(proxys[proxyindex].ip[3]),&(proxys[proxyindex].port));
            printf("%"PRIu8".%"PRIu8".%"PRIu8".%"PRIu8":%"PRIu16"\n",proxys[proxyindex].ip[0],proxys[proxyindex].ip[1],proxys[proxyindex].ip[2],proxys[proxyindex].ip[3],proxys[proxyindex].port);
            ptr += match[0].rm_eo;
            ++proxyindex;
            /*if ((error=regcomp(&regexip,"((2[0-5][0-5])|(1{0,1}[0-9]{1,2})).((2[0-5][0-5])|(1{0,1}[0-9]{1,2})).((2[0-5][0-5])|(1{0,1}[0-9]{1,2})).((2[0-5][0-5])|(1{0,1}[0-9]{1,2})):((6[0-5][0-5][0-3][0-5])|([12345]{0,1}[0-9]{1,4}))",REG_EXTENDED))) {
                print_regerror(error,&regexip);
            }*/
        } else {
            printf("no match\n");
        }
    }

    return 0;
}

--- End Message ---

--- Begin Message ---

To: Kalu <khanatalu@gmail.com>, 740127-done@bugs.debian.org
Subject: Re: Bug#740127: libc6-dev: reusing compiled regex causes segfault on regexec
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Wed, 26 Feb 2014 10:55:50 +0100
Message-id: <20140226095550.GH5346@hall.aurel32.net>
In-reply-to: <[🔎] 20140226015825.18380.66040.reportbug@servant>
References: <[🔎] 20140226015825.18380.66040.reportbug@servant>

On Wed, Feb 26, 2014 at 02:58:25AM +0100, Kalu wrote:
> Package: libc6-dev
> Version: 2.17-97
> Severity: important
> 
> 
> 
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 3.12-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages libc6-dev depends on:
> ii  libc-dev-bin    2.17-97
> ii  libc6           2.17-97
> ii  linux-libc-dev  3.12.9-1
> 
> Versions of packages libc6-dev recommends:
> ii  gcc [c-compiler]      4:4.8.2-2
> ii  gcc-4.4 [c-compiler]  4.4.7-7
> ii  gcc-4.6 [c-compiler]  4.6.4-5
> ii  gcc-4.7 [c-compiler]  4.7.3-10
> ii  gcc-4.8 [c-compiler]  4.8.2-16
> 
> Versions of packages libc6-dev suggests:
> pn  glibc-doc     <none>
> ii  manpages-dev  3.58-1
> 
> -- no debconf information
> 
> compiling the and executeing the followning causes a segfault.
> compiled with "gcc-4.8 -Wall -g -std=c99 -o test main.c"
> escaping the '.' with '\\.' (in regex) reduces the problem but it still exists in form of a crash on the last "non existent match"
> reusing the compiled regex crashes with regexec causes the crash.
> regfree and recompile evrytime works but is slow and should not be needed.
> 
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>
> #include <regex.h>
> #include <sys/types.h>
> #include <inttypes.h>
> 
> #define MAXIPS 512
> 
> const char* const line = "132.32.1.34:6643 132.32.1.34:6643 255.255.255.255:6643 fffff";
> 
> typedef struct {
>     union {
>         int32_t ipaddr;
>         uint8_t ip[4];
>     };
>     uint16_t port;
> } ip4nport_t;
> 
> void print_regerror (int errcode, regex_t *compiled) {
>     size_t length = regerror (errcode, compiled, (char*)NULL, 0);
>     char *buffer = (char*)malloc(length);
>     (void) regerror(errcode, compiled, buffer, length);
>     fprintf(stderr,"%s",buffer);
>     free(buffer);
> }
> 
> int main() {
>     regmatch_t match[32];
>     ip4nport_t proxys[MAXIPS];
>     int proxyindex=0;
>     regex_t regexip;
>     int error=0;
> 
>     memset(match,0,sizeof(regmatch_t)*32);
> 
> 
>     if ((error=regcomp(&regexip,"((2[0-5][0-5])|(1{0,1}[0-9]{1,2})).((2[0-5][0-5])|(1{0,1}[0-9]{1,2})).((2[0-5][0-5])|(1{0,1}[0-9]{1,2})).((2[0-5][0-5])|(1{0,1}[0-9]{1,2})):((6[0-5][0-5][0-3][0-5])|([12345]{0,1}[0-9]{1,4}))",REG_EXTENDED))) {
> 	    print_regerror(error,&regexip);
>         return 1;
>     }
> 
>     printf("subs: %"PRIu64"\n",regexip.re_nsub);
>     const char* ptr = line;
>     for (int ok=1; ok;) {
>         ok = 0;
>         printf("in:%s\n",ptr);
>         error=regexec(&regexip,ptr,1,match,REG_NOTBOL|REG_NOTEOL);
>         printf("err:%d\n",error);
>         //regfree(&regexip);
>         if (!(error)) {
>             ok=1;
>             if (MAXIPS<=proxyindex) {printf("max proxys\n"); continue;}
>             char tmp[12];
>             memset(tmp,0,12);

You create a temporary buffer of 12 bytes.

>             memcpy(tmp, ptr + match[0].rm_so, match[0].rm_eo - match[0].rm_so);

But copy up to 20 bytes in it (for "255.255.255.255:6643")

Closing the bug as invalid.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net

--- End Message ---

Reply to:

References:
- Bug#740127: libc6-dev: reusing compiled regex causes segfault on regexec
  - From: Kalu <khanatalu@gmail.com>

Prev by Date: Bug#740127: libc6-dev: reusing compiled regex causes segfault on regexec
Next by Date: Bug#740158: [libc6] Libc6, related packages smoked again
Previous by thread: Bug#740127: libc6-dev: reusing compiled regex causes segfault on regexec
Next by thread: Bug#740158: [libc6] Libc6, related packages smoked again
Index(es):
- Date
- Thread