Subject: [bug #37292] http module 'double free's, breaks malloc and can cause SYN-ACK errors
From: Philip
Date: Fri, 07 Sep 2012 08:52:33 +0000
User-agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
URL:
<http://savannah.gnu.org/bugs/?37292>
Summary: http module 'double free's, breaks malloc and can cause SYN-ACK errors
Project: GNU GRUB
Submitted by: philip007
Submitted on: Fri 07 Sep 2012 08:52:32 AM GMT
Category: Network
Severity: Major
Priority: 5 - Normal
Item Group: Software Error
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: Bazaar - trunk
Reproducibility: Every Time
Planned Release: None
_______________________________________________________
Details:
Running on grub-trunk rev 4574.
Attempting to: PXE boot GRUB to boot various OSes over NFS. Need
load_env/save_env to access the environment between boots on diskless systems.
Problem: save_env can only store to disk.
Workaround: Use the (http) module as a workaround and script my way out of it
server side.
Bug report: http module "double free's" or "alloc magic is broken" on "cat"
and "load_env".
How to setup:
PXE boot blobs constructed by grub-mknetdir. No grub.cfg config file is in
use. Needs tftp, http and a working network.
How to reproduce:
Power on client: it will tftp core.0, some modules and *.lst files.
In client console enter:
grub> insmod http
grub> cat (http)/somefilewhichexist
3/5 times the result is "Double Free at 0x1ffd8b60".
1/5 times the result is "Alloc magic is broken at 0x1ffd65d0".
1/5 times the result is "error: connection timeout".
cat always dumps the file output (except in the last case), so I suspect the
double free bug lies in the termination/closure of the http connection/module.
The last error occurs because the http module always uses src port 21550. If
httpd has not yet terminated its socket, an ACK on the sequence number from the
last cycle is re-sent. This causes the http module to time out as no valid
SYN-ACK is received. I suggest randomizing the source port number.
Attached is a pcap file with two cycles. The first cycle resulted in a "Double
free", the second cycle in the "connection timeout" case.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 07 Sep 2012 08:52:32 AM GMT  Name: 50.pcap  Size: 459kB  By: philip007
<http://savannah.gnu.org/bugs/download.php?file_id=26491>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?37292>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
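The source-port collision the report describes, as an added example that is not part of the original post or of GRUB's network stack: a small model of a TCP server whose application has not yet closed the previous connection. Per RFC 793 (and RFC 5961 section 4), a SYN arriving on a 4-tuple that is still in a synchronized state is answered with a plain ACK carrying the current sequence numbers, never with a SYN-ACK, so a client that reuses the same source port and waits only for SYN-ACK times out; a fresh ephemeral port, or the server closing first, gets a normal handshake. All names, the segment layout, the initial sequence numbers, port 49152 and the three-attempt retry are assumptions of this model; the client is modelled as the report says GRUB behaves (retry, then time out) rather than as a full RFC 793 client, which would reply RST to the stale ACK.

```c
/* Model of the fixed-source-port failure from bug #37292. Hypothetical code,
 * not GRUB's net stack: one server connection table, one simplistic client. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { F_SYN = 1, F_ACK = 2, F_FIN = 4, F_RST = 8 };
enum tcp_state { ST_FREE = 0, ST_SYN_RCVD, ST_ESTABLISHED, ST_CLOSE_WAIT };

struct seg  { uint16_t sport; uint8_t flags; uint32_t seq, ack; };   /* assumed layout */
struct conn { enum tcp_state st; uint16_t sport; uint32_t snd_nxt, rcv_nxt; };

#define MAX_CONN 8
struct server { struct conn c[MAX_CONN]; uint32_t next_iss; };

/* Look a connection up by client source port (server port and IPs are fixed here). */
static struct conn *server_find(struct server *s, uint16_t sport, bool create)
{
    for (int i = 0; i < MAX_CONN; i++)
        if (s->c[i].st != ST_FREE && s->c[i].sport == sport)
            return &s->c[i];
    if (!create) return NULL;
    for (int i = 0; i < MAX_CONN; i++)
        if (s->c[i].st == ST_FREE) { s->c[i].sport = sport; return &s->c[i]; }
    return NULL;
}

/* Server receive path. Fills *out with the reply and returns its flags. */
uint8_t server_rx(struct server *s, const struct seg *in, struct seg *out)
{
    struct conn *c = server_find(s, in->sport, false);
    memset(out, 0, sizeof *out);
    out->sport = in->sport;

    if (c == NULL) {                         /* LISTEN: only a SYN opens a connection */
        if (!(in->flags & F_SYN)) { out->flags = F_RST; return F_RST; }
        c = server_find(s, in->sport, true);
        if (c == NULL) { out->flags = F_RST; return F_RST; }
        c->st = ST_SYN_RCVD;
        c->rcv_nxt = in->seq + 1;
        c->snd_nxt = s->next_iss; s->next_iss += 100000;   /* assumed ISS scheme */
        out->flags = F_SYN | F_ACK; out->seq = c->snd_nxt++; out->ack = c->rcv_nxt;
        return out->flags;
    }
    if (in->flags & F_SYN) {
        /* Synchronized state: the SYN is unexpected, so the server sends an ACK with
         * its current numbers (RFC 793 / RFC 5961 sec. 4). This is the "ACK on the
         * sequence number from the last cycle" that the report sees in the pcap. */
        out->flags = F_ACK; out->seq = c->snd_nxt; out->ack = c->rcv_nxt;
        return F_ACK;
    }
    if (c->st == ST_SYN_RCVD && (in->flags & F_ACK) && in->ack == c->snd_nxt)
        c->st = ST_ESTABLISHED;
    if (in->flags & F_FIN) {                 /* peer closed; CLOSE_WAIT until the app closes */
        c->rcv_nxt = in->seq + 1;
        c->st = ST_CLOSE_WAIT;
    }
    out->flags = F_ACK; out->seq = c->snd_nxt; out->ack = c->rcv_nxt;
    return F_ACK;
}

/* httpd finally closes its socket (modelled as dropping the table entry). */
void server_app_close(struct server *s, uint16_t sport)
{
    struct conn *c = server_find(s, sport, false);
    if (c) c->st = ST_FREE;
}

/* Client as the report describes GRUB: send SYN, accept only SYN-ACK, retry,
 * then give up ("error: connection timeout"). Retry count is assumed. */
bool client_connect(struct server *s, uint16_t sport, uint32_t iss)
{
    struct seg syn = { sport, F_SYN, iss, 0 }, reply, ack;
    for (int attempt = 0; attempt < 3; attempt++) {
        if (server_rx(s, &syn, &reply) == (F_SYN | F_ACK)) {
            ack = (struct seg){ sport, F_ACK, iss + 1, reply.seq + 1 };
            server_rx(s, &ack, &reply);
            return true;
        }
    }
    return false;
}

void client_close(struct server *s, uint16_t sport, uint32_t seq)
{
    struct seg fin = { sport, F_FIN | F_ACK, seq, 0 }, reply;
    server_rx(s, &fin, &reply);
}

/* Two fetch cycles back to back. Returns whether the second handshake completes. */
bool two_cycles(uint16_t port1, uint16_t port2, bool server_closes_between)
{
    struct server s; memset(&s, 0, sizeof s); s.next_iss = 1000;
    if (!client_connect(&s, port1, 500)) return false;
    client_close(&s, port1, 501);            /* client FIN; server now in CLOSE_WAIT */
    if (server_closes_between) server_app_close(&s, port1);
    return client_connect(&s, port2, 500);
}

int main(void)
{
    printf("port 21550 reused, httpd not closed: %s\n", two_cycles(21550, 21550, false) ? "SYN-ACK" : "timeout");
    printf("fresh port 49152 second time:        %s\n", two_cycles(21550, 49152, false) ? "SYN-ACK" : "timeout");
    printf("port 21550 reused, httpd closed:     %s\n", two_cycles(21550, 21550, true)  ? "SYN-ACK" : "timeout");
    return 0;
}
```

The model confirms the report's diagnosis: the stale connection, not the SYN itself, is what the server answers, and either a varying source port or the server finishing its close removes the collision. A fully conformant client would instead reset the stale server entry on receiving the unacceptable ACK, which is the other fix a stack can choose.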