[bug #61277] wget crashes when downloading from redirect to ftp
From: Michal Ruprich
Subject: [bug #61277] wget crashes when downloading from redirect to ftp
Date: Mon, 4 Oct 2021 07:55:22 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
URL:
<https://savannah.gnu.org/bugs/?61277>
Summary: wget crashes when downloading from redirect to ftp
Project: GNU Wget
Submitted by: formaiko
Submitted on: Mon 04 Oct 2021 11:55:20 AM UTC
Category: Crash/Freeze/Infloop
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Name: Michal Ruprich
Originator Email:
Open/Closed: Open
Release: None
Discussion Lock: Any
Operating System: GNU/Linux
Reproducibility: Every Time
Fixed Release: None
Planned Release: None
Regression: No
Work Required: None
Patch Included: No
_______________________________________________________
Details:
When downloading multiple files from
http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/
wget-1.21.1 on Fedora crashes with a segfault:
# wget -c
http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso
http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso
--2021-10-04 07:36:51--
http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso
Resolving archive.download.redhat.com (archive.download.redhat.com)...
10.4.204.83
Connecting to archive.download.redhat.com
(archive.download.redhat.com)|10.4.204.83|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location:
ftp://legacy.redhat.com//pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso
[following]
--2021-10-04 07:36:52--
ftp://legacy.redhat.com//pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso
=> ‘valhalla-i386-disc1.iso’
Resolving legacy.redhat.com (legacy.redhat.com)... 10.4.204.83
Connecting to legacy.redhat.com (legacy.redhat.com)|10.4.204.83|:21...
connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/redhat/linux/7.3/en/iso/i386 ... done.
==> SIZE valhalla-i386-disc1.iso ... 668499968
==> PASV ... done. ==> RETR valhalla-i386-disc1.iso ... done.
Length: 668499968 (638M) (unauthoritative)
valhalla-i386-disc1.iso
100%[================================================>] 637.53M 44.8MB/s
in 18s
2021-10-04 07:37:10 (36.3 MB/s) - ‘valhalla-i386-disc1.iso’ saved
[668499968]
--2021-10-04 07:37:10--
http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso
Connecting to archive.download.redhat.com
(archive.download.redhat.com)|10.4.204.83|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location:
ftp://legacy.redhat.com//pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso
[following]
--2021-10-04 07:37:10--
ftp://legacy.redhat.com//pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso
=> ‘valhalla-i386-disc2.iso’
Connecting to legacy.redhat.com (legacy.redhat.com)|10.4.204.83|:21...
connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/redhat/linux/7.3/en/iso/i386 ... done.
==> SIZE valhalla-i386-disc2.iso ... 669319168
==> PASV ... done. ==> RETR valhalla-i386-disc2.iso ... done.
Length: 669319168 (638M) (unauthoritative)
valhalla-i386-disc2.iso
100%[================================================>] 638.31M 31.1MB/s
in 25s
2021-10-04 07:37:36 (25.4 MB/s) - ‘valhalla-i386-disc2.iso’ saved
[669319168]
Segmentation fault (core dumped)
Both files are downloaded fine but after the second file, the crash occurs:
#0 0x0000000559aef3e9 in ?? ()
#1 0x0000559aef0a53dd in find_cell (key=0x559aef3ec4f0, ht=0x559aef3e9d60)
at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/hash.c:321
#2 hash_table_get_pair (value=<synthetic pointer>, orig_key=<synthetic
pointer>, lookup_key=0x559aef3ec4f0,
ht=0x559aef3e9d60) at
/usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/hash.c:354
#3 register_download (file=0x559aef3ca430 "valhalla-i386-disc2.iso",
url=<optimized out>)
at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/convert.c:963
#4 retrieve_url (orig_parsed=0x559aef3f0460,
origurl=0x7ffd0f0885b9
"http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso",
file=0x7ffd0f0873f8, newloc=0x7ffd0f0873f0, refurl=<optimized out>,
dt=0x7ffd0f0873e8, recursive=<optimized out>,
iri=0x559aef3e9980, register_status=true) at
/usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/retr.c:1149
#5 0x0000559aef07236d in main (argc=<optimized out>, argv=0x7ffd0f087668)
at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/main.c:2167
Seems like the size in find_cell is off the limits. First file is ok:
Breakpoint 1, find_cell (key=0x55555560d4f0, ht=0x55555560ad60)
at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/hash.c:320
(gdb) p *ht
$7 = {hash_function = 0x555555570b60 <hash_string>, test_function =
0x555555570d30 <cmp_string>,
cells = 0x555555611380, size = 13, count = 0, resize_threshold = 9,
prime_offset = 1}
After the second file is downloaded:
Breakpoint 1, find_cell (key=0x55555560d4f0, ht=0x55555560ad60)
at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/hash.c:320
(gdb) p *ht
$11 = {hash_function = 0x55555560a, test_function = 0x1bebe0b419b8155c, cells
= 0x2e372f78756e696c,
size = 1852124979, count = 1869834543, resize_threshold = 942893359,
prime_offset = 658742}
Not sure what happens there but I thought I would try to narrow it down by
leaving out -c but in that case I get a totally different crash:
# wget
http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc1.iso
http://archive.download.redhat.com/pub/redhat/linux/7.3/en/iso/i386/valhalla-i386-disc2.iso
#0 __pthread_kill_internal (signo=6, threadid=<optimized out>) at
pthread_kill.c:45
45 val = (INTERNAL_SYSCALL_ERROR_P (val)
(gdb) bt
#0 __pthread_kill_internal (signo=6, threadid=<optimized out>) at
pthread_kill.c:45
#1 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at
pthread_kill.c:62
#2 0x00007ffff7a446b6 in __GI_raise (sig=sig@entry=6) at
../sysdeps/posix/raise.c:26
#3 0x00007ffff7a2e7d3 in __GI_abort () at abort.c:79
#4 0x00007ffff7a85a27 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff7bc15f9 "%s\n")
at ../sysdeps/posix/libc_fatal.c:155
#5 0x00007ffff7a9b74c in malloc_printerr (str=str@entry=0x7ffff7bc40f0
"free(): double free detected in tcache 2")
at malloc.c:5543
#6 0x00007ffff7a9d67f in _int_free (av=0x7ffff7bfbaa0 <main_arena>,
p=0x555555613220, have_lock=0) at malloc.c:4360
#7 0x00007ffff7a9fae5 in __GI___libc_free (mem=<optimized out>) at
malloc.c:3278
#8 0x0000555555562406 in main (argc=<optimized out>, argv=0x7fffffffe288)
at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/main.c:2179
At this point seems like something happens with the filename pointer when
leaving retrieve_url function. The xfree(filename) crashes because filename is
nonsense:
(gdb) f 8
#8 0x0000555555562406 in main (argc=<optimized out>, argv=0x7fffffffe288)
at /usr/src/debug/wget-1.21.1-4.fc35.x86_64/src/main.c:2179
2179 xfree (filename);
(gdb) p filename
$1 = 0x555555613230 "\023VUU\005"
(gdb) p *filename
$2 = 19 '\023'
I was trying to follow the filename string through the retrieve_url function
and even at the end the *file and *local_file point to the same string right
before exiting the retrieve_url function:
(gdb) p local_file
$29 = 0x555555613230 "valhalla-i386-disc2.iso.1"
...
1162 *file = local_file ? local_file : NULL;
(gdb) p file
$31 = (char **) 0x7fffffffe018
(gdb) p *file
$32 = 0x555555613230 "valhalla-i386-disc2.iso.1"
If I try to download both files separately, no crash. I did not get further
yet to narrow this down to anything but if anyone has any idea, I would really
appreciate it.
Thanks and regards,
Michal
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?61277>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
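Added triage example (not part of the original report, and not wget code): it re-serialises the garbage `*ht` fields from the second gdb print above and decodes them, showing that the struct holds ASCII text matching the tail of the logged CWD line, and that its first field equals `ht >> 12`, the pattern left by a freed and reused heap chunk. Assumptions: the x86_64 little-endian field layout implied by the gdb output, the FTP wire form `CWD <dir>\r\n`, glibc safe-linking (2.32 or later), and the helper names, which are hypothetical.

```python
import struct

# Values copied from the second `p *ht` in the report (gdb on x86_64).
HT_ADDR = 0x55555560AD60
CORRUPTED_HT = {
    "hash_function": 0x55555560A,
    "test_function": 0x1BEBE0B419B8155C,
    "cells": 0x2E372F78756E696C,
    "size": 1852124979,
    "count": 1869834543,
    "resize_threshold": 942893359,
    "prime_offset": 658742,
}
# Directory from the "==> CWD (1) ..." log line in the report.
LOGGED_CWD = "/pub/redhat/linux/7.3/en/iso/i386"
# Assumed layout: three 8-byte pointers, then four 4-byte ints, little-endian.
LAYOUT = "<QQQiiii"


def raw_bytes(ht):
    """Re-serialise the printed fields into the 40 bytes gdb read from memory."""
    return struct.pack(LAYOUT, *ht.values())


def trailing_text(ht, skip=16):
    """Decode everything after the first two pointer slots as a C string."""
    tail = raw_bytes(ht)[skip:]
    return tail.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def safe_linked_next(fd, chunk_addr):
    """Undo glibc safe-linking (assumed): stored = (chunk_addr >> 12) ^ next."""
    return fd ^ (chunk_addr >> 12)


def triage(ht, addr, logged_cwd):
    command = "CWD " + logged_cwd + "\r\n"  # assumed FTP wire form
    text = trailing_text(ht)
    return {
        "text": text,
        # Does the decoded text end the CWD line that wget logged?
        "matches_cwd": command.endswith(text),
        # Bytes of the command that would sit before the decoded text.
        "prefix_len": len(command) - len(text),
        # 0 means the freed chunk is the last entry in its tcache bin.
        "tcache_next": safe_linked_next(ht["hash_function"], addr),
    }


if __name__ == "__main__":
    for key, value in triage(CORRUPTED_HT, HT_ADDR, LOGGED_CWD).items():
        print(key, repr(value))
```

A 16-byte prefix is exactly the two pointer slots that the allocator overwrites on free, so a result like this points triage toward the lifetime of the hash table rather than the lookup code in hash.c.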