GnuTLS 3.0.14 gnutls-serv segfaults when an invalid number is passed to --debug

Matthew Hall mhall at mhcomputing.net
Sat Feb 25 03:59:47 CET 2012


While investigating some other bugs in GnuTLS I located this bug in the 
--debug=99999999 option in GnuTLS 3.0.14, which is not present in 3.0.11, due 
to some changes in the way that GnuTLS seems to handle its CLI options.

It is possible the bug is caused by the AutoOpts library.

It seems to be an issue with the format string or arg list used to attempt to 
report that the value passed to --debug is out of the expected range up to 
9999. The bug triggers on any value > 9999.

Regards,
Matthew Hall

GDB OUTPUT:

mhall at mhall-mini1:~/src$ gdb /usr/local/bin/gnutls-serv
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/gnutls-serv...done.
(gdb) set args
(gdb) set args --debug=99999999
(gdb) run
Starting program: /usr/local/bin/gnutls-serv --debug=99999999
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x00282b33 in _IO_vfprintf_internal (s=0xbfffed90, format=0x8067ad2 "%s error:  %s option value ``%s'' is out of range.\n", 
    ap=0xbffff428 "\263\370\377\277\022`\006\b\377\340\365\005\364\277\006\bh\364\377\277h\345\005\b\307\370\377\277\\\364\377\277߁\006\bPh\006\b\240\315\006\b\314\364\377\277\377\340\365\005\364\277\006\b") at vfprintf.c:1614
1614	vfprintf.c: No such file or directory.
	in vfprintf.c
(gdb) bt
#0  0x00282b33 in _IO_vfprintf_internal (s=0xbfffed90, format=0x8067ad2 "%s error:  %s option value ``%s'' is out of range.\n", 
    ap=0xbffff428 "\263\370\377\277\022`\006\b\377\340\365\005\364\277\006\bh\364\377\277h\345\005\b\307\370\377\277\\\364\377\277߁\006\bPh\006\b\240\315\006\b\314\364\377\277\377\340\365\005\364\277\006\b") at vfprintf.c:1614
#1  0x00284512 in buffered_vfprintf (s=0x39b580, format=0x5f5e0ff <Address 0x5f5e0ff out of bounds>, args=0xffffffff <Address 0xffffffff out of bounds>)
    at vfprintf.c:2254
#2  0x0027f413 in _IO_vfprintf_internal (s=0x39b580, format=0x8067ad2 "%s error:  %s option value ``%s'' is out of range.\n", 
    ap=0xbffff428 "\263\370\377\277\022`\006\b\377\340\365\005\364\277\006\bh\364\377\277h\345\005\b\307\370\377\277\\\364\377\277߁\006\bPh\006\b\240\315\006\b\314\364\377\277\377\340\365\005\364\277\006\b") at vfprintf.c:1306
#3  0x00289a8f in __fprintf (stream=0x39b580, format=0x8067ad2 "%s error:  %s option value ``%s'' is out of range.\n") at fprintf.c:33
#4  0x0805e2e0 in optionShowRange (pOpts=0x806cda0, pOD=0x806c4e0, rng_table=0x8066850, rng_ct=1) at numeric.c:56
#5  0x080528b3 in doOptDebug (pOptions=0x806cda0, pOptDesc=0x806c4e0) at serv-args.c:1008
#6  0x08055400 in handle_opt (pOpts=0x806cda0, pOptState=0xbffff500) at autoopts.c:240
#7  0x08055927 in regular_opts (pOpts=0x806cda0) at autoopts.c:515
#8  0x08055b9b in optionProcess (pOpts=0x806cda0, argCt=2, argVect=0xbffff774) at autoopts.c:682
#9  0x0804f42f in cmd_parser (argc=2, argv=0xbffff774) at serv.c:1546
#10 0x0804d9d3 in main (argc=2, argv=0xbffff774) at serv.c:912
(gdb) 
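An added illustration of the bug class visible in the backtrace, not code from GnuTLS or AutoOpts: the crashing call in frame #4 is an fprintf with three %s conversions, and the "out of bounds" address 0x5f5e0ff that gdb prints in frame #1 is 99999999 in decimal, the very value given to --debug, which is consistent with the integer having been handed to a %s conversion and dereferenced as a char *. The block below reproduces that shape in constructed code (struct opt, the sample option and the function names are all hypothetical stand-ins, only the format string is the one from the gdb output), puts the fixed form beside it, and includes the small triage check a practitioner would run on such a frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not GnuTLS or AutoOpts source. RANGE_FMT is the format
 * string shown in the gdb output; struct opt is a hypothetical stand-in for an
 * option descriptor and does not mirror AutoOpts' real types. */
#define RANGE_FMT "%s error:  %s option value ``%s'' is out of range.\n"

struct opt {
    const char *prog;   /* program name */
    const char *name;   /* option name, e.g. "debug" */
    long value;         /* parsed numeric argument */
    long lo, hi;        /* accepted range, inclusive */
};

/* Constructed sample: gnutls-serv --debug=99999999 against an assumed range 0..9999. */
static const struct opt sample = { "gnutls-serv", "debug", 99999999L, 0L, 9999L };

int in_range(const struct opt *o)
{
    return o->value >= o->lo && o->value <= o->hi;
}

/* Buggy shape: a long is handed to a %s conversion, so vfprintf treats the
 * integer as a char * and dereferences it (99999999 == 0x5f5e0ff). The cast
 * only keeps -Wformat quiet here; in real code the warning is lost just as
 * silently whenever the format string is not a literal at the call site.
 * Never call this. */
int show_range_buggy(char *buf, size_t len, const struct opt *o)
{
    return snprintf(buf, len, RANGE_FMT, o->prog, o->name,
                    (const char *)(uintptr_t)o->value);
}

/* Fixed shape: render the number to text first so every %s gets a char *. */
int show_range_fixed(char *buf, size_t len, const struct opt *o)
{
    char num[32];
    snprintf(num, sizeof num, "%ld", o->value);
    return snprintf(buf, len, RANGE_FMT, o->prog, o->name, num);
}

/* Triage helper: a "pointer" in a crash frame that equals an integer argument
 * points at an argument/format type mismatch rather than at heap or stack
 * corruption. */
int pointer_is_int_arg(uintptr_t p, long v)
{
    return p == (uintptr_t)v;
}

/* Message the fixed version produces for the constructed sample. */
const char *sample_message(void)
{
    static char buf[256];
    show_range_fixed(buf, sizeof buf, &sample);
    return buf;
}

int main(void)
{
    if (!in_range(&sample))
        fputs(sample_message(), stderr);
    return 0;
}
```

When the format string reaches fprintf through a variable or a table, GCC and Clang cannot check the argument types; declaring the wrapper with `__attribute__((format(printf, 2, 3)))` restores the check at the wrapper's call sites, and building with -Wformat -Wformat-security makes the mismatch an error instead of a crash found at runtime.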