Bugs: Eggdrop crash with SEGV on tcl control of linked-in bot idx

Espen Wang espen at nepse.net
Wed Jan 26 12:06:19 CST 2005


=====================================================================
              Eggheads Eggdrop 1.6 Bug Report Form
=====================================================================

=====================================================================
1) INFORMATION ABOUT YOUR EGGDROP

1.1) Eggdrop version:
     1.6.17

1.2) Make type:
     ( ) dynamic
     ( ) static
     (X) debug
     ( ) sdebug

1.3) List of any options passed to ./configure:
None

1.4) List of patches and/or modules you use:
None

=====================================================================
2) INFORMATION ABOUT TCL

2.1) Tcl library version:
     ( ) 7.0
     ( ) 7.1
     ( ) 7.2
     ( ) 7.3
     ( ) 7.4
     ( ) 7.5
     ( ) 7.6
     ( ) 8.0
     ( ) 8.1
     ( ) 8.2
     ( ) 8.3
     (X) 8.4
     ( ) 8.5
     ( ) Other - Which? ____

2.2) Tcl library patchlevel: 6 and 7
  eg; p1, p2, etc for Tcl versions up to 8.0p2
      or the 3rd part of the version number for 8.0.3 and newer

2.3) Tcl scripts used:
     [ ] alltools
     [ ] sentinel
     [ ] getops
     [X] others - Please mention all others: proof-of-concept script
included.

=====================================================================
3) INFORMATION ABOUT THE OS

3.1) OS type:
     ( ) BeOS
     ( ) BSD/OS
     ( ) Cygwin
     ( ) Darwin/Mac OS X
     ( ) Dell SVR4
     (X) FreeBSD
     ( ) HP-UX
     ( ) IRIX
     (X) Linux
     ( ) Lynx
     ( ) NetBSD
     ( ) NeXT
     ( ) OpenBSD
     ( ) OSF/Tru64
     ( ) QNX
     ( ) SINIX
     ( ) Solaris/SunOS
     ( ) Ultrix
     ( ) Other - Which? _____________

3.2) OS Version/Release:

FreeBSD 5.3-STABLE
Linux 2.6.10

=====================================================================
4) BUG DETAILS

4.1) The logged last context (example: Last context: userent.c/973 []):

tclhash.c/688 []

4.2) If the bot wrote to the file DEBUG, copy the text -contents- of
     that file here (NOTE: It should be about 20 lines of info, but it
     could be a few lines more):

---- FREEBSD ----

Debug (eggdrop v1.6.17) written Wed Jan 26 17:50:20 2005
Full Patch List:
Tcl library: /usr/local/lib/tcl8.4
Tcl version: 8.4.7 (header version 8.3.5)
Compile flags: gcc -pipe -g -O2 -Wall -I.. -I.. -DHAVE_CONFIG_H -g3
-DDEBUG_ASSERT -DDEBUG_MEM
Link flags: gcc -pipe -g
Strip flags: touch
Context: main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         tclhash.c/216, []
         tclhash.c/238, []
         tclhash.c/680, []
         tclhash.c/684, [Tcl proc: my:bot:link, param:  $_link1 $_link2]
         tclhash.c/688 []

SOCK ADDR     PORT  NICK      HOST              TYPE
---- -------- ----- --------- ----------------- ----
3    CC08DC67 60606 (telnet)  *                 lstn  60606
4    C15A82AF 49543 myser     rovik.multinet.no scri  my:bot:control

File 'language.c' accounted for 15475/15475 (ok)
File 'chanprog.c' accounted for 0/0 (ok)
File 'misc.c    ' accounted for 4028/4028 (ok)
File 'userrec.c ' accounted for 343/343 (ok)
File 'net.c     ' accounted for 0/0 (ok)
File 'dccutil.c ' accounted for 8848/8848 (ok)
File 'botnet.c  ' accounted for 2232/2232 (ok)
File 'tcl.c     ' accounted for 2112/2112 (ok)
File 'tclhash.c ' accounted for 6060/6060 (ok)
File 'tclmisc.c ' accounted for 0/0 (ok)
File 'modules.c ' accounted for 175/175 (ok)
File 'tcldcc.c  ' accounted for 12/12 (ok)
File 'dns.c     ' accounted for 0/0 (ok)
Module 'encryption' accounted for 0/0 (ok)
Module 'eggdrop   ' accounted for 0/0 (ok)
--- End of debug memory list.
Open sockets: 3 (listen), 4, 5 (file), done.

---- LINUX ----
Debug (eggdrop v1.6.17) written Wed Jan 26 18:32:31 2005
Full Patch List:
Tcl library: /usr/lib/tcl8.4
Tcl version: 8.4.6 (header version 8.4.6)
Compile flags: gcc -pipe -g -O2 -Wall -I.. -I.. -DHAVE_CONFIG_H -g3
-DDEBUG_ASSERT -DDEBUG_MEM
Link flags: gcc -pipe -g
Strip flags: touch
Context: main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         main.c/731, []
         tclhash.c/216, []
         tclhash.c/238, []
         tclhash.c/680, []
         tclhash.c/684, [Tcl proc: my:bot:link, param:  $_link1 $_link2]
         tclhash.c/688 []

SOCK ADDR     PORT  NICK      HOST              TYPE
---- -------- ----- --------- ----------------- ----
3    0A000002 41120 (telnet)  *                 lstn  41120
5    C15A82AF 33977 myser     rovik.multinet.no scri  my:bot:control

File 'language.c' accounted for 15475/15475 (ok)
File 'chanprog.c' accounted for 0/0 (ok)
File 'misc.c    ' accounted for 4028/4028 (ok)
File 'userrec.c ' accounted for 346/346 (ok)
File 'net.c     ' accounted for 0/0 (ok)
File 'dccutil.c ' accounted for 8848/8848 (ok)
File 'botnet.c  ' accounted for 2232/2232 (ok)
File 'tcl.c     ' accounted for 2112/2112 (ok)
File 'tclhash.c ' accounted for 6060/6060 (ok)
File 'tclmisc.c ' accounted for 0/0 (ok)
File 'modules.c ' accounted for 175/175 (ok)
File 'tcldcc.c  ' accounted for 12/12 (ok)
File 'dns.c     ' accounted for 0/0 (ok)
Module 'encryption' accounted for 0/0 (ok)
Module 'eggdrop   ' accounted for 0/0 (ok)
--- End of debug memory list.
Open sockets: 3 (listen), 5, 6 (file), done.


4.3) Your comments and a description of the bug:

I wanted to take control over a botlink right after the handshake, and
tried using "bind link" to call tcl control on the hand2idx of the
linked-in bot.
On link, after the handshake, the bot crashes with SEGV.
This works on at least FreeBSD 5.3-STABLE with Tcl 8.4.7, and Linux
2.6.10 with Tcl 8.4.6.


4.4) Can you cause the bug condition to repeat? If so, please outline
     step by step what causes the error:

Start eggdrop with this config/script (change my-ip and listen):

--snip--
set nick crashbot
set botnet-nick "$nick"
set my-ip "IPADDRESS"
listen PORT all
set userfile "$nick.user"
loadmodule blowfish
bind link - * my:bot:link
proc my:bot:link {bot via} {
  global botnet-nick
  if {$via == ${botnet-nick}} {
    control [hand2idx $bot] my:bot:control
  }
}
#proc my:bot:control {idx arg} {
#
#  putlog "my:bot:control idx($idx) arg($arg)"
#}
--snip--

(It is not required to define the proc my:bot:control, to repeat the
crash.)
Log into bot, and .+bot some bot (I used another 1.6.17). Then make that
bot link to this one. Whooa, instant crash!

4.5) Do you have ideas on what is wrong that causes this error?
     Please list them:

It seems eggdrop doesn't like handing control over botsockets to a
tcl-script.

4.6) Do you have ideas on how to correct it?  Please list them:

A sanity check of the idx in control, denying botsockets, would probably
be enough. How to actually allow tcl control of a botlink, which I
intended, I don't know.

4.7) Other comments?
Handing botlinks to tcl control would be a nice new feature.
If I can be of any more help, don't hesitate to contact me.
Good luck bughunting!

4.8) If the bot dumped a 'core' file when it crashed, it would be *very*
     useful if you could paste gdb's output during the following steps:
     First call gdb
         $ gdb eggdrop -c core
     and then enter 'bt' on gdb's command line:
         (gdb) bt
     Keep your core file for at least one week, so that the dev team
     can ask for further information if needed. However, don't send
     us the core file unless we ask for it.

I didn't have permission to create corefiles on the FreeBSD box. This is
a reproducible bug, I'm sure you can dump a core yourselves if needed.
In any case, I ran eggdrop through gdb in Linux:

[18:54] main: entering loop
[18:54] net: connect! sock 5
[18:54] Telnet connection: arovik.multinet.no/41565
[18:54] net: connect! sock 7
[18:54] Challenging myser...
[18:54] Linked to myser.

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb) bt
#0  0x00000000 in ?? ()
(gdb) cont
Continuing.
[18:56] * Last context: tclhash.c/688 []
[18:56] * Please REPORT this BUG!
[18:56] * Check doc/BUG-REPORT on how to do so.
[18:56] * Wrote DEBUG
[18:56] * SEGMENT VIOLATION -- CRASHING!

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()
(gdb) cont
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb)


     NOTE: If this is a bug you can reproduce, please compile with
           make debug and follow the above step. It can greatly help
           find and fix the bug.

Ok, done.

=====================================================================


-- 
Espen Wang <espen at nepse.net>
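A model of the idx sanity check proposed in 4.6, added here as an illustration and not Eggdrop's own code: the dcc table, the kind enum and control_idx() are hypothetical stand-ins for the real core, and the sample table mirrors the DEBUG listing (a bot link on one idx, a chat on another). The point is that control refuses out-of-range, unused and bot-link indices with an error instead of re-typing the socket.

```c
/* Model of the idx sanity check proposed in 4.6 (added illustration, not
 * Eggdrop's own code; struct, enum and function names are hypothetical). */
#include <stddef.h>
#include <string.h>

#define MAX_DCC 8

enum dcc_kind { DCC_FREE = 0, DCC_CHAT, DCC_BOT, DCC_SCRIPT };

/* Minimal stand-in for one entry of Eggdrop's dcc table. */
struct dcc_entry {
    enum dcc_kind kind;        /* what this socket currently is */
    enum dcc_kind saved_kind;  /* kind before control took it over */
    char proc[32];             /* Tcl proc that receives the lines */
};

static struct dcc_entry dcc[MAX_DCC];

/* Outcome codes for control_idx(). */
enum control_result { CTRL_OK = 0, CTRL_BAD_IDX, CTRL_IS_BOT, CTRL_ALREADY };

/* Hand idx over to a script, refusing indices that cannot be controlled.
 * Without the DCC_BOT test a linked-in bot's socket would be re-typed and
 * later dispatched through a handler that does not exist for it. */
enum control_result control_idx(int idx, const char *proc)
{
    if (idx < 0 || idx >= MAX_DCC || dcc[idx].kind == DCC_FREE)
        return CTRL_BAD_IDX;       /* stale or out-of-range idx */
    if (dcc[idx].kind == DCC_BOT)
        return CTRL_IS_BOT;        /* bot links are not controllable */
    if (dcc[idx].kind == DCC_SCRIPT)
        return CTRL_ALREADY;       /* already under script control */
    dcc[idx].saved_kind = dcc[idx].kind;
    dcc[idx].kind = DCC_SCRIPT;
    strncpy(dcc[idx].proc, proc, sizeof dcc[idx].proc - 1);
    dcc[idx].proc[sizeof dcc[idx].proc - 1] = '\0';
    return CTRL_OK;
}

/* Reset the table and populate it like the DEBUG listing: a bot link on
 * one idx and a party-line chat on another (constructed sample data). */
void setup_sample_table(int bot_idx, int chat_idx)
{
    memset(dcc, 0, sizeof dcc);
    dcc[bot_idx].kind = DCC_BOT;
    dcc[chat_idx].kind = DCC_CHAT;
}

enum dcc_kind dcc_kind_of(int idx) { return dcc[idx].kind; }
```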
