*** buffer overflow detected ***: terminated points to ares_fds

James Read jamesread5737 at gmail.com
Mon Jan 3 22:07:51 CET 2022


Hi,

I have joined this mailing list because I have a difficult bug which seems
to relate to a c-ares function call.

The program I am developing reads lines from a file which is a list of
domain names. It performs asynchronous DNS lookups and then downloads the
landing pages with an epoll-based event loop. The program runs well for
thousands of iterations and then bombs out with a *** buffer overflow
detected ***: terminated error. The following backtrace points the finger
of blame at a call to ares_fds:

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351407424) at pthread_kill.c:44
44 pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351407424) at pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737351407424) at pthread_kill.c:80
#2  __GI___pthread_kill (threadid=140737351407424, signo=signo@entry=6) at pthread_kill.c:91
#3  0x00007ffff7dae476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7d947b7 in __GI_abort () at abort.c:79
#5  0x00007ffff7df55e6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f46ef4 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff7ea122a in __GI___fortify_fail (msg=msg@entry=0x7ffff7f46e9a "buffer overflow detected") at fortify_fail.c:26
#7  0x00007ffff7e9fb46 in __GI___chk_fail () at chk_fail.c:28
#8  0x00007ffff7ea116b in __fdelt_chk (d=<optimised out>) at fdelt_chk.c:25
#9  0x00007ffff7f9699a in ares_fds () from /usr/local/lib/libcares.so.2
#10 0x000055555555682d in wait_ares (channel=0x555556bb32a0) at epoll_recv_with_async_dns.c:80
#11 0x000055555555772e in main (argc=2, argv=0x7fffffffe0a8) at epoll_recv_with_async_dns.c:299

The offending line of code is:

nfds = ares_fds(channel, &read_fds, &write_fds);

I don't understand how this is a buffer overflow as the function call only
uses locally initialised variables. Here is the full function:

static void wait_ares(ares_channel channel)
{
    struct timeval *tvp, tv;
    fd_set read_fds, write_fds;   /* fixed-size bitmaps: FD_SETSIZE (1024) bits each */
    int nfds;

    FD_ZERO(&read_fds);
    FD_ZERO(&write_fds);
    /* ares_fds() runs FD_SET(sock, ...) for every c-ares socket. With
     * _FORTIFY_SOURCE, FD_SET calls __fdelt_chk, which aborts as soon as
     * sock >= FD_SETSIZE; without it the bit would be written past the end
     * of read_fds/write_fds in this stack frame. */
    nfds = ares_fds(channel, &read_fds, &write_fds);

    if (nfds > 0) {
        tvp = ares_timeout(channel, NULL, &tv);
        select(nfds, &read_fds, &write_fds, NULL, tvp);
        ares_process(channel, &read_fds, &write_fds);
    }
}

Just in case I haven't provided enough information, a full code listing can
be downloaded from https://github.com/JamesRead5737/epoll-and-c-ares-crawler
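Added example, not part of the post above and not c-ares code. Frame #8 of the backtrace, __fdelt_chk, is the _FORTIFY_SOURCE check that glibc places inside FD_SET/FD_CLR/FD_ISSET: it aborts when the descriptor number is negative or >= FD_SETSIZE (1024 on glibc). An fd_set is a fixed 128-byte bitmap, so the "locally initialised variables" are precisely what would be overflowed: ares_fds() runs FD_SET on each c-ares socket, and once the crawler holds more than roughly a thousand connections a newly opened c-ares socket is numbered 1024 or higher, which writes past the end of read_fds/write_fds in wait_ares's stack frame. The C program below reproduces the condition without c-ares (every function name in it is an assumption of this example, not a library API): it computes where FD_SET would write for a given descriptor, raises RLIMIT_NOFILE and opens /dev/null until it obtains a descriptor >= FD_SETSIZE, and shows a guarded fd_set_checked() that refuses such descriptors instead of corrupting the stack.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* An fd_set is a bitmap of exactly FD_SETSIZE bits (128 bytes on glibc).
 * FD_SET(fd, set) writes to byte fd / 8 of it; any offset at or beyond
 * sizeof(fd_set) is an out-of-bounds write into whatever follows the set
 * on the stack, which is what the crawler's wait_ares() would hit. */
size_t fd_set_byte_offset(int fd)
{
    return (size_t)fd / 8;
}

/* The same range test glibc's __fdelt_chk applies before it aborts. */
bool fd_fits_in_fd_set(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Guarded FD_SET (hypothetical helper for this example): refuses instead
 * of overflowing. Returns 0 on success, -1 with errno = EBADF otherwise. */
int fd_set_checked(int fd, fd_set *set)
{
    if (!fd_fits_in_fd_set(fd)) {
        errno = EBADF;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Self-check helper: 1 if fd ended up set, 0 if it was refused. */
int mark_fd(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    if (fd_set_checked(fd, &set) != 0)
        return 0;
    return FD_ISSET(fd, &set) ? 1 : -1;
}

/* Recreates the crawler's situation: hold many descriptors so the kernel's
 * next free number climbs past FD_SETSIZE. The soft RLIMIT_NOFILE is raised
 * to the hard limit first, because a default of 1024 makes the condition
 * unreachable (open() fails with EMFILE before any fd reaches 1024).
 * Opened descriptors are recorded in held[] so the caller can close them.
 * Returns the first descriptor >= FD_SETSIZE, or -1 if the limit prevents it. */
int allocate_fd_beyond_fd_setsize(int *held, size_t max_held, size_t *n_held)
{
    struct rlimit rl;

    *n_held = 0;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < rl.rlim_max) {
        rl.rlim_cur = rl.rlim_max;
        (void)setrlimit(RLIMIT_NOFILE, &rl);   /* best effort; may be refused */
    }
    while (*n_held < max_held) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0)
            return -1;                          /* EMFILE: hard limit hit first */
        held[(*n_held)++] = fd;
        if (fd >= FD_SETSIZE)
            return fd;
    }
    return -1;
}

void release_fds(const int *held, size_t n_held)
{
    for (size_t i = 0; i < n_held; i++)
        close(held[i]);
}

/* Runs the whole scenario. Returns 1 when a descriptor >= FD_SETSIZE was
 * obtained and correctly refused, 0 when this environment cannot reach
 * FD_SETSIZE, -1 if the guard misbehaved. Never performs the overflow. */
int demo_high_fd_is_rejected(void)
{
    static int held[FD_SETSIZE + 8];
    size_t n = 0;
    int rc = 0;
    int fd = allocate_fd_beyond_fd_setsize(held, sizeof held / sizeof held[0], &n);

    if (fd >= 0) {
        printf("fd %d: FD_SET would write byte %zu of a %zu-byte fd_set\n",
               fd, fd_set_byte_offset(fd), sizeof(fd_set));
        rc = (mark_fd(fd) == 0) ? 1 : -1;
    } else {
        printf("no descriptor >= FD_SETSIZE after %zu opens (hard limit too low)\n", n);
    }
    release_fds(held, n);
    return rc;
}

int main(void)
{
    printf("FD_SETSIZE = %d, sizeof(fd_set) = %zu\n", FD_SETSIZE, sizeof(fd_set));
    return demo_high_fd_is_rejected() < 0 ? 1 : 0;
}
```

Build with cc -O2 -D_FORTIFY_SOURCE=2 and run it; when the RLIMIT_NOFILE hard limit is at or below 1024 the demo reports that the condition is unreachable, which is also why the crawler only dies after thousands of iterations rather than immediately. The range check is a diagnostic, not a fix: any program that mixes epoll with a select()/fd_set API is confined to descriptor numbers below FD_SETSIZE. c-ares offers two ways to stay off fd_set entirely: ares_getsock(), which fills an array of at most ARES_GETSOCK_MAXNUM sockets (readability and writability decoded with the ARES_GETSOCK_READABLE and ARES_GETSOCK_WRITABLE macros) that can be registered with epoll, and the ARES_OPT_SOCK_STATE_CB option, whose callback is invoked whenever c-ares opens, closes or changes the interest of a socket. With either approach, readiness is fed back per socket with ares_process_fd(channel, read_fd, write_fd) instead of ares_process().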