*** buffer overflow detected ***: terminated points to ares_fds

Brad House brad at brad-house.com
Mon Jan 3 22:26:03 CET 2022


Is it possible you've destroyed the ares_channel when this is called?  I 
haven't had a chance to look at your code.

Also, have you tried to run this through ASAN or Valgrind?

On 1/3/22 4:07 PM, James Read via c-ares wrote:
> Hi,
>
> I have joined this mailing list because I have a difficult bug which 
> seems to relate to a c-ares function call.
>
> The program I am developing reads lines from a file which is a list of 
> domain names. It performs asynchronous DNS and then downloads the 
> landing pages with an epoll based event loop. The program runs well 
> for thousands of iterations and then bombs out with a *** buffer 
> overflow detected ***: terminated error. The following backtrace 
> points the finger of blame at a call to ares_fds:
>
> Program received signal SIGABRT, Aborted.
> __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351407424) at pthread_kill.c:44
> 44 pthread_kill.c: No such file or directory.
> (gdb) bt
> #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737351407424) at pthread_kill.c:44
> #1  __pthread_kill_internal (signo=6, threadid=140737351407424) at pthread_kill.c:80
> #2  __GI___pthread_kill (threadid=140737351407424, signo=signo@entry=6) at pthread_kill.c:91
> #3  0x00007ffff7dae476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
> #4  0x00007ffff7d947b7 in __GI_abort () at abort.c:79
> #5  0x00007ffff7df55e6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f46ef4 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
> #6  0x00007ffff7ea122a in __GI___fortify_fail (msg=msg@entry=0x7ffff7f46e9a "buffer overflow detected") at fortify_fail.c:26
> #7  0x00007ffff7e9fb46 in __GI___chk_fail () at chk_fail.c:28
> #8  0x00007ffff7ea116b in __fdelt_chk (d=<optimised out>) at fdelt_chk.c:25
> #9  0x00007ffff7f9699a in ares_fds () from /usr/local/lib/libcares.so.2
> #10 0x000055555555682d in wait_ares (channel=0x555556bb32a0) at epoll_recv_with_async_dns.c:80
> #11 0x000055555555772e in main (argc=2, argv=0x7fffffffe0a8) at epoll_recv_with_async_dns.c:299
>
> The offending line of code is:
>
> nfds = ares_fds(channel, &read_fds, &write_fds);
>
> I don't understand how this is a buffer overflow as the function call 
> only uses locally initialised variables. Here is the full function:
>
> static void wait_ares(ares_channel channel)
> {
>     struct timeval *tvp, tv;
>     fd_set read_fds, write_fds;
>     int nfds;
>
>     /* ares_fds() FD_SETs every c-ares socket into the two sets and returns
>        the highest socket + 1, or 0 when no queries are in flight. */
>     FD_ZERO(&read_fds);
>     FD_ZERO(&write_fds);
>     nfds = ares_fds(channel, &read_fds, &write_fds);
>
>     if (nfds > 0) {
>         /* Block at most until the earliest pending query would time out. */
>         tvp = ares_timeout(channel, NULL, &tv);
>         select(nfds, &read_fds, &write_fds, NULL, tvp);
>         ares_process(channel, &read_fds, &write_fds);
>     }
> }
>
> Just in case I haven't provided enough information a full code listing 
> can be downloaded from 
> https://github.com/JamesRead5737/epoll-and-c-ares-crawler
>
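Added example, not from either message in this thread and not c-ares project code. Frame #8 in the backtrace, __fdelt_chk, is glibc's _FORTIFY_SOURCE guard for FD_SET/FD_CLR/FD_ISSET: it aborts with "buffer overflow detected" when the descriptor index is outside 0..FD_SETSIZE-1 (1024 on glibc), because fd_set is a fixed-size bitmap and a larger fd would index past it. ares_fds() calls FD_SET on each c-ares socket, so an abort inside it is the symptom of a socket whose number has reached FD_SETSIZE, which a crawler holding many open download connections can produce; without fortify the same call would silently overwrite the caller's stack. The C below shows a bounds-checked FD_SET wrapper, a scan for descriptors an fd_set cannot hold, and a translation of the ares_getsock() bitmask into per-socket interest flags, which is how c-ares sockets can share an epoll set with the download sockets so no fd_set is built at all. The two ARES_GETSOCK_* macros and ARES_GETSOCK_MAXNUM are copied from c-ares' public ares.h so the file builds without the library; the descriptor numbers and the getsock bitmask are constructed sample input, and WANT_READ/WANT_WRITE are placeholder flags standing in for EPOLLIN/EPOLLOUT.

```c
/* Added example: why FD_SET-based ares_fds() aborts once a descriptor
 * reaches FD_SETSIZE, and how to hand c-ares sockets to epoll instead.
 * Builds without libcares; see the lead-in for what is copied or assumed. */
#include <stdio.h>
#include <sys/select.h>

/* Copied from c-ares' public ares.h so this file builds without it. */
#define ARES_GETSOCK_MAXNUM 16
#define ARES_GETSOCK_READABLE(bits, num) ((bits) & (1 << (num)))
#define ARES_GETSOCK_WRITABLE(bits, num) ((bits) & (1 << ((num) + ARES_GETSOCK_MAXNUM)))

/* Placeholder interest flags; map to EPOLLIN / EPOLLOUT in a real loop. */
#define WANT_READ  0x1
#define WANT_WRITE 0x2

/* fd_set path. FD_SET(fd, set) with fd >= FD_SETSIZE indexes past the
 * fixed-size bitmap; with _FORTIFY_SOURCE glibc routes FD_SET through
 * __fdelt_chk(), which aborts exactly as in the backtrace above. This
 * wrapper refuses such descriptors and returns -1 instead. */
int fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Scan a list of live descriptors (e.g. a crawler's open sockets) and
 * return the first one an fd_set cannot hold, or -1 if all are safe. */
int first_unselectable_fd(const int *fds, int n)
{
    for (int i = 0; i < n; i++)
        if (fds[i] >= FD_SETSIZE)
            return fds[i];
    return -1;
}

/* epoll-friendly path. ares_getsock() fills socks[] and returns a bitmask:
 * bit i means socks[i] wants reading, bit i+ARES_GETSOCK_MAXNUM means it
 * wants writing. Convert that into one (fd, interest) pair per live socket
 * for epoll_ctl(); returns the number of pairs written. */
int ares_sockets_to_interest(int bits, const int *socks,
                             int *out_fds, int *out_interest, int max)
{
    int n = 0;
    for (int i = 0; i < ARES_GETSOCK_MAXNUM && n < max; i++) {
        int interest = 0;
        if (ARES_GETSOCK_READABLE(bits, i)) interest |= WANT_READ;
        if (ARES_GETSOCK_WRITABLE(bits, i)) interest |= WANT_WRITE;
        if (!interest)
            continue;               /* unused slot in socks[] */
        out_fds[n] = socks[i];
        out_interest[n] = interest;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed descriptor numbers standing in for a crawler that has
     * opened ~1100 sockets: the last two are >= FD_SETSIZE. */
    int crawler_fds[] = { 7, 512, 1023, 1024, 1100 };
    fd_set rfds;
    FD_ZERO(&rfds);
    printf("FD_SETSIZE=%d, first unselectable fd: %d\n",
           FD_SETSIZE, first_unselectable_fd(crawler_fds, 5));
    printf("fd_set_checked(1024) -> %d\n", fd_set_checked(1024, &rfds));

    /* Constructed ares_getsock() result: socks[0] wants read+write,
     * socks[1] wants read only, remaining slots unused. */
    int socks[ARES_GETSOCK_MAXNUM] = { 1030, 1031 };
    int bits = (1 << 0) | (1 << 1) | (1 << (0 + ARES_GETSOCK_MAXNUM));
    int fds[ARES_GETSOCK_MAXNUM], interest[ARES_GETSOCK_MAXNUM];
    int n = ares_sockets_to_interest(bits, socks, fds, interest,
                                     ARES_GETSOCK_MAXNUM);
    for (int i = 0; i < n; i++)
        printf("c-ares socket %d wants:%s%s\n", fds[i],
               (interest[i] & WANT_READ) ? " read" : "",
               (interest[i] & WANT_WRITE) ? " write" : "");
    return 0;
}
```

In the real loop the sequence is: ares_getsock(channel, socks, ARES_GETSOCK_MAXNUM), register or update each returned socket with epoll_ctl() using the interest mask, use ares_timeout() to bound epoll_wait(), and on readiness call ares_process_fd(channel, read_fd, write_fd), passing ARES_SOCKET_BAD for whichever side is not ready. Since c-ares opens and closes UDP sockets per query burst, re-run the getsock step after every ares_process_fd() call and remove descriptors that are no longer reported.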



More information about the c-ares mailing list