neard segfault on m3ulcb on access operation on tag with empty record

Description

On a write operation to an empty tag, neard exits with the following segfault:

Core was generated by `/usr/libexec/nfc/neard -nd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000ffffbb4de960 in malloc_consolidate (av=0xffffbb5b8a50 <main_arena>) at /usr/src/debug/glibc/2.26-r0/git/malloc/malloc.c:4475
4475 unlink(av, nextchunk, bck, fwd);
(gdb) bt
#0 0x0000ffffbb4de960 in malloc_consolidate (av=0xffffbb5b8a50 <main_arena>) at /usr/src/debug/glibc/2.26-r0/git/malloc/malloc.c:4475
#1 0x0000ffffbb4e1490 in _int_malloc (av=av@entry=0xffffbb5b8a50 <main_arena>, bytes=bytes@entry=8192) at /usr/src/debug/glibc/2.26-r0/git/malloc/malloc.c:3710
#2 0x0000ffffbb4e3a58 in __libc_calloc (n=<optimized out>, elem_size=<optimized out>) at /usr/src/debug/glibc/2.26-r0/git/malloc/malloc.c:3437
#3 0x0000ffffbb4d6af8 in _GI__open_memstream (bufloc=0xfffff54a22e8, bufloc@entry=0xfffff54a2348, sizeloc=0xfffff54a22f0, sizeloc@entry=0xfffff54a2350)
at /usr/src/debug/glibc/2.26-r0/git/libio/memstream.c:83
#4 0x0000ffffbb535434 in _GI__vsyslog_chk (pri=31, flag=1, fmt=0xaaaabcb3d340 "%s:%s() condition 0x%x", ap=...) at /usr/src/debug/glibc/2.26-r0/git/misc/syslog.c:167
#5 0x0000aaaabcb28614 in ?? ()
#6 0x0000ffffbb5f8340 in nlmsg_free () from /usr/lib/libnl-3.so.200

Environment

None

Activity


Walt Miner 
March 19, 2019 at 10:49 PM

Close for 7.0.1

Raquel Medina 
February 21, 2019 at 10:39 AM

Walt Miner, I think so, otherwise a tag with an empty record would trigger a segfault in neard. I'll cherry-pick to guppy today.

Walt Miner 
February 19, 2019 at 6:22 PM

Should this be cherry picked to guppy?

Raquel Medina 
January 24, 2019 at 11:16 PM

Fix uploaded to gerrit for review under Change 19689.

Raquel Medina 
January 21, 2019 at 3:06 PM
(edited)

The neard segfault happens not only on write but also on any access to a tag with an empty record (D0 00 00 -> il=0, tnf empty, length=0), so I've updated the Jira header to reflect this new information (issue created initially for write operation only).

The same issue has been observed when testing a tag with an empty record with agl-service-nfc and tag write tool (both use neardal lib).

There are 2 other scenarios for 'empty' tags: null tlv or ndef with 0 length (no record at all), which work fine.

A workaround in neard is under test to discard a tag with an empty record, which is the same path taken for null tlv or 0 length ndef.
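To make the three "empty tag" layouts from this comment concrete, here is a small added C classifier (illustrative code, not neard's own) that distinguishes a NULL TLV, a zero-length NDEF TLV and a record with TNF empty, and reports the last one as something to discard rather than parse further. The TLV framing values (0x00 NULL TLV, 0x03 NDEF Message TLV, 0xFE terminator) are assumed from the NFC Forum Type 2 tag layout, and the sample buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* NDEF record header flag bits */
#define NDEF_SR  0x10   /* short record: 1-byte payload length */
#define NDEF_IL  0x08   /* ID length field present */
#define NDEF_TNF 0x07   /* type name format, 0 = empty */

enum tag_state { TAG_NULL_TLV, TAG_EMPTY_NDEF, TAG_EMPTY_RECORD, TAG_HAS_RECORD, TAG_MALFORMED };

/* Classify the first TLV of a Type 2 tag data area (len = bytes available).
 * Only TAG_HAS_RECORD means a record object may be built from the data; the
 * D0 00 00 case lands on the same discard path as NULL TLV / empty NDEF. */
enum tag_state classify_ndef_tlv(const uint8_t *buf, size_t len)
{
    if (len < 1) return TAG_MALFORMED;
    if (buf[0] == 0x00) return TAG_NULL_TLV;              /* NULL TLV: no length, no value */
    if (buf[0] != 0x03 || len < 2) return TAG_MALFORMED;  /* 0x03 = NDEF Message TLV */
    size_t tlv_len = buf[1];
    if (tlv_len == 0) return TAG_EMPTY_NDEF;              /* NDEF TLV with zero length */
    if (tlv_len == 0xFF) return TAG_MALFORMED;            /* 3-byte length form: not handled here */
    if (len - 2 < tlv_len) return TAG_MALFORMED;          /* value truncated */
    const uint8_t *rec = buf + 2;
    /* header = flags + type length + payload length (1 or 4 bytes) + optional ID length */
    size_t hdr = 2 + ((rec[0] & NDEF_SR) ? 1 : 4) + ((rec[0] & NDEF_IL) ? 1 : 0);
    if (tlv_len < hdr) return TAG_MALFORMED;
    uint8_t tnf = rec[0] & NDEF_TNF;
    uint8_t type_len = rec[1];
    uint32_t payload_len = (rec[0] & NDEF_SR) ? rec[2]
        : ((uint32_t)rec[2] << 24) | ((uint32_t)rec[3] << 16) | ((uint32_t)rec[4] << 8) | rec[5];
    if (tnf == 0 || (type_len == 0 && payload_len == 0))
        return TAG_EMPTY_RECORD;                          /* e.g. D0 00 00 from the comment above */
    return TAG_HAS_RECORD;
}

/* Constructed sample data areas (not captured from real tags). */
static const uint8_t sample_null_tlv[]     = { 0x00, 0xFE };
static const uint8_t sample_empty_ndef[]   = { 0x03, 0x00, 0xFE };
static const uint8_t sample_empty_record[] = { 0x03, 0x03, 0xD0, 0x00, 0x00, 0xFE };
/* "T" text record, lang "en", text "hi": D1 01 05 54 02 65 6E 68 69 */
static const uint8_t sample_text_record[]  = { 0x03, 0x09, 0xD1, 0x01, 0x05, 0x54, 0x02,
                                               0x65, 0x6E, 0x68, 0x69, 0xFE };
static const uint8_t sample_truncated[]    = { 0x03, 0x03, 0xD0 };
```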


Fixed

Details

Created January 14, 2019 at 3:00 PM
Updated September 19, 2019 at 12:06 PM
Resolved February 13, 2019 at 5:16 PM
