[cups.bugs] [CRIT] STR #3970: cupsd refuses to start complaining about "glibc: cupsd: munmap_chunk(): invalid pointer"

marius tolzmann tolzmann at molgen.mpg.de
Tue Nov 1 15:27:01 PDT 2011



[STR New]

cupsd -f refuses to start on my x86_64 Linux box:

The attached patch fixes the problem.
The patch can be applied to version 1.5.0.
It may also fix the trunk, where the bug should still be present.

I am using CUPS 1.5.0 and acl 2.2.51.

Details:
In cert.c, free() is used to free memory allocated by acl_to_text(),
but memory allocated by acl_to_text() must be freed using acl_free().

Here is what happened on my machine:

When hitting this:
------------------
*** glibc detected *** cupsd: munmap_chunk(): invalid pointer: 0x00007f3fb6360c88 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71c16)[0x7f3fb3c6cc16]
cupsd(+0x10c4c)[0x7f3fb60a4c4c]
cupsd(+0x11206)[0x7f3fb60a5206]
cupsd(main+0x924)[0x7f3fb60c1dfc]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f3fb3c19c7d]
cupsd(+0xd319)[0x7f3fb60a1319]
======= Memory map: ========
7f3fb35d5000-7f3fb35ea000 r-xp 00000000 08:01 13730 /usr/lib/libgcc_s.so.1
7f3fb35ea000-7f3fb37e9000 ---p 00015000 08:01 13730 /usr/lib/libgcc_s.so.1
7f3fb37e9000-7f3fb37ea000 rw-p 00014000 08:01 13730 /usr/lib/libgcc_s.so.1
7f3fb37ea000-7f3fb37f6000 r-xp 00000000 08:01 2082  /lib/libnss_files-2.12.1.so
7f3fb37f6000-7f3fb39f5000 ---p 0000c000 08:01 2082  /lib/libnss_files-2.12.1.so
7f3fb39f5000-7f3fb39f6000 r--p 0000b000 08:01 2082  /lib/libnss_files-2.12.1.so
7f3fb39f6000-7f3fb39f7000 rw-p 0000c000 08:01 2082  /lib/libnss_files-2.12.1.so
7f3fb39f7000-7f3fb39fb000 r-xp 00000000 08:01 13735 /usr/lib/libattr.so.1.1.0
[...]

Valgrind reveals the location:
------------------------------
==8362== Invalid free() / delete / delete[]
==8362==    at 0x4C26022: free (vg_replace_malloc.c:366)
==8362==    by 0x118C4B: cupsdAddCert (cert.c:209)
==8362==    by 0x119205: cupsdInitCerts (cert.c:436)
==8362==    by 0x135DFB: main (main.c:595)
==8362==  Address 0x7381108 is 8 bytes inside a block of size 99 alloc'd
==8362==    at 0x4C26CE1: malloc (vg_replace_malloc.c:236)
==8362==    by 0x5D8D68A: __new_var_obj_p (__libobj.c:36)
==8362==    by 0x5D8CBDF: __acl_to_any_text (__acl_to_any_text.c:50)
==8362==    by 0x118BC5: cupsdAddCert (cert.c:202)
==8362==    by 0x119205: cupsdInitCerts (cert.c:436)
==8362==    by 0x135DFB: main (main.c:595)

and ACL_FROM_TEXT(3) states:
  The caller should free any releasable memory, when the new string
  is no longer required, by calling acl_free(3) with the (void*)char
  returned by acl_to_text() as an argument.

... so just do it 8)

bye.. marius tolzmann..

Link: http://www.cups.org/str.php?L3970
Version: 1.5.0
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cups-1.5.0-0001-cert.c-use-acl_free-on-acl_to_text-object.patch
URL: <https://lists.cups.org/pipermail/cups/attachments/20111101/c5ce646a/attachment.ksh>
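The ownership mismatch the report describes, as an added example that is neither the reporter's patch nor libacl's or CUPS's code: a small model allocator whose "to_text" function hands back a pointer a few bytes inside its own malloc() block, exactly the shape valgrind reported ("8 bytes inside a block of size 99"). model_to_text() stands in for acl_to_text() and model_free() for acl_free(); the 8-byte header, its magic tag and the sample ACL text are assumptions for illustration, not libacl's private layout. The buggy release path is kept beside the fixed one so the contrast is visible, but it is never called, because free() on such a pointer makes glibc abort.

```c
/* Added example, not code from CUPS or libacl. Models why free() on an
   acl_to_text() result aborts and acl_free() does not. The header
   layout below is an assumption for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MAGIC 0x41434c54u   /* tag so model_free() can validate */

struct model_prefix {             /* hidden 8-byte header (assumed) */
    uint32_t magic;
    uint32_t len;
};

/* Stand-in for acl_to_text(): the pointer returned is NOT what malloc()
   returned; it points sizeof(struct model_prefix) bytes into the block. */
char *model_to_text(const char *entries)
{
    size_t len = strlen(entries);
    struct model_prefix *p = malloc(sizeof *p + len + 1);
    if (p == NULL)
        return NULL;
    p->magic = MODEL_MAGIC;
    p->len = (uint32_t)len;
    char *text = (char *)(p + 1);
    memcpy(text, entries, len + 1);
    return text;
}

/* Stand-in for acl_free(): steps back to the header, checks the tag and
   releases the block malloc() actually handed out. Returns -1 when the
   pointer did not come from model_to_text(). */
int model_free(void *obj)
{
    if (obj == NULL)
        return -1;
    struct model_prefix *p = (struct model_prefix *)obj - 1;
    if (p->magic != MODEL_MAGIC)
        return -1;                /* not owned by this allocator */
    p->magic = 0;                 /* make a later double free detectable */
    free(p);
    return 0;
}

/* Distance between the caller's pointer and the true block start. */
ptrdiff_t model_text_offset(const char *text)
{
    const struct model_prefix *p = (const struct model_prefix *)text - 1;
    return text - (const char *)p;
}

/* The pattern cert.c had before the patch. Never call this: free() on a
   pointer into the middle of a chunk makes glibc abort; the report's
   "munmap_chunk(): invalid pointer" is one form that abort takes. */
void release_text_buggy(char *text)
{
    free(text);
}

/* The pattern the patch switches to: the library's own release call. */
int release_text_fixed(char *text)
{
    return model_free(text);
}

/* Round trip over constructed sample ACL text. Returns 0 on success or
   the number of the step that failed. */
int demo_correct_release(void)
{
    const char *sample = "user::rw-\ngroup::r--\nother::---\n"; /* constructed */
    char *text = model_to_text(sample);
    if (text == NULL)
        return 1;
    if (strcmp(text, sample) != 0) {
        release_text_fixed(text);
        return 2;
    }
    if (model_text_offset(text) != (ptrdiff_t)sizeof(struct model_prefix)) {
        release_text_fixed(text);
        return 3;
    }
    return release_text_fixed(text) == 0 ? 0 : 4;
}

/* The inverse mismatch: a plain malloc() block handed to model_free() is
   refused rather than freed through the wrong allocator. Returns 1 if refused. */
int demo_rejects_foreign_pointer(void)
{
    char *plain = calloc(1, 64);
    if (plain == NULL)
        return 0;
    int rc = model_free(plain + sizeof(struct model_prefix));
    free(plain);
    return rc == -1;
}

int main(void)
{
    printf("correct release: %d (0 = ok)\n", demo_correct_release());
    printf("foreign pointer refused: %d (1 = yes)\n", demo_rejects_foreign_pointer());
    return 0;
}
```

The same rule applies to the real API: whatever acl_to_text(3), acl_get_file(3) or acl_from_text(3) hands back is released with acl_free(3), never with free(). Running the buggy path under valgrind produces an "Invalid free()" with an address a few bytes inside an allocated block, which is the signature to look for when a library object is freed with the wrong deallocator.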

