The SLPFindSrvs function appears to crash when a filter is provided; as the backtrace below shows, it is the slpd daemon handling the request that aborts. This simple command-line example triggers it:
slptool -u localhost findsrvs service:ntp "(foo=bar)"
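For testing, I'm using docker run -d -p 427:427/tcp -p 427:427/udp vcrhonek/openslp (note that this publishes port 427 on all host interfaces; prefixing the mappings with 127.0.0.1: keeps the test daemon reachable from the local machine only).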
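Here's the backtrace from slpd. The abort is raised by glibc's fortify check (__fortify_fail), which means a bounds-checked libc call inside slpd detected an overrun of its buffer while processing the request. The slpd frames are unsymbolized offsets, so the faulting function is not identified here: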
*** buffer overflow detected ***: /usr/sbin/slpd terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x77d75)[0x7fc091557d75]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fc0915f4107]
/lib64/libc.so.6(+0x112290)[0x7fc0915f2290]
/lib64/libc.so.6(+0x111739)[0x7fc0915f1739]
/usr/sbin/slpd(+0x4ae6)[0x55727c204ae6]
/usr/sbin/slpd(+0x7705)[0x55727c207705]
/usr/sbin/slpd(+0xf10e)[0x55727c20f10e]
/usr/sbin/slpd(+0x876c)[0x55727c20876c]
/usr/sbin/slpd(+0x3548)[0x55727c203548]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7fc091500580]
/usr/sbin/slpd(+0x3699)[0x55727c203699]
======= Memory map: ========
55727c200000-55727c222000 r-xp 00000000 fe:01 3145796 /usr/sbin/slpd
55727c422000-55727c423000 r--p 00022000 fe:01 3145796 /usr/sbin/slpd
55727c423000-55727c424000 rw-p 00023000 fe:01 3145796 /usr/sbin/slpd
55727d452000-55727d473000 rw-p 00000000 00:00 0 [heap]
7fc08f87d000-7fc08f888000 r-xp 00000000 fe:01 2886823 /usr/lib64/libnss_files-2.22.so
7fc08f888000-7fc08fa87000 ---p 0000b000 fe:01 2886823 /usr/lib64/libnss_files-2.22.so
7fc08fa87000-7fc08fa88000 r--p 0000a000 fe:01 2886823 /usr/lib64/libnss_files-2.22.so
7fc08fa88000-7fc08fa89000 rw-p 0000b000 fe:01 2886823 /usr/lib64/libnss_files-2.22.so
7fc08fa89000-7fc08fa8f000 rw-p 00000000 00:00 0
7fc08fa8f000-7fc08fa93000 r-xp 00000000 fe:01 2886640 /usr/lib64/libattr.so.1.1.0
7fc08fa93000-7fc08fc93000 ---p 00004000 fe:01 2886640 /usr/lib64/libattr.so.1.1.0
7fc08fc93000-7fc08fc94000 r--p 00004000 fe:01 2886640 /usr/lib64/libattr.so.1.1.0
7fc08fc94000-7fc08fc95000 rw-p 00000000 00:00 0
7fc08fc95000-7fc08fca4000 r-xp 00000000 fe:01 2886648 /usr/lib64/libbz2.so.1.0.6
7fc08fca4000-7fc08fea3000 ---p 0000f000 fe:01 2886648 /usr/lib64/libbz2.so.1.0.6
7fc08fea3000-7fc08fea4000 r--p 0000e000 fe:01 2886648 /usr/lib64/libbz2.so.1.0.6
7fc08fea4000-7fc08fea5000 rw-p 0000f000 fe:01 2886648 /usr/lib64/libbz2.so.1.0.6
7fc08fea5000-7fc08febc000 r-xp 00000000 fe:01 2886681 /usr/lib64/libelf-0.166.so
7fc08febc000-7fc0900bb000 ---p 00017000 fe:01 2886681 /usr/lib64/libelf-0.166.so
7fc0900bb000-7fc0900bc000 r--p 00016000 fe:01 2886681 /usr/lib64/libelf-0.166.so
7fc0900bc000-7fc0900bd000 rw-p 00017000 fe:01 2886681 /usr/lib64/libelf-0.166.so
7fc0900bd000-7fc09012e000 r-xp 00000000 fe:01 2886855 /usr/lib64/libpcre.so.1.2.7
7fc09012e000-7fc09032e000 ---p 00071000 fe:01 2886855 /usr/lib64/libpcre.so.1.2.7
7fc09032e000-7fc09032f000 r--p 00071000 fe:01 2886855 /usr/lib64/libpcre.so.1.2.7
7fc09032f000-7fc090330000 rw-p 00072000 fe:01 2886855 /usr/lib64/libpcre.so.1.2.7
7fc090330000-7fc090346000 r-xp 00000000 fe:01 2886699 /usr/lib64/libgcc_s-5.3.1-20160406.so.1
7fc090346000-7fc090545000 ---p 00016000 fe:01 2886699 /usr/lib64/libgcc_s-5.3.1-20160406.so.1
7fc090545000-7fc090546000 r--p 00015000 fe:01 2886699 /usr/lib64/libgcc_s-5.3.1-20160406.so.1
7fc090546000-7fc090547000 rw-p 00016000 fe:01 2886699 /usr/lib64/libgcc_s-5.3.1-20160406.so.1
7fc090547000-7fc09054b000 r-xp 00000000 fe:01 2886654 /usr/lib64/libcap.so.2.24
7fc09054b000-7fc09074a000 ---p 00004000 fe:01 2886654 /usr/lib64/libcap.so.2.24
7fc09074a000-7fc09074b000 r--p 00003000 fe:01 2886654 /usr/lib64/libcap.so.2.24
7fc09074b000-7fc09074c000 rw-p 00004000 fe:01 2886654 /usr/lib64/libcap.so.2.24
7fc09074c000-7fc090793000 r-xp 00000000 fe:01 2886677 /usr/lib64/libdw-0.166.so
7fc090793000-7fc090992000 ---p 00047000 fe:01 2886677 /usr/lib64/libdw-0.166.so
7fc090992000-7fc090995000 r--p 00046000 fe:01 2886677 /usr/lib64/libdw-0.166.so
7fc090995000-7fc090996000 rw-p 00049000 fe:01 2886677 /usr/lib64/libdw-0.166.so
7fc090996000-7fc0909a8000 r-xp 00000000 fe:01 2886722 /usr/lib64/libgpg-error.so.0.17.0
7fc0909a8000-7fc090ba8000 ---p 00012000 fe:01 2886722 /usr/lib64/libgpg-error.so.0.17.0
7fc090ba8000-7fc090ba9000 r--p 00012000 fe:01 2886722 /usr/lib64/libgpg-error.so.0.17.0
7fc090ba9000-7fc090baa000 rw-p 00013000 fe:01 2886722 /usr/lib64/libgpg-error.so.0.17.0
7fc090baa000-7fc090c85000 r-xp 00000000 fe:01 2886702 /usr/lib64/libgcrypt.so.20.0.4
7fc090c85000-7fc090e85000 ---p 000db000 fe:01 2886702 /usr/lib64/libgcrypt.so.20.0.4
7fc090e85000-7fc090e86000 r--p 000db000 fe:01 2886702 /usr/lib64/libgcrypt.so.20.0.4
7fc090e86000-7fc090e8e000 rw-p 000dc000 fe:01 2886702 /usr/lib64/libgcrypt.so.20.0.4
7fc090e8e000-7fc090e8f000 rw-p 00000000 00:00 0
7fc090e8f000-7fc090eb4000 r-xp 00000000 fe:01 2886775 /usr/lib64/liblzma.so.5.2.1
7fc090eb4000-7fc0910b3000 ---p 00025000 fe:01 2886775 /usr/lib64/liblzma.so.5.2.1
7fc0910b3000-7fc0910b4000 r--p 00024000 fe:01 2886775 /usr/lib64/liblzma.so.5.2.1
7fc0910b4000-7fc0910b5000 rw-p 00000000 00:00 0
7fc0910b5000-7fc0910bc000 r-xp 00000000 fe:01 2886889 /usr/lib64/librt-2.22.so
7fc0910bc000-7fc0912bb000 ---p 00007000 fe:01 2886889 /usr/lib64/librt-2.22.so
7fc0912bb000-7fc0912bc000 r--p 00006000 fe:01 2886889 /usr/lib64/librt-2.22.so
7fc0912bc000-7fc0912bd000 rw-p 00007000 fe:01 2886889 /usr/lib64/librt-2.22.so
7fc0912bd000-7fc0912dc000 r-xp 00000000 fe:01 2886895 /usr/lib64/libselinux.so.1
7fc0912dc000-7fc0914dc000 ---p 0001f000 fe:01 2886895 /usr/lib64/libselinux.so.1
7fc0914dc000-7fc0914dd000 r--p 0001f000 fe:01 2886895 /usr/lib64/libselinux.so.1
7fc0914dd000-7fc0914de000 rw-p 00020000 fe:01 2886895 /usr/lib64/libselinux.so.1
7fc0914de000-7fc0914e0000 rw-p 00000000 00:00 0
7fc0914e0000-7fc091697000 r-xp 00000000 fe:01 2886649 /usr/lib64/libc-2.22.so
7fc091697000-7fc091897000 ---p 001b7000 fe:01 2886649 /usr/lib64/libc-2.22.so
7fc091897000-7fc09189b000 r--p 001b7000 fe:01 2886649 /usr/lib64/libc-2.22.so
7fc09189b000-7fc09189d000 rw-p 001bb000 fe:01 2886649 /usr/lib64/libc-2.22.so
7fc09189d000-7fc0918a1000 rw-p 00000000 00:00 0
7fc0918a1000-7fc0918b8000 r-xp 00000000 fe:01 2886879 /usr/lib64/libresolv-2.22.so
7fc0918b8000-7fc091ab8000 ---p 00017000 fe:01 2886879 /usr/lib64/libresolv-2.22.so
7fc091ab8000-7fc091ab9000 r--p 00017000 fe:01 2886879 /usr/lib64/libresolv-2.22.so
7fc091ab9000-7fc091aba000 rw-p 00018000 fe:01 2886879 /usr/lib64/libresolv-2.22.so
7fc091aba000-7fc091abc000 rw-p 00000000 00:00 0
7fc091abc000-7fc091ad2000 r-xp 00000000 fe:01 2886813 /usr/lib64/libnsl-2.22.so
7fc091ad2000-7fc091cd1000 ---p 00016000 fe:01 2886813 /usr/lib64/libnsl-2.22.so
7fc091cd1000-7fc091cd2000 r--p 00015000 fe:01 2886813 /usr/lib64/libnsl-2.22.so
7fc091cd2000-7fc091cd3000 rw-p 00016000 fe:01 2886813 /usr/lib64/libnsl-2.22.so
7fc091cd3000-7fc091cd5000 rw-p 00000000 00:00 0
7fc091cd5000-7fc091dd6000 r-xp 00000000 fe:01 2886778 /usr/lib64/libm-2.22.so
7fc091dd6000-7fc091fd5000 ---p 00101000 fe:01 2886778 /usr/lib64/libm-2.22.so
7fc091fd5000-7fc091fd6000 r--p 00100000 fe:01 2886778 /usr/lib64/libm-2.22.so
7fc091fd6000-7fc091fd7000 rw-p 00101000 fe:01 2886778 /usr/lib64/libm-2.22.so
7fc091fd7000-7fc091fef000 r-xp 00000000 fe:01 2886868 /usr/lib64/libpthread-2.22.so
7fc091fef000-7fc0921ee000 ---p 00018000 fe:01 2886868 /usr/lib64/libpthread-2.22.so
7fc0921ee000-7fc0921f0000 r--p 00017000 fe:01 2886868 /usr/lib64/libpthread-2.22.so
7fc0921f0000-7fc0921f1000 rw-p 00019000 fe:01 2886868 /usr/lib64/libpthread-2.22.so
7fc0921f1000-7fc0921f5000 rw-p 00000000 00:00 0
7fc0921f5000-7fc092428000 r-xp 00000000 fe:01 2886664 /usr/lib64/libcrypto.so.1.0.2h
7fc092428000-7fc092628000 ---p 00233000 fe:01 2886664 /usr/lib64/libcrypto.so.1.0.2h
7fc092628000-7fc092644000 r--p 00233000 fe:01 2886664 /usr/lib64/libcrypto.so.1.0.2h
7fc092644000-7fc092651000 rw-p 0024f000 fe:01 2886664 /usr/lib64/libcrypto.so.1.0.2h
7fc092651000-7fc092655000 rw-p 00000000 00:00 0
7fc092655000-7fc09266a000 r-xp 00000000 fe:01 2886957 /usr/lib64/libz.so.1.2.8
7fc09266a000-7fc092869000 ---p 00015000 fe:01 2886957 /usr/lib64/libz.so.1.2.8
7fc092869000-7fc09286a000 r--p 00014000 fe:01 2886957 /usr/lib64/libz.so.1.2.8
7fc09286a000-7fc09286b000 rw-p 00015000 fe:01 2886957 /usr/lib64/libz.so.1.2.8
7fc09286b000-7fc09286e000 r-xp 00000000 fe:01 2886675 /usr/lib64/libdl-2.22.so
7fc09286e000-7fc092a6d000 ---p 00003000 fe:01 2886675 /usr/lib64/libdl-2.22.so
7fc092a6d000-7fc092a6e000 r--p 00002000 fe:01 2886675 /usr/lib64/libdl-2.22.so
7fc092a6e000-7fc092a6f000 rw-p 00003000 fe:01 2886675 /usr/lib64/libdl-2.22.so
7fc092a6f000-7fc092a90000 r-xp 00000000 fe:01 2886624 /usr/lib64/ld-2.22.so
7fc092bf6000-7fc092c02000 rw-p 00000000 00:00 0
7fc092c02000-7fc092c85000 r-xp 00000000 fe:01 2886923 /usr/lib64/libsystemd.so.0.9.0
7fc092c85000-7fc092c88000 r--p 00082000 fe:01 2886923 /usr/lib64/libsystemd.so.0.9.0
7fc092c88000-7fc092c89000 rw-p 00085000 fe:01 2886923 /usr/lib64/libsystemd.so.0.9.0
7fc092c89000-7fc092c8a000 rw-p 00000000 00:00 0
7fc092c8c000-7fc092c8f000 rw-p 00000000 00:00 0
7fc092c8f000-7fc092c90000 r--p 00020000 fe:01 2886624 /usr/lib64/ld-2.22.so
7fc092c90000-7fc092c91000 rw-p 00021000 fe:01 2886624 /usr/lib64/ld-2.22.so
7fc092c91000-7fc092c92000 rw-p 00000000 00:00 0
7fff87259000-7fff8727a000 rw-p 00000000 00:00 0 [stack]
7fff87338000-7fff8733c000 r--p 00000000 00:00 0 [vvar]
7fff8733c000-7fff8733e000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
/tmp/run.sh: line 4: 19 Aborted /usr/sbin/slpd -d
The SLPFindSrvs function appears to crash when a filter is provided. This simple command line example causes it:
slptool -u localhost findsrvs service:ntp "(foo=bar)"
For testing, I'm using docker run -d -p 427:427/tcp -p 427:427/udp vcrhonek/openslp
Here's the backtrace: