Subject: Re: vtun 2.6nb4 broken? (Fixed!)
To: None <tech-pkg@NetBSD.org>
From: Curt Sampson <cjs@cynic.net>
List: tech-pkg
Date: 09/06/2004 15:55:12
On Mon, 6 Sep 2004, Curt Sampson wrote:

> I've just built vtund-2.6nb4, and it seems that it can connect with
> neither 2.6nb3 nor itself. In both cases, the client says "connection
> denied" and the server says nothing except the initial startup message:
>
>     VTUN server ver (Name,0) 09/06/2004 (inetd)
>
> Any thoughts?

Well, I have further info now. It dumps core here:

    Program terminated with signal 11, Segmentation fault.
    ...
    (gdb) bt
    #0  0x10206fcc in strlen () from /usr/lib/libc.so.12
    #1  0x101fce34 in vfprintf () from /usr/lib/libc.so.12
    #2  0x101e5e24 in vsnprintf () from /usr/lib/libc.so.12
    #3  0x15238 in print_p ()
    #4  0x16368 in auth_server ()
    #5  0x14b28 in connection ()
    #6  0x14e68 in server ()
    #7  0x12148 in main ()
    #8  0x11ab8 in ___start ()

print_p is pretty simple: it allocates a buffer of VTUN_MESG_SIZE (which
is 60--maybe a bit short?) and does a vsnprintf to it, and then writes
the result to a file descriptor.

But which print_p in auth_server is invoked? Well, here's the final thing
it does before it dies:

     28710 vtund    CALL  write(0x4,0xeffff7e0,0x3c)
     28710 vtund    GIO   fd 4 wrote 60 bytes
	   "OK CHALCLI: <emgmgaiiamidceaaockmgogfacdapfpm>
	    \0\0\0\0\0\0\0\0\0\0\0\0\0"
     28710 vtund    RET   write 60/0x3c
     28710 vtund    CALL  select(0x5,0xeffff800,0,0,0xeffff7f8)
     28710 vtund    RET   select 1
     28710 vtund    CALL  read(0x4,0xeffff8e8,0x3c)
     28710 vtund    GIO   fd 4 read 60 bytes
	   "CHALSRV: <ndeifojpkclgfklhmoeaicenfeaaenhf>
	    \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
     28710 vtund    RET   read 60/0x3c
     28710 vtund    PSIG  SIGSEGV SIG_DFL
     28710 vtund    NAMI  "vtund.core"

So maybe this one?

    print_p (fd, "OK RESPSRV: %s %s\n", cl2cs (chal_resh, VTUN_RESP_HASH_SIZE));

Oh, hang on; what are *two* "%s" tokens doing in there, when we pass in
only one argument?

Take out one of the "%s" thingies, and sure enough, the server now works.

But how did it work before? Luck? I don't see any deleted patches or
anything like that. Maybe because I was doing this on an i386 before, and
not a Sparc.

Anyway, I'll commit a patch for this.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.NetBSD.org
     Make up enjoying your city life...produced by BIC CAMERA
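The crash above is a printf-style call whose format string names two "%s" conversions while only one argument is supplied, so vsnprintf dereferences whatever happens to sit where the second argument would be; on i386 that garbage was apparently readable, on SPARC it was not. The following C is an added example, not code from vtun or from the mail: it shows a print_p-style helper with the 60-byte VTUN_MESG_SIZE buffer annotated so that -Wformat reports an argument-count mismatch at compile time, plus a small count_conversions() checker that counts how many arguments a format string expects. The names count_conversions, format_mesg and demo_truncation are assumptions made for this example; VTUN_MESG_SIZE and print_p mirror the mail.

```c
/* Added example (not vtun's code): a print_p-style helper that the
 * compiler can check, plus a checker for the number of arguments a
 * printf-style format string consumes. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define VTUN_MESG_SIZE 60          /* fixed message size, as in the mail */

/* With GCC/Clang, mark a function as printf-like so that -Wformat flags
 * a call such as print_p(fd, "OK RESPSRV: %s %s\n", one_arg). */
#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Count the arguments a printf-style format consumes. "%%" consumes
 * none; every other '%' introduces one conversion, and a '*' field width
 * or precision consumes one extra argument. (Assumed helper.) */
int count_conversions(const char *fmt)
{
    int n = 0;
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {           /* literal percent sign */
            p++;
            continue;
        }
        /* flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*')
                n++;
            p++;
        }
        if (*p == '\0')
            break;                 /* lone trailing '%': malformed */
        n++;                       /* the conversion character itself */
        p++;
    }
    return n;
}

/* Format into a zero-filled VTUN_MESG_SIZE buffer, mirroring the
 * NUL-padded 60-byte writes seen in the ktrace. Returns the length of
 * the formatted text, or -1 if it did not fit. */
static int vformat_mesg(char *buf, const char *fmt, va_list ap)
{
    int n;
    memset(buf, 0, VTUN_MESG_SIZE);
    n = vsnprintf(buf, VTUN_MESG_SIZE, fmt, ap);
    if (n < 0 || n >= VTUN_MESG_SIZE)
        return -1;                 /* truncated: caller must not send it */
    return n;
}

int format_mesg(char *buf, const char *fmt, ...) PRINTF_LIKE(2, 3);
int format_mesg(char *buf, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vformat_mesg(buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Send exactly one VTUN_MESG_SIZE message on fd. Returns 0 on success,
 * -1 if the message was truncated or the write failed. */
int print_p(int fd, const char *fmt, ...) PRINTF_LIKE(2, 3);
int print_p(int fd, const char *fmt, ...)
{
    char buf[VTUN_MESG_SIZE];
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vformat_mesg(buf, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return write(fd, buf, sizeof buf) == (ssize_t)sizeof buf ? 0 : -1;
}

/* Show the truncation path: a constructed 70-character payload cannot fit
 * in the 60-byte buffer, so format_mesg refuses it instead of sending a
 * silently cut-off message. */
int demo_truncation(void)
{
    char buf[VTUN_MESG_SIZE], big[71];
    memset(big, 'x', 70);
    big[70] = '\0';
    return format_mesg(buf, "OK RESPSRV: %s\n", big);
}

int main(void)
{
    /* constructed response hash standing in for cl2cs(chal_resh, ...) */
    const char *resp = "ndeifojpkclgfklhmoeaicenfeaaenhf";
    printf("\"OK RESPSRV: %%s %%s\\n\" expects %d args\n",
           count_conversions("OK RESPSRV: %s %s\n"));
    return print_p(STDOUT_FILENO, "OK RESPSRV: %s\n", resp) == 0 ? 0 : 1;
}
```

Compiled with -Wformat (on by default under -Wall), the annotated print_p makes the original two-"%s" call a compile-time warning rather than a SPARC-only core dump; count_conversions() is the same check done at run time, useful when format strings are assembled or audited outside the compiler's view.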