[Patches] [ python-Patches-633013 ] Fix NIS causing interpreter core dump

noreply@sourceforge.net noreply@sourceforge.net
Sun, 03 Nov 2002 16:54:44 -0800

Patches item #633013, was opened at 2002-11-03 16:44
You can respond by visiting: 

Category: Core (C code)
Group: Python 2.2.x
Status: Open
Resolution: None
Priority: 5
Submitted By: Neal Norwitz (nnorwitz)
Assigned to: Nobody/Anonymous (nobody)
Summary: Fix NIS causing interpreter core dump

Initial Comment:
When running on the Compaq test drive machines,
test_nis will cause the interpreter to core dump.  The
attached patch prevents the core dump which is caused
by passing a negative value to
PyString_FromStringAndSize().  I'm not sure if it's
100% correct, but the test passes and the interpreter
doesn't core dump.

Anyone else know if this is correct?  I'll apply to
prevent the core dump, unless someone complains.


>Comment By: Neal Norwitz (nnorwitz)
Date: 2002-11-03 19:54

Logged In: YES 

How can I tell if NIS+ is being used?  Martin, do you have an
account on the Compaq testdrive machines?

The values are -1 coming in from yp_all as seen from the
stack trace:

#1  0x8f44c in PyString_FromStringAndSize (str=0x7f7f2e18
    size=-1) at Objects/stringobject.c:85
#2  0xc11ca5bc in nis_foreach (instatus=1, 
    inkey=0x7f7f2e18 "\377\377\377\377", inkeylen=-1, 
    inval=0x7f7f3220 "{\004\006P", invallen=-1,
    at /tmp/python/Modules/nismodule.c:95
#3  0xc02ff02c in xdr_ypall () from /usr/lib/libnsl.1
#4  0xc02daab4 in xdrrec_skiprecord () from /usr/lib/libnsl.1
#5  0xc02f88c8 in yp_all () from /usr/lib/libnsl.1
#6  0xc11cad68 in nis_cat (self=0x0, args=0x40c80a48)
    at /tmp/python/Modules/nismodule.c:168

I don't see a specific problem from the man page.  Here are
some relevant sections:

int yp_all(
     char *indomain,
     char *inmap,
     struct ypall_callback *incallback );

struct ypall_callback *incallback {
    int (*foreach)();
    char *data;
};

The function foreach() is called as follows:
      int instatus;
      char *inkey;
      int inkeylen;
      char *inval;
      int invallen;
      char *indata;
instatus  Holds one of the return status values defined in
          <rpcsvc/yp_prot.h>: either YP_TRUE
          or an error code (see ypprot_err()
          below, for a function that converts
          a NIS protocol error code to a
          ypclnt layer error code, as defined
          in <rpcsvc/ypclnt.h>).
inkey     The key and value parameters are
inval     somewhat different than defined in
          the SYNOPSIS section above.  First,
          the memory pointed to by inkey and
          inval is private to yp_all(), and
          is overwritten with the arrival of
          each new key-value pair.
          Therefore, foreach() should do
          something useful with the contents
          of that memory, but it does not own
          the memory.  Key and value objects
          presented to the foreach() look
          exactly as they do in the server's
          map.  Therefore, if they were not
          newline-terminated or null-
          terminated in the map, they will
          not be terminated with newline or
          null characters here, either.
indata    Is the contents of the
          incallback->data element passed to
          yp_all().  The data element of the
          callback structure can share state
          information between foreach() and
          the mainline code.  Its use is
          optional, and no part of the NIS
          client package inspects its
          contents.  Cast it to something
          useful or ignore it as appropriate.

The foreach() function is Boolean.  It should
return zero to indicate it needs to be called
again for further received key-value pairs, or
non-zero to stop the flow of key-value pairs.  If
foreach() returns a non-zero value, it is not
called again and the functional value of yp_all()
is then 0.


Comment By: Martin v. Löwis (loewis)
Date: 2002-11-03 18:11

Logged In: YES 

A quick test shows that indeed the if(fix) block causes the
trouble; it crashes with mail.aliases, because both strings
are empty.

I'm not entirely sure what the fix mechanism is supposed to
achieve; it does appear that it indeed avoids copying an
extra null byte on Solaris. The comment about "makedbm -a"
sounds mystical: makedbm has no documented -a option. We
should probably ask Fred Gansevles, who added this in 2.15.
There is also a GvR comment which says it doesn't work for NIS+.

Unless a better strategy shows up, I suggest skipping entries
which have both empty keys and values.


Comment By: Martin v. Löwis (loewis)
Date: 2002-11-03 17:32

Logged In: YES 

The patch looks wrong. What is the value of inkeylen and
invallen at the point of the crash? Might it be -1, due to
the prior decrement?

Was that for a 32-bit or a 64-bit binary? Could it be that
Python is using an incorrect signature of the foreach
function (despite the man page saying that this is the
correct signature)?

Could it be that the data are really large unsigned numbers?
If so, what are the corresponding data? The foreach function
is supposedly called once per record, so both sizes ought to
be small.

I am concerned about thread-safety of this entire module,
though. yp_all is invoked with the GIL released, yet the
callback function calls interpreter API. This asks for a
disaster if other threads simultaneously access the interpreter.

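
An added example, not code from Modules/nismodule.c or from the attached patch: a foreach()-style callback in C that strips a trailing NUL only when one is actually present, refuses negative lengths such as the -1 seen in the stack trace, and skips records whose key and value are both empty. The names naive_len, safe_len, demo_foreach, the struct layouts and the size limits are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define DEMO_YP_TRUE 1   /* assumed status value; matches instatus=1 in the trace */
#define MAX_ENTRIES  8   /* illustrative limits, not taken from the page */
#define MAX_LEN      64

struct entry { char key[MAX_LEN]; int keylen; char val[MAX_LEN]; int vallen; };
struct state { struct entry e[MAX_ENTRIES]; int count; int skipped; int fix; };

/* Unguarded adjustment: always drop one byte for a presumed trailing NUL.
 * An empty string (length 0) becomes -1. */
int naive_len(int len, int fix) { return fix ? len - 1 : len; }

/* Guarded adjustment: strip a trailing NUL only if one is really there.
 * Returns the usable length, or -1 when the size cannot be trusted. */
int safe_len(const char *buf, int len, int fix)
{
    if (buf == NULL || len < 0 || len > MAX_LEN)
        return -1;
    if (fix && len > 0 && buf[len - 1] == '\0')
        len--;
    return len;
}

/* foreach()-style callback: 0 = call again, non-zero = stop the flow.
 * Key and value are copied because yp_all() owns and reuses that memory. */
int demo_foreach(int instatus, const char *inkey, int inkeylen,
                 const char *inval, int invallen, char *indata)
{
    struct state *st = (struct state *)indata;
    if (instatus != DEMO_YP_TRUE)
        return 1;
    int klen = safe_len(inkey, inkeylen, st->fix);
    int vlen = safe_len(inval, invallen, st->fix);
    if (klen < 0 || vlen < 0 || st->count == MAX_ENTRIES)
        return 1;                      /* never copy with a bad size */
    if (klen == 0 && vlen == 0) {      /* skip empty key + empty value */
        st->skipped++;
        return 0;
    }
    struct entry *e = &st->e[st->count++];
    memcpy(e->key, inkey, (size_t)klen); e->keylen = klen;
    memcpy(e->val, inval, (size_t)vlen); e->vallen = vlen;
    return 0;
}
```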
