[Python-bugs-list] [ python-Bugs-476648 ] socket.getnameinfo crashes interpreter

noreply@sourceforge.net noreply@sourceforge.net
Fri, 02 Nov 2001 09:20:11 -0800


Bugs item #476648, was opened at 2001-10-30 20:58
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=476648&group_id=5470

Category: Python Library
Group: None
Status: Open
Resolution: Works For Me
Priority: 7
Submitted By: Mark Rowe (icep17)
Assigned to: Martin v. Löwis (loewis)
Summary: socket.getnameinfo crashes interpreter

Initial Comment:
When making an invalid call to socket.getnameinfo() it
is possible to crash the interpreter.  From what I've
seen, this occurs under Windows ME with Python 2.2b1
and Windows 98 with Python 2.2a3.  It does not occur
under Mandrake 8.0 with Python 2.2a3.

>>> import socket
>>> socket.getnameinfo(socket.inet_aton('127.0.0.1'), 0)

This results with Python causing an error in
MSVCRT.DLL.  Under Mandrake 8.0 it causes the expected
exception:

Traceback (most recent call last):
  File "<stdin>", line 1, in ?
SystemError: new style getargs format but argument is
not a tuple


----------------------------------------------------------------------

>Comment By: Tim Peters (tim_one)
Date: 2001-11-02 09:20

Message:
Logged In: YES 
user_id=31435

Martin, I was wrong about one thing:  scope_id isn't 
uninitialized stack trash, it's forced to 0.  So one way to 
reliably provoke the first problem is simply to pass an 
argument with a value for scope_id (then the 0 passed for 
scope_id looks like a NULL pointer to PyArg_ParseTuple).  
Like, say,

>>> socket.getnameinfo(('x', 0, 0, 0), 0)

Boom.  I don't know how to reliably provoke a visible 
symptom for the decref problem, though, short of using a 
debug build and watching for the "negative refcount" 
message.

----------------------------------------------------------------------

Comment By: Martin v. Löwis (loewis)
Date: 2001-11-02 01:05

Message:
Logged In: YES 
user_id=21627

Mark,
Thanks for your report. It seems Tim is right on all
accounts, so there is no need for you to gather further
information. I'll try to come up with a scenario where the
crash is more reproducible, and check in a fix shortly.

----------------------------------------------------------------------

Comment By: Tim Peters (tim_one)
Date: 2001-11-01 21:24

Message:
Logged In: YES 
user_id=31435

Re-opened this and raised priority.  Martin, near the start 
of PySocket_getnameinfo we've got

n = PyArg_ParseTuple(sa, "si|ii", &hostp, &port, &flowinfo, scope_id);

and that's surely incorrect (note that we're not passing 
the address of scope_id there!  we're passing its value, 
and scope_id is uninitialized stack trash).

There's more than just that going on here, though.  If 
that's repaired, the PyArg_ParseTuple fails, and so it 
jumps to the "fail:" label, and sa gets decref'ed there.  
But sa was obtained from a previous PyArg_ParseTuple call, 
so should not be decref'ed by this routine (this routine 
has a borrowed reference to sa).  That part almost 
certainly explains the "negative refcount" msg icep17 sees 
in a debug build.

----------------------------------------------------------------------
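The two defects Tim describes above (a variadic parser handed the value of `scope_id` instead of its address, and a failure path that decref's a borrowed reference), modelled in a self-contained toy. This is an added example, not code from the thread or from CPython: `Obj`, `obj_decref`, `parse_tuple`, `getnameinfo_args` and `simulate_buggy_fail_path` are stand-ins constructed here for `PyObject`, `Py_DECREF`, `PyArg_ParseTuple` and the socket module's own routine.

```c
#include <stdarg.h>
#include <stdlib.h>

/* Toy refcounted object standing in for a PyObject (constructed for this example). */
typedef struct { long refcnt; const char *name; } Obj;

/* Stand-in for the debug build's check in tupleobject.c that printed
   "negative ref count": remember whether a count ever dropped below zero. */
static int negative_refcount_seen = 0;
static void obj_decref(Obj *o) { if (--o->refcnt < 0) negative_refcount_seen = 1; }

/* Minimal "si|ii"-style parser: each conversion WRITES THROUGH a pointer taken
   from the varargs list. Being variadic, it is typeless: the compiler cannot tell
   scope_id (an int that is 0, i.e. reads as a NULL pointer) from &scope_id. */
static int parse_tuple(const char *fmt, int argc, const char **argv, ...) {
    va_list ap; int i = 0, optional = 0, ok = 1;
    va_start(ap, argv);
    for (; *fmt && ok; fmt++) {
        if (*fmt == '|') { optional = 1; continue; }
        if (i >= argc) { ok = optional; break; }   /* a missing optional item is fine */
        if (*fmt == 's') *va_arg(ap, const char **) = argv[i++];
        else if (*fmt == 'i') *va_arg(ap, int *) = atoi(argv[i++]);
        else ok = 0;
    }
    va_end(ap);
    return ok;
}

/* Corrected shape of the argument handling: sa is a BORROWED reference (the caller
   of the outer parse owns it), so the failure path leaves its refcount alone, and
   every output variable, scope_id included, is passed by address. */
static int getnameinfo_args(Obj *sa, int argc, const char **argv, int *port_out, int *scope_out) {
    const char *hostp = NULL; int port = 0, flowinfo = 0, scope_id = 0;
    (void)sa;   /* borrowed: nothing to release here, on success or on failure */
    if (!parse_tuple("si|ii", argc, argv, &hostp, &port, &flowinfo, &scope_id))
        return 0;
    *port_out = port; *scope_out = scope_id;
    return 1;
}

/* The original "fail:" behaviour for comparison: the routine releases the borrowed
   sa, then the real owner releases its own reference and the count goes negative,
   which is what the debug build reported. */
static int simulate_buggy_fail_path(void) {
    Obj sa = { 1, "sa" };   /* the owner holds the single reference */
    obj_decref(&sa);        /* buggy fail path decref's a reference it does not own */
    obj_decref(&sa);        /* owner releases its own reference -> refcnt is now -1 */
    return negative_refcount_seen;
}
```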

Comment By: Nobody/Anonymous (nobody)
Date: 2001-11-01 20:15

Message:
Logged In: NO 

I can reproduce it with 2.2b1 on Win9x, and by using that 
same code.

----------------------------------------------------------------------

Comment By: Mark Rowe (icep17)
Date: 2001-11-01 20:05

Message:
Logged In: YES 
user_id=147838

Under Windows ME with Python 2.2b1 I still get the crash.  I
have asked my friend to check it (Windows 95c Python 2.2b1)
and he also gets the crash.  I compiled the debug build of
Python and running the above code in an interpreter session
gives:

Adding parser accelerators ...
Done.
Python 2.2b1 (#25, Oct 21 2001, 13:42:02) [MSC 32 bit
(Intel)] on win32
Type "help", "copyright", "credits" or "license" for more
information.
>>> import socket
[8983 refs]
>>> socket.getnameinfo(socket.inet_aton('127.0.0.1'), 0)
C:\Program Files\python22\Python-2.2b1\Objects\tupleobject.c:147 negative ref count -572662308
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
SystemError: new style getargs format but argument is not a
tuple
[9020 refs]
>>>

The Debug build of Python does not crash, but instead
reports a negative reference count, which could be the cause
of the crash in the release build.  As I am not too familiar
with the internals of Python I have trouble understanding
what is happening when running the interpreter under the
debugger, but if you would like some more detail I will
happily provide it.

----------------------------------------------------------------------

Comment By: Martin v. Löwis (loewis)
Date: 2001-11-01 06:22

Message:
Logged In: YES 
user_id=21627

I cannot reproduce this in 2.2b1 (it works the same on 
Win32 as it does on Linux), but I also fail to see what 
code change may have caused it to fail in 2.2a3.

Please update to 2.2b1 and retest; if it still happens, 
check that you don't have any extra copies of 
python22.dll. If so, please add a note in this report, and 
we'll re-open it.

If you can, it would help enormously if you could run the 
program in a debugger and report the stack trace in case 
of error, and the file and line number causing the crash.

----------------------------------------------------------------------
