clamav-devel July 2008 archive

[Clamav-devel] Segfault in freshclam (current svn trunk)

From: Bernhard Schmidt <berni_at_nospam>
Date: Tue Jul 22 2008 - 23:26:54 GMT


I am the creator of bug #715 ( which requested IPv6 support in freshclam. As it got integrated in r3940 I created custom .deb packages and installed them on both of my test hosts:

  • #1 Debian Lenny VM (KVM), i386
  • #2 Ubuntu Hardy VM (Xen), amd64

Both freshclam.conf files point to rotation.

#2 has never been upgraded and still runs r3940 without any apparent problems. I've rebuilt the Debian packages using the current trunk revision for #1 several times and noticed that freshclam started to crash every now and then recently. I'm pretty sure it has started with revision r3947 which integrated a new mirror loadbalancing code.

Here is a collection of debugging information I've sent to #clamav; I think it's better suited here on the ML.

gdb bt (r3955):

valgrind (r3976):

I've tried to understand the code but I don't think it should be happening. I've added a few debug printf statements and it looks like the tempname variable in freshclam/manager.c:getpatch() gets trashed. It is fine before and when calling getfile() in manager.c:904, fine throughout the whole getfile() function (I've added a printf right before return there), but is trashed at the following open statement in manager.c:912. Partial strace for this is

    write(1, "Downloading daily-7743.cdiff [10"..., 36) = 36
    open(0x303431, O_RDONLY) = -1 EFAULT (Bad address)
    --- SIGSEGV (Segmentation fault) @ 0 (0) ---

so it looks like something is overwriting the pointer. I'm not an experienced C coder so I'm stuck here, maybe someone more experienced can have a look at this.

Crashes don't happen always, I've had cases where freshclam crashed repeatedly directly at startup, but sometimes it took a couple of hours or even days before it crashed. But the bogus pointer 0x303431 seems to be stable.

Bernhard

Please submit your patches to our Bugzilla:
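As an added illustration, not part of Bernhard's report and not an analysis of the actual freshclam defect (the page does not establish what overwrote the pointer): a stable bogus pointer such as 0x303431 is worth reading as bytes. On a little-endian host like the reporter's i386 VM those bytes are 0x31 0x34 0x30 0x00, i.e. the NUL-terminated string "140", which is the signature of a string copy running past a fixed-size field into the pointer stored right after it. The C below is constructed for this purpose: `decode_pointer_as_ascii` is a hypothetical diagnostic helper that decodes a pointer value this way, and `simulate_overlong_copy` reproduces the mechanism on a constructed `struct record` (a text field followed by a pointer), not on ClamAV's own data structures.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a suspicious pointer value as the little-endian bytes it is made of.
 * Returns the number of printable characters found before the first NUL or
 * non-printable byte; `out` receives them as a C string. A value such as
 * 0x303431 comes back as "140", which is what it looks like when a
 * NUL-terminated string of digits has been written over a pointer.
 * Assumes a little-endian host (true of i386 and amd64). */
size_t decode_pointer_as_ascii(unsigned long long value, char *out, size_t outlen)
{
    size_t n = 0;
    while (n + 1 < outlen) {
        unsigned char b = (unsigned char)(value & 0xff);
        if (b == 0 || !isprint(b))
            break;
        out[n++] = (char)b;
        value >>= 8;
    }
    out[n] = '\0';
    return n;
}

/* Constructed record: a fixed-size text field followed immediately by a
 * pointer, the layout in which an overlong copy into the field clobbers the
 * pointer. This simulates the general mechanism; it is not freshclam's code. */
struct record {
    char  field[8];
    char *tempname;
};

/* Copy `src` (including its NUL) into the record starting at `field`, as an
 * unchecked copy would, and return the pointer's resulting raw value. The
 * record is zeroed first so the untouched pointer bytes are predictable; the
 * copy is clamped to the struct so the demo itself stays inside the object. */
unsigned long long simulate_overlong_copy(const char *src)
{
    struct record r;
    unsigned long long raw = 0;
    size_t len = strlen(src) + 1;

    memset(&r, 0, sizeof r);
    if (len > sizeof r)
        len = sizeof r;
    memcpy(&r, src, len);                    /* bytes beyond field[8] land in tempname */
    memcpy(&raw, &r.tempname, sizeof(char *)); /* read the pointer's bytes without dereferencing */
    return raw;
}

int main(void)
{
    char text[sizeof(unsigned long long) + 1];
    /* "versions140" is 11 characters plus NUL: "versions" fills the field and
     * "140\0" spills into the pointer, giving exactly the value from the report. */
    unsigned long long raw = simulate_overlong_copy("versions140");

    decode_pointer_as_ascii(raw, text, sizeof text);
    printf("pointer after overlong copy: %#llx decodes to \"%s\"\n", raw, text);

    decode_pointer_as_ascii(0x303431ULL, text, sizeof text);
    printf("reported bogus pointer 0x303431 decodes to \"%s\"\n", text);
    return 0;
}
```

Whether the real cause in freshclam was an overlong copy is not something this example settles; it only shows why a pointer that always decodes to the same short digit string points at a length or bounds problem in a nearby string buffer rather than at random memory corruption. In real code the out-of-bounds write itself is what to catch: building with AddressSanitizer (`-fsanitize=address`) or running under valgrind flags the write at the moment it happens instead of at the later open() that faults on the bad address.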