
crash when exiting several subscribed session at the same time #201

Closed
ntadas opened this issue Jun 7, 2016 · 3 comments

Comments

@ntadas
Contributor

ntadas commented Jun 7, 2016

Hi,

I have a new crash when exiting several sessions at the same time (in this case 3).
In the backtrace I have:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x4c7ff480 (LWP 2090)]
0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa330b1) at src/session.c:483
483 src/session.c: No such file or directory.
(gdb) backtrace
#0 0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa330b1) at src/session.c:483
#1 0x0f33cf7c in nc_session_free (session=0x4be91b40) at src/session.c:1365
#2 0x0fc75c64 in NetconfSession::~NetconfSession (this=0x1010ec08, __in_chrg=) at

...
(gdb) frame 1
print litem->offset_prev
$7 = 1331121664

Still, something is wrong with the linked lists.
I'll try to debug the issue a little bit more; if I find something I'll update the post.
(Not sure, maybe it's an issue with the last session being deleted?)

@ntadas
Contributor Author

ntadas commented Jun 7, 2016

This crash still happens, even with the fix for #199:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x4c7ff480 (LWP 2102)]
0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa33138) at src/session.c:483
483 src/session.c: No such file or directory.
(gdb) backtrace
#0 0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa33138) at src/session.c:483
#1 0x0f33d0b0 in nc_session_free (session=0x4ac0c988) at src/session.c:1401
#2 0x0fc75c64 in NetconfSession::~NetconfSession (this=0x100afc00,

...

(gdb) frame 1
#1 0x0f33d0b0 in nc_session_free (session=0x4ac0c988) at src/session.c:1401
1401 in src/session.c
(gdb) print aux->offset_next
No symbol "aux" in current context.
(gdb) frame 0
#0 0x0f33a8a4 in nc_session_monitor_remove (litem=0x4aa33138) at src/session.c:483
483 in src/session.c
(gdb) print aux->offset_next
Cannot access memory at address 0xfb4be33c
(gdb) print litem->offset_prev
$1 = 1331121664

I'm still trying to understand the pattern for this to happen, but it has to do with deleting and creating some subscriptions.

@ntadas
Contributor Author

ntadas commented Jun 7, 2016

Found the issue :)
While doing some debug and some code inspections I noticed the following:

  • In session.c line 374 you are calculating the size of the session entry as the size of the struct + username length + hostname length.
    If the username or hostname is not defined you add only 1.
    Later on, while populating the new session data, you do the following:

    strcpy(litem->data, (session->username == NULL) ? "UNKNOWN" : session->username);
    strcpy(litem->data + 1 + strlen(litem->data), (session->hostname == NULL) ? "UNKNOWN" : session->hostname);

If hostname or username is NULL you write UNKNOWN, but you have only allocated 1 byte for each one. This will cause the overwrite of the following entry.

In my debugging I noticed that the crash only happens if I delete the first session, create it again and then try to delete the second session (in my target the hostname is not defined).
Additionally, if you look at litem->offset_prev in the previous post, it converts to hex 4f 57 4e 00, which in ASCII matches OWN\0 (from UNKNOWN).
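To make the overflow concrete, the following is an added C example (not libnetconf's code): it models the size computation described above next to a corrected one and runs the two copies into a safely oversized arena so the bytes that would spill into the next entry can be inspected. The struct layout, the function names and UNKNOWN_STR are assumptions for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified entry (not libnetconf's real struct): a header
 * followed by username and hostname, NUL-terminated, back to back in data[]. */
struct mon_entry {
    int offset_prev;
    int offset_next;
    char data[];
};

#define UNKNOWN_STR "UNKNOWN"
/* Buggy sizing as the issue describes it: a NULL field is budgeted as 1 byte,
 * although "UNKNOWN" (8 bytes with its NUL) is what gets copied later. */
size_t entry_size_buggy(const char *username, const char *hostname)
{
    return sizeof(struct mon_entry)
         + (username ? strlen(username) + 1 : 1)
         + (hostname ? strlen(hostname) + 1 : 1);
}

/* Fix: substitute the placeholder before measuring, so the allocation is
 * sized from exactly the strings that will be written. */
size_t entry_size_fixed(const char *username, const char *hostname)
{
    const char *u = username ? username : UNKNOWN_STR;
    const char *h = hostname ? hostname : UNKNOWN_STR;
    return sizeof(struct mon_entry) + strlen(u) + 1 + strlen(h) + 1;
}

/* Runs the issue's two strcpy calls into an arena sized by `sizer` but backed
 * by enough memory for the worst case, so nothing is really overrun. Returns
 * how many bytes land past the computed allocation and copies them to `spill`. */
size_t simulate_copy(size_t (*sizer)(const char *, const char *),
                     const char *username, const char *hostname,
                     char *spill, size_t spill_cap)
{
    size_t alloc = sizer(username, hostname);
    size_t need = entry_size_fixed(username, hostname);
    char *arena = calloc(alloc > need ? alloc : need, 1);
    if (!arena) return 0;
    struct mon_entry *e = (struct mon_entry *)arena;
    strcpy(e->data, username ? username : UNKNOWN_STR);
    strcpy(e->data + 1 + strlen(e->data), hostname ? hostname : UNKNOWN_STR);
    size_t n = need > alloc ? need - alloc : 0;
    memcpy(spill, arena + alloc, n < spill_cap ? n : spill_cap);
    free(arena);
    return n;
}
```

With a defined username and an undefined hostname, the buggy sizing lets 7 bytes ("NKNOWN" plus the terminating NUL) land in whatever follows the entry, which is consistent with the "OWN\0" pattern seen in the neighbour's offset_prev above.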

@rkrejci rkrejci closed this as completed in 690abd0 Jun 8, 2016
@rkrejci
Contributor

rkrejci commented Jun 8, 2016

Good job! Please verify that the just committed patch really fixes the issue.
