Crash in sendto_kdc.c

mogasale.tech mogasale.tech at gmail.com
Thu Oct 4 08:47:06 EDT 2018


Hi Team,



This is a continuation of the threads below:

   1. http://mailman.mit.edu/pipermail/kfwdev/2018-February/date.html
   2. http://mailman.mit.edu/pipermail/kfwdev/2018-May/date.html



We could get a crash dump for the scenarios explained above. From the dump,
below are the observations:

   1. The crash is happening within “service_tcp_write” function of
   “sendto_kdc.c”, while executing the if condition “if ((size_t)nwritten <
   SG_LEN(sgp))”.
   2. The issue doesn’t happen for all the requests, but is frequent in a
   specific environment. We have not been able to determine a specific pattern
   yet.
   3. The observed values for relevant fields/variables from one of the
   dumps are as below; all the dumps have values in the same pattern:

      conn.state = WRITING
      conn.addr.transport = TCP
      conn.addr.family = 2
      conn.addr.len = 16
      conn.out.sgbuf[0] = {len = 4, buff = ‘\0’}
      conn.out.sgbuf[1] = {len = 1882, buff = ‘some data’}
      conn.out.sgp = {len=??? buf=??? }
      conn.out.sg_count = -10339
      conn.out.msg_len_buf = ""
      nwritten = 3199132154



From the values above, it looks similar to the second possibility suggested
in http://mailman.mit.edu/pipermail/kfwdev/2018-February/000892.html.
However, we do not have any clue yet on what could be causing this.



Any help on this will be appreciated. Thanks


PS: We are using krb5 tag version 1.16-final
(https://github.com/krb5/krb5/blob/krb5-1.16-final/src/lib/krb5/os/sendto_kdc.c)



Regards,

Rama

