[Bug 1904601] Re: lftp 4.8.1 crashes upon exit

Nicolás Alvarez 1904601 at bugs.launchpad.net
Mon Nov 23 03:44:36 UTC 2020 

In my particular case, it *started* crashing after upgrading from
4.8.1-1ubuntu0.1 to 4.8.1-1ubuntu0.2.

With 4.8.1-1ubuntu0.1:
lftp -e 'connect sftp://10.0.2.2 -u nicolas,password42;ls /tmp;exit' # OK
lftp -e 'connect sftp://10.0.2.2 -u nicolas,password42;ls /tmp/ssltest;exit' # crash
lftp -e 'get gnu/glibc/nss_db-2.2.tar.gz;exit' ftp.gnu.org # crash, this was the LP:1902832 testcase

With 4.8.1-1ubuntu0.2:
lftp -e 'connect sftp://10.0.2.2 -u nicolas,password42;ls /tmp;exit' # crash (regression)
lftp -e 'connect sftp://10.0.2.2 -u nicolas,password42;ls /tmp/ssltest;exit' # crash
lftp -e 'get gnu/glibc/nss_db-2.2.tar.gz;exit' ftp.gnu.org # OK (fixed)

However, I think the first case worked on 0.1 out of sheer memory-layout
chance, because valgrind shows errors on both versions.

What makes it crash or not may even depend on the length of the output
(and thus the contents of the remote server). And I have sometimes seen
"lftp: RateLimit.cc:30: void RateLimit::AddXfer(int): Assertion
`xfer_number>=0' failed." and other times only "Segmentation fault". But
valgrind should reliably show that corruption happened whether it
crashes in practice or not.

With 4.8.1-1ubuntu0.1:
$ valgrind lftp -e 'connect sftp://10.0.2.2 -u nicolas,longpassword42;ls /tmp;exit'
[trim directory listing]
==4276== Invalid read of size 4
==4276==    at 0x2184B0: RateLimit::~RateLimit() (in /usr/bin/lftp)
==4276==    by 0x218B18: xmap_p<RateLimit>::~xmap_p() (in /usr/bin/lftp)
==4276==    by 0x6224160: __run_exit_handlers (exit.c:108)
==4276==    by 0x6224259: exit (exit.c:139)
==4276==    by 0x6202BFD: (below main) (libc-start.c:344)
==4276==  Address 0x8053cd0 is 16 bytes inside a block of size 88 free'd
==4276==    at 0x4C3323B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4276==    by 0x218B25: xmap_p<RateLimit>::~xmap_p() (in /usr/bin/lftp)
==4276==    by 0x6224160: __run_exit_handlers (exit.c:108)
==4276==    by 0x6224259: exit (exit.c:139)
==4276==    by 0x6202BFD: (below main) (libc-start.c:344)
==4276==  Block was alloc'd at
==4276==    at 0x4C3217F: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4276==    by 0x218A09: RateLimit::init(RateLimit::level_e, char const*) (in /usr/bin/lftp)
==4276==    by 0x218A2C: RateLimit::init(RateLimit::level_e, char const*) (in /usr/bin/lftp)
==4276==    by 0x211018: SFtp::Do() (in /usr/bin/lftp)
==4276==    by 0x1A97C4: SMTask::ScheduleThis() (in /usr/bin/lftp)
==4276==    by 0x1A99D0: SMTask::Schedule() (in /usr/bin/lftp)
==4276==    by 0x16614C: Job::WaitDone() (in /usr/bin/lftp)
==4276==    by 0x15CBE3: main (in /usr/bin/lftp)
==4276== 
==4276== Invalid read of size 8
==4276==    at 0x2184B5: RateLimit::~RateLimit() (in /usr/bin/lftp)
==4276==    by 0x218B18: xmap_p<RateLimit>::~xmap_p() (in /usr/bin/lftp)
==4276==    by 0x6224160: __run_exit_handlers (exit.c:108)
==4276==    by 0x6224259: exit (exit.c:139)
==4276==    by 0x6202BFD: (below main) (libc-start.c:344)
==4276==  Address 0x8053cc8 is 8 bytes inside a block of size 88 free'd
==4276==    at 0x4C3323B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4276==    by 0x218B25: xmap_p<RateLimit>::~xmap_p() (in /usr/bin/lftp)
==4276==    by 0x6224160: __run_exit_handlers (exit.c:108)
==4276==    by 0x6224259: exit (exit.c:139)
==4276==    by 0x6202BFD: (below main) (libc-start.c:344)
==4276==  Block was alloc'd at
==4276==    at 0x4C3217F: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4276==    by 0x218A09: RateLimit::init(RateLimit::level_e, char const*) (in /usr/bin/lftp)
==4276==    by 0x218A2C: RateLimit::init(RateLimit::level_e, char const*) (in /usr/bin/lftp)
==4276==    by 0x211018: SFtp::Do() (in /usr/bin/lftp)
==4276==    by 0x1A97C4: SMTask::ScheduleThis() (in /usr/bin/lftp)
==4276==    by 0x1A99D0: SMTask::Schedule() (in /usr/bin/lftp)
==4276==    by 0x16614C: Job::WaitDone() (in /usr/bin/lftp)
==4276==    by 0x15CBE3: main (in /usr/bin/lftp)

The 4.8.1-1ubuntu0.2 valgrind trace appears to be the same.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to lftp in Ubuntu.
https://bugs.launchpad.net/bugs/1904601

Title:
  lftp 4.8.1 crashes upon exit

Status in lftp package in Ubuntu:
  Confirmed

Bug description:
  Release: Ubuntu 18.04.5 LTS
  Package: 4.8.1-1ubuntu0.2

  lftp 4.8.1 and 4.8.2 have a known bug where it will crash upon exit.
  This bug was fixed on Oct 3, 2017 and is included in lftp 4.8.3.

  This is the error reported on the console:
  RateLimit.cc:30: void RateLimit::AddXfer(int): Assertion `xfer_number>=0' failed.

  Here is the commit that addresses the issue:
  https://github.com/lavv17/lftp/commit/8ac64e9d664270d67fa4b8f75186af0884c030f0

  Currently lftp is not usable in scripts due to the segfault / core
  dump.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lftp/+bug/1904601/+subscriptions

More information about the foundations-bugs mailing list