NetBSD Problem Report #44594

From www@NetBSD.org  Thu Feb 17 17:54:57 2011
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id E171763B11D
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 17 Feb 2011 17:54:56 +0000 (UTC)
Message-Id: <20110217175456.3721563B100@www.NetBSD.org>
Date: Thu, 17 Feb 2011 17:54:56 +0000 (UTC)
From: M.Drochner@fz-juelich.de
Reply-To: M.Drochner@fz-juelich.de
To: gnats-bugs@NetBSD.org
Subject: kernel zlib reports false errors on decompression
X-Send-Pr-Version: www-1.0

>Number:         44594
>Category:       kern
>Synopsis:       kernel zlib reports false errors on decompression
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 17 17:55:00 +0000 2011
>Last-Modified:  Fri May 27 04:08:27 +0000 2011
>Originator:     Matthias Drochner
>Release:        current
>Organization:
FZJ
>Environment:
NetBSD zelz27 5.99.45 NetBSD 5.99.45 (MIST+MP+MODS) #220: Thu Feb 17 17:44:37 MET 2011  drochner@zelz27:/home/drochner/netbsd/work.src.usbdev/sys/arch/i386/compile/MIST+MP+MODS i386
>Description:
The inflate() function in sys/net/zlib.c reports a Z_BUF_ERROR (-5)
sometimes after a successful decompression. A condition for this
seems to be that the decompressed data end exactly at the end
of the output buffer.
This caused sporadic problems with FAST_IPSEC's IPCOMP, but
other clients might be affected too.
>How-To-Repeat:
I'll attach a small test program. Build against the kernel zlib code:
mkdir tmpdir
cd tmpdir
cp .../compbug.c .
cp ${BSDSRCDIR}/sys/net/zlib.* .
cc -I. compbug.c zlib.c
./a.out

To test against system libz:
cc compbug.c -lz
./a.out
>Fix:
Either hunt it down in the current code, or update to a newer
version.

>Release-Note:

>Audit-Trail:
From: Matthias Drochner <M.Drochner@fz-juelich.de>
To: <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: kern/44594: kernel zlib reports false errors on decompression 
Date: Thu, 17 Feb 2011 19:19:30 +0100

 --==_Exmh_792027469890
 Content-Type: text/plain; charset="us-ascii"
 Content-Transfer-Encoding: quoted-printable


 Here is the test program.



 --==_Exmh_792027469890
 Content-Type: text/plain; name="compbug.c"; charset="us-ascii"
 Content-Description: compbug.c
 Content-Disposition: attachment; filename="compbug.c"

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <err.h>
 #include "zlib.h"

 /* This unpacks into 1508, exactly 52*29. */
 unsigned char text[29] = {
 	0xe3,0x60,0xa8,0x9d,0x5e,0xf9,0x9d,0x81,0xc1,0x37,
 	0x56,0xc5,0x8f,0x81,0xb7,0x6f,0x07,0xc3,0x28,0x18,
 	0x05,0xa3,0x60,0x14,0x8c,0x82,0x61,0x03,0x00
 };
 #define FACTOR 4 /* fails with 1, 2, 4, 13, 26, 52 */

 static void *
 myalloc(void *o, unsigned int n, unsigned int s)
 {

 	return calloc(n, s);
 }
 static void
 myfree(void *o, void *p)
 {

 	free(p);
 }

 int
 main(void)
 {
 	int res, nbuf;
 	unsigned char buf1[10000];
 	z_stream z;

 	memset(&z, 0, sizeof(z));
 	z.next_in = text;
 	z.avail_in = sizeof(text);
 	z.zalloc = myalloc;
 	z.zfree = myfree;
 	z.opaque = 0;
 	z.next_out = buf1;
 	/* Output buffer size is a multiple of the input length. */
 	z.avail_out = FACTOR * sizeof(text);
 	/* Negative windowBits: raw deflate stream without a zlib header. */
 	res = inflateInit2(&z, -15);
 	if (res != Z_OK)
 		errx(1, "inflateInit: %d", res);
 	nbuf = 1;
 	for(;;) {
 		res = inflate(&z, Z_SYNC_FLUSH);
 		if (res != Z_OK)
 			break;
 		/* Buffer full: reuse it and count one more buffer. */
 		if (z.avail_out == 0) {
 			z.next_out = buf1;
 			z.avail_out = FACTOR * sizeof(text);
 			nbuf++;
 		}
 	}
 	/* Anything other than Z_STREAM_END is reported as a failure. */
 	if (res != Z_STREAM_END) {
 		printf("ai=%u ao=%u bufs=%d out=%lu\n",
 			z.avail_in, z.avail_out, nbuf, z.total_out);
 		errx(1, "inflate: %d", res);
 	}
 	printf("got %lu bytes in %d bufs\n", z.total_out, nbuf);
 	return 0;
 }

 --==_Exmh_792027469890--
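
Added example (not part of the PR and not NetBSD or zlib code): a minimal walker for the single fixed-Huffman deflate block in the compbug.c test vector. It counts the output bytes, records where the end-of-block code starts, and checks which FACTOR values make the output end exactly at the end of the output buffer, the condition named in the description. The helper names walk() and ends_on_boundary() are invented here, and only a final fixed-Huffman block is handled.

```c
#include <stdio.h>
/* Test vector copied from compbug.c above: one raw-deflate block. */
static const unsigned char text[29] = {
	0xe3,0x60,0xa8,0x9d,0x5e,0xf9,0x9d,0x81,0xc1,0x37,0x56,0xc5,0x8f,0x81,0xb7,
	0x6f,0x07,0xc3,0x28,0x18,0x05,0xa3,0x60,0x14,0x8c,0x82,0x61,0x03,0x00
};
static size_t pos;	/* bit cursor into text[]; reads past the end yield 0 */
static unsigned bit(void) { size_t p = pos++; return p < 8 * sizeof(text) ? (text[p >> 3] >> (p & 7)) & 1u : 0; }
/* Extra-bit fields are packed LSB first, Huffman codes MSB first. */
static unsigned bits(unsigned n) { unsigned v = 0, i; for (i = 0; i < n; i++) v |= bit() << i; return v; }
static unsigned code(unsigned n) { unsigned v = 0; while (n--) v = (v << 1) | bit(); return v; }

/* One literal/length symbol of the fixed Huffman code (RFC 1951, 3.2.6). */
static unsigned symbol(void) {
	unsigned c = code(7);
	if (c <= 23) return 256 + c;			/* 7-bit codes: 256..279 */
	c = (c << 1) | bit();
	if (c <= 191) return c - 48;			/* 8-bit codes: 0..143 */
	if (c <= 199) return 280 + (c - 192);		/* 8-bit codes: 280..287 */
	return 144 + (((c << 1) | bit()) - 400);	/* 9-bit codes: 144..255 */
}

/* Count output bytes; *eob gets the bit offset of the end-of-block code.
 * Returns 0 if text[] is not one final fixed block or has an invalid code. */
static size_t walk(size_t *eob) {
	size_t out = 0;
	unsigned s, e;
	pos = 0;
	if (bits(1) != 1 || bits(2) != 1) return 0;	/* BFINAL=1, BTYPE=01 */
	for (*eob = pos; (s = symbol()) != 256; *eob = pos) {
		if (s < 256) { out++; continue; }	/* literal byte */
		if (s > 285) return 0;			/* invalid length code */
		e = (s < 265 || s == 285) ? 0 : (s - 261) >> 2;	/* extra length bits */
		out += s < 265 ? s - 254 : s == 285 ? 258 : 3 + ((4 + ((s - 265) & 3)) << e) + bits(e);
		if ((s = code(5)) > 29) return 0;	/* distance code */
		bits(s < 4 ? 0 : (s >> 1) - 1);		/* skip distance extra bits */
	}
	return out;
}

/* Does the output end exactly at the end of a FACTOR * sizeof(text) buffer? */
static int ends_on_boundary(unsigned f) { size_t e, n = walk(&e); return n && n % (f * sizeof(text)) == 0; }

int main(void) {
	size_t eob, n = walk(&eob);
	printf("%zu bytes out; end-of-block code at bit %zu of %zu\n", n, eob, 8 * sizeof(text));
	for (unsigned f = 1; f <= 52; f++)
		if (ends_on_boundary(f)) printf("FACTOR %u: output ends on a buffer boundary\n", f);
	return 0;
}
```

For this vector the end-of-block code occupies the last 7 bits of the input, so once the 1508th byte has been written the stream has one symbol left and that symbol produces no output.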

>Unformatted:
