Tuesday, 18 June 2013

The printf recursive substitution trap (bug)

Working with embedded Linux boards makes me use systems that are often not very up to date.
The kernel is often dated, the compiler is often dated, the libraries are often dated.

On one system I'm using, the cross compiler is gcc 3.3.2 and the glibc version is 2.2.5.
On this system I've found a bug in the glibc printf family of functions that was quite difficult to track down.

The bug seems to be caused by a recursive substitution of the printf arguments: in printf("%s", text), if the text string itself contains the string "%s", the program on my embedded system crashes (with a bare "Killed" message and nothing more specific).

No help from core dumps, strace or dbg: I had to track it down step by step to find that the crash happens on an snprintf call, and ONLY if the substitution argument string contains a "%s".

So, what I think happens (though I'm not 100% sure) is that the substitution is also performed recursively on the second "%s" found, and the program is killed by the kernel's OOM Killer (Out-Of-Memory Killer) because the resulting string can't be allocated.


While experimenting with workarounds, I found that the bug also affects the strcat functions (maybe they're based on sprintf). I had to use memcpy instead.
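To make the behaviour described above testable, here is an added check (my own code, not the post's): on a correct libc, "%s" consumes exactly one argument and copies it verbatim, so the output must equal the input even when the input contains "%s". The second function is a bounds-safe version of the memcpy workaround the post mentions; the function names and the sample string are my own.

```c
#include <stdio.h>
#include <string.h>

/* Format TEXT through snprintf("%s") into OUT (capacity N) and compare.
   Returns 1 if the output equals TEXT byte for byte (correct behaviour),
   0 if the library altered it (e.g. substituted the inner "%s" again),
   -1 on error or truncation. Note that TEXT is passed as an ARGUMENT:
   only if TEXT were passed as the format string itself would its "%s"
   legitimately be interpreted, which is exactly what must never be done. */
int check_no_recursive_substitution(char *out, size_t n, const char *text)
{
    int written = snprintf(out, n, "%s", text);
    if (written < 0 || (size_t)written >= n)
        return -1;                          /* error or truncated output */
    return strcmp(out, text) == 0 ? 1 : 0;
}

/* The memcpy workaround from the post, made bounds-safe: copies at most
   N-1 bytes of TEXT into OUT and always NUL-terminates. Returns the number
   of bytes copied (excluding the terminator). */
size_t bounded_copy(char *out, size_t n, const char *text)
{
    size_t len;
    if (n == 0)
        return 0;
    len = strlen(text);
    if (len > n - 1)
        len = n - 1;                        /* truncate instead of overflow */
    memcpy(out, text, len);
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed sample input: a data string that itself contains "%s" */
    const char *text = "value is %s and %d%%";
    char buf[64];

    printf("snprintf check: %d\n", check_no_recursive_substitution(buf, sizeof buf, text));
    printf("snprintf output: %s\n", buf);
    bounded_copy(buf, sizeof buf, text);
    printf("memcpy workaround: %s\n", buf);
    return 0;
}
```

Run it on the affected board and on a current glibc: a result of 1 with an unchanged string is the expected behaviour, and anything else (or a "Killed" message) reproduces the problem.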

This bug is not present on another embedded system I'm using, which has a more recent glibc.
