Created attachment 57846 [details]
It's what I was going to cut-and-paste into your "Details"

Version: unspecified
OS: Linux

I'm running ktorrent-4.0.5.tar.xz and libktorrent-1.0.5-3.tar.xz on a small embedded processor (a SheevaPlug) using ARM Slackware (see ftp://ftp.armedslack.org/armedslack/armedslack-current). It doesn't run more than a couple of hours without a segmentation fault.

Program received signal SIGSEGV, Segmentation fault.
0x41d0866c in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x41d0866c in memcpy () from /lib/libc.so.6
#1  0x00000000 in ?? ()

libktorrent-1.0.5-3/src/download/chunkdownload.cpp::ChunkDownload::piece(const Piece & p, bool & ok) calls updateHash() with a data length of 1..0x4000. Most of the time it's 0x4000, but sometimes it's shorter (at the end of file?). But by the time it gets to libktorrent-1.0.5-3/src/util/sha1hashgen.cpp::SHA1HashGen::update(const Uint8* data, Uint32 len) the data length is always 0x4000. The call to hash->update(ba) eventually calls memcpy(), and sometimes copying from the SRC address runs off the end of the data segment, causing a fault.

Reproducible: Always
Created attachment 57869 [details] test code and logfile showing problems in ChunkDownload::updateHash()
Interesting, this bug was fixed in libktorrent 1.1beta1, but I never quite got to the bottom of this issue. I think however your analysis is not correct, even though you have made me understand the problem completely. The problem is that the Piece parameter of ChunkDownload::piece is incomplete. The Piece should be a piece 16K long, but it is only 0xD bytes. It should be 16K long because piece 0x79 is not the last piece (0x7f would be the last if num is 0x80). This 0xD-byte-long piece is then put into a PieceData object, which is put in the piece_data array. We then call updateHash, which then wrongfully assumes that the PieceData object is the entire piece, but there are only 0xD bytes in it. And this then directly leads to the segmentation fault when the hash is being calculated. What I have fixed in 1.1 is the crash, but the initial problem is still there. A situation like this would lead to the calculated hash not matching the one specified in the torrent, and the chunk would have to be downloaded again. Either ktorrent is requesting a piece with the wrong size, or another peer is sending back a piece of the wrong length in reply to a request of ktorrent. Anyway, a big thanks for looking into this; now I finally understand what is going wrong.
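The failure mode described in the comment above is a received piece that is shorter than the chunk layout says it must be, stored anyway, and later hashed as if it were full. Below is an added example (not libktorrent code; the struct and function names are assumptions) of the length check a chunk handler needs before storing a piece: the piece is accepted only if its length matches the expected length for its index, 16K for every piece except a shorter tail piece, so a later hash pass never reads bytes that were never received. It also reproduces the report's numbers (piece 0x79 of 0x80, 0xD bytes) as constructed input.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model of chunk/piece bookkeeping; not the project's own types.
constexpr uint32_t kPieceLen = 0x4000;   // 16 KiB, the piece size in the report

struct ChunkModel {
    uint32_t chunk_size;                  // total bytes in this chunk
    uint32_t num_pieces() const { return (chunk_size + kPieceLen - 1) / kPieceLen; }
    // Expected length of piece `index`: 16K, except a shorter tail piece
    // when the chunk size is not a multiple of 16K.
    uint32_t expected_len(uint32_t index) const {
        uint32_t last = num_pieces() - 1;
        if (index < last) return kPieceLen;
        uint32_t tail = chunk_size - last * kPieceLen;
        return tail == 0 ? kPieceLen : tail;
    }
};

// Returns true only if the piece is consistent with the chunk layout and
// has been copied into `chunk`. A piece of the wrong length is rejected
// instead of stored, so the later hash pass cannot assume 16K of data
// when only 0xD bytes arrived.
bool accept_piece(const ChunkModel& cm, std::vector<uint8_t>& chunk,
                  uint32_t index, const uint8_t* data, uint32_t len) {
    if (index >= cm.num_pieces()) return false;          // index out of range
    if (len != cm.expected_len(index)) return false;     // short or long piece
    uint64_t off = uint64_t(index) * kPieceLen;
    if (off + len > chunk.size()) return false;          // would overrun buffer
    std::memcpy(chunk.data() + off, data, len);
    return true;
}

// Scenario from the report: chunk of 0x80 pieces, peer returns 0xD bytes
// for piece 0x79, which is not the last piece. Must be rejected.
bool report_scenario_rejected() {
    ChunkModel cm{0x80 * kPieceLen};
    std::vector<uint8_t> chunk(cm.chunk_size);
    std::vector<uint8_t> truncated(0xD, 0xAA);            // constructed sample
    return !accept_piece(cm, chunk, 0x79, truncated.data(), truncated.size());
}
```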
Git commit b3cf06c2eb97303c746aed0759f930691002cee0 by Joris.
Committed on 13/03/2011 at 11:07.
Pushed by guisson into branch 'master'.

Fix root cause of SHA1HashGen crashes in 1.0 series

BUG: 268162

M  +1    -0    ChangeLog
M  +2    -1    src/download/chunkdownload.cpp

http://commits.kde.org/libktorrent/b3cf06c2eb97303c746aed0759f930691002cee0
Git commit 904864fe28fa4ad859d527f1b672444a2bb93fa4 by Joris.
Committed on 13/03/2011 at 11:07.
Pushed by guisson into branch '1.1'.

Fix root cause of SHA1HashGen crashes in 1.0 series

CCBUG: 268162

M  +1    -0    ChangeLog
M  +2    -1    src/download/chunkdownload.cpp

http://commits.kde.org/libktorrent/904864fe28fa4ad859d527f1b672444a2bb93fa4
*** Bug 270081 has been marked as a duplicate of this bug. ***
*** Bug 270234 has been marked as a duplicate of this bug. ***
*** Bug 270513 has been marked as a duplicate of this bug. ***
*** Bug 271116 has been marked as a duplicate of this bug. ***
*** Bug 272937 has been marked as a duplicate of this bug. ***
*** Bug 273240 has been marked as a duplicate of this bug. ***
*** Bug 273789 has been marked as a duplicate of this bug. ***
*** Bug 274114 has been marked as a duplicate of this bug. ***
*** Bug 274211 has been marked as a duplicate of this bug. ***
*** Bug 274602 has been marked as a duplicate of this bug. ***
*** Bug 275380 has been marked as a duplicate of this bug. ***
*** Bug 275847 has been marked as a duplicate of this bug. ***
*** Bug 276297 has been marked as a duplicate of this bug. ***
*** Bug 277490 has been marked as a duplicate of this bug. ***
*** Bug 277331 has been marked as a duplicate of this bug. ***
*** Bug 278416 has been marked as a duplicate of this bug. ***
*** Bug 278911 has been marked as a duplicate of this bug. ***
*** Bug 278888 has been marked as a duplicate of this bug. ***
*** Bug 280281 has been marked as a duplicate of this bug. ***
*** Bug 280358 has been marked as a duplicate of this bug. ***
*** Bug 280472 has been marked as a duplicate of this bug. ***
*** Bug 280684 has been marked as a duplicate of this bug. ***
*** Bug 280675 has been marked as a duplicate of this bug. ***
*** Bug 280660 has been marked as a duplicate of this bug. ***
*** Bug 280597 has been marked as a duplicate of this bug. ***
*** Bug 280900 has been marked as a duplicate of this bug. ***
*** Bug 280803 has been marked as a duplicate of this bug. ***
*** Bug 282220 has been marked as a duplicate of this bug. ***
*** Bug 283406 has been marked as a duplicate of this bug. ***
*** Bug 288119 has been marked as a duplicate of this bug. ***
*** Bug 297647 has been marked as a duplicate of this bug. ***
*** Bug 297790 has been marked as a duplicate of this bug. ***
*** Bug 300906 has been marked as a duplicate of this bug. ***