Bug#973052: unbound unaccountably crashes inside libevent (Assertion nread >= 0 failed in evmap_io_del_)

Tue, 27 Oct 2020 09:03:27 -0700 

Package: unbound
Version: 1.9.0-2
Control: forwarded -1 https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4227
Control: tags -1 + patch

On a debian buster amd64 system running unbound 1.9.0-2, i see unbound
crash with the following error:

    unbound[193]: [err] evmap.c:381: Assertion nread >= 0 failed in 
evmap_io_del_

This appears similar to a bug reported upstream at:

    https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4227

where the error message is reported as:

    vmap.c:367: Assertion nread >= 0 failed in evmap_io_del

The error message i saw is not exactly the same as the one in the
upstream bug, since it's in evmap.c:381, and not vmap.c:367 and
evmap_io_del_ instead of evmap_io_del (no underscore) -- but this could
be due either to an error in the upstream bug report (copied one
character too few at the beginning and end of the error message), and/or
due to a different version of libevent, which is where the evmap_io_del_
function is defined in debian (and contains "EVUTIL_ASSERT(nread >=
0);").

The upstream patch from the bugtracker looks something like the attached
patch, which appears to already be present in 1.9.3, but isn't in 1.9.0
in buster.

I can't confirm that this resolves the problem, because i only saw the
problem once so far, but it seems plausible that we might want to apply
it out of precaution.

        --dkg


--- a/services/listen_dnsport.c	(revision 5121)
+++ b/services/listen_dnsport.c	(working copy)
@@ -1636,10 +1636,12 @@
 	
 	if(wr) {
 		req->cp->tcp_is_reading = 0;
+		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
 			req->cp->tcp_timeout_msec);
 	} else if(rd) {
 		req->cp->tcp_is_reading = 1;
+		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
 			req->cp->tcp_timeout_msec);
 		/* and also read it (from SSL stack buffers), so
@@ -1647,6 +1649,7 @@
 		 * the TLS frame is sitting in the buffers. */
 		req->read_again = 1;
 	} else {
+		comm_point_stop_listening(req->cp);
 		comm_point_start_listening(req->cp, -1,
 			req->cp->tcp_timeout_msec);
 		comm_point_listen_for_rw(req->cp, 0, 0);
@@ -1759,6 +1762,7 @@
 		 * clear to write to */
 	send_it:
 		c->tcp_is_reading = 0;
+		comm_point_stop_listening(c);
 		comm_point_start_listening(c, -1, c->tcp_timeout_msec);
 		return;
 	}
Index: util/netevent.c
===================================================================
--- a/util/netevent.c	(revision 5121)
+++ b/util/netevent.c	(working copy)
@@ -989,10 +989,10 @@
 		c->tcp_is_reading = 1;
 	c->tcp_byte_count = 0;
 	/* switch from listening(write) to listening(read) */
-	comm_point_stop_listening(c);
 	if(c->tcp_req_info) {
 		tcp_req_info_handle_writedone(c->tcp_req_info);
 	} else {
+		comm_point_stop_listening(c);
 		comm_point_start_listening(c, -1, -1);
 	}
 }
@@ -1006,11 +1006,11 @@
 	if(c->tcp_do_toggle_rw)
 		c->tcp_is_reading = 0;
 	c->tcp_byte_count = 0;
-	if(c->type == comm_tcp)
-		comm_point_stop_listening(c);
 	if(c->tcp_req_info) {
 		tcp_req_info_handle_readdone(c->tcp_req_info);
 	} else {
+		if(c->type == comm_tcp)
+			comm_point_stop_listening(c);
 		fptr_ok(fptr_whitelist_comm_point(c->callback));
 		if( (*c->callback)(c, c->cb_arg, NETEVENT_NOERROR, &c->repinfo) ) {
 			comm_point_start_listening(c, -1, c->tcp_timeout_msec);

Attachment: signature.asc
Description: PGP signature

Reply via email to