silc-client-1.1.4 memory corruption

Skywing Skywing at valhallalegends.com
Fri Apr 4 17:30:45 CEST 2008


This is the same problem I've been having (reported earlier).  There seems to be a double dereference of a client object on an unexpected server disconnect which leads to heap corruption earlier, or at least, that's what my current line of investigation shows.  Was in the middle of writing up a fix for it, but haven't had a chance to finish it yet.

- S

-----Original Message-----
From: silc-devel-bounces at lists.silcnet.org [mailto:silc-devel-bounces at lists.silcnet.org] On Behalf Of Sami Farin
Sent: Friday, April 04, 2008 11:29 AM
To: SILC-devel Mailing List
Subject: silc-client-1.1.4 memory corruption

x86_64 arch, Linux 2.6.24.4, glibc-2.7.90-7 (Fedora).

Frame 3 shows items=47009695160704 but that is obviously wrong.

segfaulted at 0x00002ac14bff4171

#0  0x00002ac14bff4171 in malloc_consolidate () from /lib64/libc.so.6
#1  0x00002ac14bff6401 in _int_malloc () from /lib64/libc.so.6
#2  0x00002ac14bff804f in calloc () from /lib64/libc.so.6
#3  0x000055555563f789 in silc_calloc (items=47009695160704, size=1096) at silcmemory.c:47
#4  0x0000555555610878 in silc_client_add_client (client=0x555555a77940, conn=0x555555b361a0,
    nickname=0x555555ba7f40 "e", username=0x555555b70610 "", userinfo=0x0, id=0x555555bb6ab0,
    mode=0) at client_entry.c:789
#5  0x0000555555610bc6 in silc_client_get_client (client=0x555555a77940, conn=0x555555b361a0,
    client_id=0x7fff52151100) at client_entry.c:1045
#6  0x0000555555618183 in silc_client_notify_join (fsm=0x555555b4b4e0,
    fsm_context=0x555555b361a0, state_context=0x555555bdf350) at client_notify.c:391
#7  0x000055555564e5c6 in silc_fsm_run (schedule=<value optimized out>,
    app_context=<value optimized out>, type=<value optimized out>, fd=1438058000, context=0x0)
    at silcfsm.c:429
#8  0x0000555555609149 in silc_client_packet_receive (engine=<value optimized out>,
    stream=<value optimized out>, packet=0x555555b171a0,
    callback_context=<value optimized out>, stream_context=<value optimized out>)
    at client.c:120
#9  0x000055555563553d in silc_packet_dispatch (packet=0x555555b171a0) at silcpacket.c:2006
#10 0x00005555556399cc in silc_packet_read_process (stream=0x555555b369e0)
    at silcpacket.c:2317
#11 0x000055555563a374 in silc_packet_stream_io (stream=<value optimized out>,
    status=<value optimized out>, context=<value optimized out>) at silcpacket.c:438
#12 0x0000555555642568 in silc_schedule_dispatch_fd (schedule=0x555555b2e820)
    at silcschedule.c:61
#13 0x00005555556433d5 in silc_schedule_iterate (schedule=0x555555b2e820, timeout_usecs=0)
    at silcschedule.c:455
#14 0x0000555555643512 in silc_schedule_one (schedule=0x555555b2e820, timeout_usecs=0)
    at silcschedule.c:484
#15 0x00005555555c9823 in my_silc_scheduler_fd (source=<value optimized out>, condition=1096,
    data=0x555555ba7f40) at silc-core.c:91
#16 0x00002ac14bab1373 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#17 0x00002ac14bab4bad in g_main_context_iterate () from /lib64/libglib-2.0.so.0
#18 0x00002ac14bab4d5c in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#19 0x00005555555a43bc in main (argc=2, argv=0x7fff52151978) at silc.c:376

(gdb) x 47009695160704
0x2ac14c2e5980 <main_arena>:    0x00000001



Running silc with valgrind results into this:

==1869== Process terminating with default action of signal 4 (SIGILL)
==1869==  Illegal opcode at address 0xFE5D5
==1869==    at 0xFE5D5: silc_atomic_add_int8 (silcatomic.h:793)
==1869==    by 0xFED8E: silc_packet_stream_ref (silcpacket.c:1155)
==1869==    by 0xFE893: silc_packet_stream_link_va (silcpacket.c:1073)
==1869==    by 0xFEBD4: silc_packet_stream_link (silcpacket.c:1089)
==1869==    by 0x14B4A9: silc_ske_initiator (silcske.c:1842)
==1869==    by 0xD6C6B: silc_client_st_connect_key_exchange (client_connect.c:516)
==1869==    by 0x10BB23: silc_fsm_run (silcfsm.c:429)
==1869==    by 0x10B6D6: silc_fsm_start_sync (silcfsm.c:249)
==1869==    by 0xCAA5D: silc_client_connection_st_run (client.c:268)
==1869==    by 0x10BB23: silc_fsm_run (silcfsm.c:429)
==1869==    by 0x10B8B9: silc_fsm_continue_sync (silcfsm.c:309)
==1869==    by 0x10C509: silc_fsm_signal (silcfsm.c:689)
==1869==

Now running under gdb, silc compiled with -O0 -ggdb3 .
