silc-client-1.1.4 memory corruption

Sami Farin safari-silc at safari.iki.fi
Fri Apr 4 18:21:04 CEST 2008


On Fri, Apr 04, 2008 at 10:30:45 -0500, Skywing wrote:
> This is the same problem I've been having (reported earlier).  There

I noticed it.

> seems to be a double dereference of a client object on an unexpected
> server disconnect which leads to heap corruption earlier, or at least,
> that's what my current line of investigation shows.  Was in the middle
> of writing up a fix for it, but haven't had a chance to finish it yet.

Running under Electric Fence (efence), I got a segfault: the client is reading free()d memory, i.e. a use-after-free.

#0  0x0000555555637dd8 in silc_client_command_call (client=0x2b7484245fc8, 
    conn=0x2b749dac4f70, command_line=0x2b75291f6fe4 "JOIN ipv4 -founder -auth")
    at command.c:495
#1  0x00005555555da4af in silc_queue_command_call (client=0x2b7484245fc8, 
    conn=0x2b749dac4f70, command_line=0x2b75291f6fe4 "JOIN ipv4 -founder -auth")
    at silc-cmdqueue.c:129
#2  0x00005555555d5cd6 in silc_command_exec (server=0x2b749ca40eb0, 
    command=0x5555556db768 "JOIN", args=0x2b75291f4fe0 "ipv4 -founder -auth")
    at silc-servers.c:607
#3  0x00005555555e681e in silc_channels_join (server=0x2b749ca40eb0, 
    channels=0x2b75291e6fec "ipv4 -founder -auth", automatic=0) at silc-channels.c:142
#4  0x0000555555608a40 in cmd_join (data=0x2b75289cafe9 "ipv4 -founder -auth", 
    server=0x2b749ca40eb0) at chat-commands.c:345
#5  0x0000555555605698 in signal_emit_real (rec=0x2b748401bfe0, params=3, va=0x7fff1525ed80, 
    first_hook=0x2b748c0c6fd8) at signals.c:242
#6  0x0000555555605921 in signal_emit (signal=0x2b75289ceff0 "command join", params=3)
    at signals.c:286
#7  0x00005555555ee632 in parse_command (command=0x2b74cee51fe1 "join ipv4 -founder -auth", 
    expand_aliases=1, server=0x2b749ca40eb0, item=0x0) at commands.c:899
#8  0x00005555555ee7bd in event_command (line=0x2b74cee51fe1 "join ipv4 -founder -auth", 
    server=0x2b749ca40eb0, item=0x0) at commands.c:945
#9  0x0000555555605698 in signal_emit_real (rec=0x2b7483726fe0, params=3, va=0x7fff1525f010, 
    first_hook=0x2b748c03ffd8) at signals.c:242
#10 0x0000555555605921 in signal_emit (signal=0x5555556c9c63 "send command", params=3)
    at signals.c:286
#11 0x000055555558e3ed in paste_send () at gui-readline.c:300
#12 0x000055555558e5b0 in paste_flush (send=1) at gui-readline.c:326
#13 0x000055555558e714 in paste_timeout (data=0x0) at gui-readline.c:364
#14 0x00002b747bacfb5d in g_timeout_dispatch () from /lib64/libglib-2.0.so.0
#15 0x00002b747bacf373 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#16 0x00002b747bad2bad in g_main_context_iterate () from /lib64/libglib-2.0.so.0
#17 0x00002b747bad2d5c in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#18 0x00005555555a6651 in main (argc=1, argv=0x7fff1525f478) at silc.c:376

(gdb) p argc
$13 = 4
(gdb) p *cmd
$15 = {next = 0x0, conn = 0x0, thread = {next = 0x0, fsm_context = 0x0, schedule = 0x0, 
    event = 0x0, next_state = 0, state_context = 0x0, destructor = 0, 
    destructor_context = 0x0, u = {m = {threads = {value = 0}, lock = 0x0}, t = {fsm = 0x0, 
        event = 0x0}}, thread = 0, real_thread = 0, async_call = 0, finished = 0, 
    event_timedout = 0, synchronous = 0, next_later = 0, started = 0}, cmd = 0 '\0', 
  cmd_ident = 0, argc = 0, argv = 0x0, argv_lens = 0x0, argv_types = 0x0, reply_callbacks = {
    head = 0x0, tail = 0x0, current = 0x0, next_offset = 0, prev_offset = 0, prev_set = 0, 
    end_set = 0, count = 0}, status = 0 '\0', error = 0 '\0', context = 0x0, called = 0, 
  verbose = 0, resolved = 0}
(gdb) p cmd
$16 = (SilcClientCommandContext) 0x2b7529216f40
rax            0x2b7529216f40   47782201225024
rbx            0x2b75291eafec   47782201044972
rcx            0x1      1
rdx            0x1      1
rsi            0x1      1
rdi            0x2b747a5ce3c0   47779269108672
rbp            0x7fff1525ea40   0x7fff1525ea40
rsp            0x7fff1525e8e0   0x7fff1525e8e0
r8             0x2b75291f8000   47782201098240
r9             0x0      0
r10            0x2000   8192
r11            0x246    582
r12            0x2b74cee3af88   47780687228808
r13            0x2b747bd759b0   47779293911472
r14            0x1      1
r15            0x0      0
rip            0x555555637dd8   0x555555637dd8 <silc_client_command_call+1669>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
...snip...

# grep ^2b75291f /proc/3654/maps
2b75291f4000-2b75291f5000 rw-p 2b75291f4000 00:00 0 
2b75291f5000-2b75291f6000 ---p 2b75291f5000 00:00 0 
2b75291f6000-2b75291f7000 rw-p 2b75291f6000 00:00 0 
2b75291f7000-2b7529232000 ---p 2b75291f7000 00:00 0 <=== free()d -- I used EF_PROTECT_FREE=1, so Electric Fence leaves freed pages mapped but inaccessible (---p); the cmd pointer printed above (0x2b7529216f40) lies inside this range, which is why the access at command.c:495 faults: the SilcClientCommandContext has already been freed when silc_client_command_call touches it.

-- 

