
Re: Crash in sftp_readdir (git) - SOLVED


Hi,

Oh, after checking all mallocs it turned out to be an easy fix. :)
Please see the patch.

Vic

On Sun, 2009-10-11 at 14:09 +0800, Vic Lee wrote:
> Hi,
> 
> Actually samplessh also crashes with the same behavior. Please see my
> session:
> 
> vic@vic-eeepc:~/git/libssh/build$ 
> vic@vic-eeepc:~/git/libssh/build$ ln -s ./samplessh ./sftp
> vic@vic-eeepc:~/git/libssh/build$ ./sftp -l "Vic Lee" -r 192.168.0.1
> supported auth methods: publickey, keyboard-interactive
> Additional SFTP extensions provided by the server:
> 	posix-rename@xxxxxxxxxxx, version: 1
> 	statvfs@xxxxxxxxxxx, version: 2
> 	fstatvfs@xxxxxxxxxxx, version: 2
> *** glibc detected *** ./sftp: free(): invalid next size (fast):
> 0x08594690 ***
> ======= Backtrace: =========
> /lib/i686/cmov/libc.so.6[0xb7e678f4]
> /lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7e69896]
> /home/vic/git/libssh/build/libssh/libssh.so.4[0xb8060456]
> /home/vic/git/libssh/build/libssh/libssh.so.4(sftp_symlink
> +0x2d9)[0xb80640e3]
> ./sftp(do_sftp+0x1b5)[0x804ad43]
> ./sftp(main+0x7cc)[0x804c18e]
> /lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e0f7a5]
> ./sftp[0x8049ff1]
> ======= Memory map: ========
> 08048000-0804d000 r-xp 00000000 08:11
> 231033     /home/vic/git/libssh/build/samplessh
> 0804d000-0804e000 rw-p 00005000 08:11
> 231033     /home/vic/git/libssh/build/samplessh
> 0858e000-085af000 rw-p 00000000 00:00 0          [heap]
> b7c00000-b7c21000 rw-p 00000000 00:00 0 
> b7c21000-b7d00000 ---p 00000000 00:00 0 
> b7d7d000-b7da7000 r-xp 00000000 08:01 54101      /lib/libgcc_s.so.1
> b7da7000-b7da8000 rw-p 00029000 08:01 54101      /lib/libgcc_s.so.1
> b7dba000-b7dc4000 r-xp 00000000 08:01
> 25124      /lib/i686/cmov/libnss_files-2.9.so
> b7dc4000-b7dc5000 r--p 00009000 08:01
> 25124      /lib/i686/cmov/libnss_files-2.9.so
> b7dc5000-b7dc6000 rw-p 0000a000 08:01
> 25124      /lib/i686/cmov/libnss_files-2.9.so
> b7dc6000-b7dcf000 r-xp 00000000 08:01
> 25136      /lib/i686/cmov/libnss_nis-2.9.so
> b7dcf000-b7dd0000 r--p 00008000 08:01
> 25136      /lib/i686/cmov/libnss_nis-2.9.so
> b7dd0000-b7dd1000 rw-p 00009000 08:01
> 25136      /lib/i686/cmov/libnss_nis-2.9.so
> b7dd1000-b7dd8000 r-xp 00000000 08:01
> 25116      /lib/i686/cmov/libnss_compat-2.9.so
> b7dd8000-b7dd9000 r--p 00006000 08:01
> 25116      /lib/i686/cmov/libnss_compat-2.9.so
> b7dd9000-b7dda000 rw-p 00007000 08:01
> 25116      /lib/i686/cmov/libnss_compat-2.9.so
> b7dda000-b7ddb000 rw-p 00000000 00:00 0 
> b7ddb000-b7dde000 r-xp 00000000 08:01
> 181030     /usr/lib/libgpg-error.so.0.4.0
> b7dde000-b7ddf000 rw-p 00002000 08:01
> 181030     /usr/lib/libgpg-error.so.0.4.0
> b7ddf000-b7df4000 r-xp 00000000 08:01
> 25140      /lib/i686/cmov/libpthread-2.9.so
> b7df4000-b7df5000 r--p 00014000 08:01
> 25140      /lib/i686/cmov/libpthread-2.9.so
> b7df5000-b7df6000 rw-p 00015000 08:01
> 25140      /lib/i686/cmov/libpthread-2.9.so
> b7df6000-b7df9000 rw-p 00000000 00:00 0 
> b7df9000-b7f51000 r-xp 00000000 08:01
> 25104      /lib/i686/cmov/libc-2.9.so
> b7f51000-b7f52000 ---p 00158000 08:01
> 25104      /lib/i686/cmov/libc-2.9.so
> b7f52000-b7f54000 r--p 00158000 08:01
> 25104      /lib/i686/cmov/libc-2.9.so
> b7f54000-b7f55000 rw-p 0015a000 08:01
> 25104      /lib/i686/cmov/libc-2.9.so
> b7f55000-b7f58000 rw-p 00000000 00:00 0 
> b7f58000-b7fca000 r-xp 00000000 08:01
> 185475     /usr/lib/libgcrypt.so.11.5.2
> b7fca000-b7fcd000 rw-p 00072000 08:01
> 185475     /usr/lib/libgcrypt.so.11.5.2
> b7fcd000-b7fe1000 r-xp 00000000 08:01
> 181408     /usr/lib/libz.so.1.2.3.3
> b7fe1000-b7fe2000 rw-p 00013000 08:01
> 181408     /usr/lib/libz.so.1.2.3.3
> b7fe2000-b7fe9000 r-xp 00000000 08:01
> 25134      /lib/i686/cmov/librt-2.9.so
> b7fe9000-b7fea000 r--p 00006000 08:01
> 25134      /lib/i686/cmov/librt-2.9.so
> b7fea000-b7feb000 rw-p 00007000 08:01
> 25134      /lib/i686/cmov/librt-2.9.so
> b7feb000-b7ffd000 r-xp 00000000 08:01
> 24592      /lib/i686/cmov/libresolv-2.9.so
> b7ffd000-b7ffe000 r--p 00011000 08:01
> 24592      /lib/i686/cmov/libresolv-2.9.so
> b7ffe000-b7fff000 rw-p 00012000 08:01
> 24592      /lib/i686/cmov/libresolv-2.9.so
> b7fff000-b8002000 rw-p 00000000 00:00 0 
> b8002000-b8017000 r-xp 00000000 08:01
> 25128      /lib/i686/cmov/libnsl-2.9.so
> b8017000-b8018000 r--p 00014000 08:01
> 25128      /lib/i686/cmov/libnsl-2.9.so
> b8018000-b8019000 rw-p 00015000 08:01
> 25128      /lib/i686/cmov/libnsl-2.9.so
> b8019000-b801b000 rw-p 00000000 00:00 0 
> b8028000-b8029000 rw-p 00000000 00:00 0 
> b8029000-b802d000 rw-p 00000000 00:00 0 
> b802d000-b806d000 r-xp 00000000 08:11
> 231080     /home/vic/git/libssh/build/libssh/libssh.so.4.0.0
> b806d000-b806e000 rw-p 00040000 08:11
> 231080     /home/vic/git/libssh/build/libssh/libssh.so.4.0.0
> b806e000-b8073000 rw-p 00000000 00:00 0 
> b8073000-b8074000 r-xp 00000000 00:00 0          [vdso]
> b8074000-b8090000 r-xp 00000000 08:01 18892      /lib/ld-2.9.so
> b8090000-b8091000 r--p 0001b000 08:01 18892      /lib/ld-2.9.so
> b8091000-b8092000 rw-p 0001c000 08:01 18892      /lib/ld-2.9.so
> bfb05000-bfb1a000 rw-p 00000000 00:00 0          [stack]
> Aborted
> vic@vic-eeepc:~/git/libssh/build$ 
> 
> Thanks,
> Vic
> 
> On Sun, 2009-10-11 at 08:03 +0800, Vic Lee wrote:
> > Hi,
> > 
> > I encountered a permanent crash when calling sftp_readdir with the latest
> > git version. I am not quite sure how to fix it this time. This is what I
> > got in gdb, please help:
> > 
> > #0  0xb8080424 in __kernel_vsyscall ()
> > (gdb) up
> > #1  0xb75a23d0 in *__GI_raise (sig=6)
> >     at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> > 64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> > 	in ../nptl/sysdeps/unix/sysv/linux/raise.c
> > (gdb) 
> > #2  0xb75a5a85 in *__GI_abort () at abort.c:88
> > 88	abort.c: No such file or directory.
> > 	in abort.c
> > (gdb) 
> > #3  0xb75db2ed in __libc_message (do_abort=2, 
> >     fmt=0xb76b8328 "*** glibc detected *** %s: %s: 0x%s ***\n")
> >     at ../sysdeps/unix/sysv/linux/libc_fatal.c:173
> > 173	../sysdeps/unix/sysv/linux/libc_fatal.c: No such file or directory.
> > 	in ../sysdeps/unix/sysv/linux/libc_fatal.c
> > (gdb) 
> > #4  0xb75e58f4 in malloc_printerr (action=2, 
> >     str=0xb76b8374 "free(): invalid next size (fast)", ptr=0x853c9c8)
> >     at malloc.c:5994
> > 5994	malloc.c: No such file or directory.
> > 	in malloc.c
> > (gdb) 
> > #5  0xb75e7896 in *__GI___libc_free (mem=0x853c9c8) at malloc.c:3625
> > 3625	in malloc.c
> > (gdb) 
> > #6  0xb773f456 in status_msg_free (status=0x853c9c8)
> >     at /home/vic/git/libssh/libssh/sftp.c:774
> > 774	  SAFE_FREE(status);
> > (gdb) 
> > #7  0xb7740738 in sftp_readdir (sftp=0x8520b28, dir=0x8527990)
> >     at /home/vic/git/libssh/libssh/sftp.c:1323
> > 1323	            status_msg_free(status);
> > (gdb) 
> > #8  0x08075388 in remmina_sftp_window_on_opendir (window=0x8548820, 
> >     dir=0x807b1b6 ".", data=0x0) at remminasftpwindow.c:598
> > 598	    while ((sftpattr = sftp_readdir (window->sftp->sftp_sess,
> > sftpdir)))
> > (gdb) 
> > 
> > Vic
> > 
> > 
> > 
> 
> 
> 
From c10f834b94f32ed10aa7eb86ce0f31b3c79208fc Mon Sep 17 00:00:00 2001
From: Vic Lee <llyzs@xxxxxxx>
Date: Sun, 11 Oct 2009 14:44:40 +0800
Subject: [PATCH] Fix a memory corruption in parse_status_msg


Signed-off-by: Vic Lee <llyzs@xxxxxxx>
---
 libssh/sftp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libssh/sftp.c b/libssh/sftp.c
index cdeb9e2..46bcce3 100644
--- a/libssh/sftp.c
+++ b/libssh/sftp.c
@@ -733,7 +733,7 @@ static sftp_status_message parse_status_msg(sftp_message msg){
     return NULL;
   }
 
-  status = malloc(sizeof(struct sftp_message_struct));
+  status = malloc(sizeof(struct sftp_status_message_struct));
   if (status == NULL) {
     return NULL;
   }
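Review bot: the one-word fix is correct but keeps the pattern that let the bug in, since `sizeof(struct sftp_status_message_struct)` is still spelled independently of the pointer it is assigned to. Prefer `status = calloc(1, sizeof(*status));` so the size follows the variable's type and cannot drift again, and so every member starts zeroed; if any error path between this allocation and the end of parse_status_msg() hands a partially filled struct to status_msg_free(), zeroed pointer members are harmless to free. For the record, the old line allocated sizeof(struct sftp_message_struct) bytes and then filled in the larger status struct, writing past the block into the next chunk's header, which is what glibc reported as "free(): invalid next size (fast)" in the quoted trace.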
-- 
1.6.3.3
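As an added example that is not libssh's code: the bug class behind this patch, a block sized with sizeof() of the wrong struct and then filled in as the larger struct, reproduced inside a private arena so the real heap is not damaged, beside the allocation idiom that cannot drift. The two struct layouts, the CANARY value and the function names are hypothetical stand-ins, not libssh identifiers.

```c
/* Added example, not libssh's code: reproduces the bug class in the patch
 * above (a block sized with sizeof() of the wrong struct, then filled in as
 * the larger struct) inside a private buffer so the real heap is not
 * corrupted, and shows the allocation idiom that cannot drift. The two
 * struct layouts are hypothetical stand-ins for libssh's
 * sftp_message_struct and sftp_status_message_struct. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical "small" type: what the buggy line sized the block for. */
struct small_msg {
    uint8_t  type;
    uint32_t id;
};

/* Hypothetical "large" type: what the code then wrote through the pointer. */
struct status_msg {
    uint32_t id;
    uint32_t status;
    char    *error;
    char    *lang;
    char    *errormsg;
    char    *langmsg;
};

/* How many bytes of struct status_msg lie beyond a block sized for
 * struct small_msg. Every one of them lands in whatever follows the block,
 * which on glibc is the next chunk's size header. */
size_t overflow_bytes(void)
{
    return sizeof(struct status_msg) > sizeof(struct small_msg)
         ? sizeof(struct status_msg) - sizeof(struct small_msg)
         : 0;
}

#define CANARY 0xA5

/* Buggy pattern, run in a private arena: the first sizeof(struct small_msg)
 * bytes are "the block", the rest is canary standing in for the neighbouring
 * chunk. Returns how many canary bytes the stores through the wrong type
 * clobbered (expected: overflow_bytes()). */
size_t clobbered_by_undersized_alloc(void)
{
    const size_t block = sizeof(struct small_msg);
    const size_t arena_len = block + sizeof(struct status_msg) + 16;
    uint8_t *arena = malloc(arena_len);
    if (arena == NULL)
        return 0;
    memset(arena, CANARY, arena_len);

    /* Same shape as the old libssh line: a status_msg pointer to a block
     * that was only ever sized for small_msg. */
    struct status_msg *status = (struct status_msg *)arena;
    status->id = 1;
    status->status = 4;
    status->error = NULL;
    status->lang = NULL;
    status->errormsg = NULL;
    status->langmsg = NULL;

    size_t hits = 0;
    for (size_t i = block; i < arena_len; i++)
        if (arena[i] != CANARY)
            hits++;
    free(arena);
    return hits;
}

/* Fixed pattern: the size is taken from the object the pointer points to,
 * so it can never disagree with the pointer's type, and calloc leaves every
 * member zeroed, so a struct handed to a free routine on an early error
 * path carries NULL pointers rather than garbage. */
struct status_msg *status_msg_new(void)
{
    struct status_msg *status = calloc(1, sizeof(*status));
    return status;
}

/* True if every member of s is zero/NULL, i.e. safe to hand to a free routine. */
int status_msg_is_zeroed(const struct status_msg *s)
{
    return s != NULL && s->id == 0 && s->status == 0 &&
           s->error == NULL && s->lang == NULL &&
           s->errormsg == NULL && s->langmsg == NULL;
}

int main(void)
{
    printf("bytes written past the undersized block: %zu\n", overflow_bytes());
    printf("canary bytes clobbered in the arena:     %zu\n",
           clobbered_by_undersized_alloc());
    struct status_msg *s = status_msg_new();
    printf("calloc'd struct fully zeroed: %s\n",
           status_msg_is_zeroed(s) ? "yes" : "no");
    free(s);
    return 0;
}
```

In the real program the overflowed bytes hit glibc's chunk header, so the damage only surfaced at a later free() inside status_msg_free rather than at the offending store; building with -fsanitize=address reports the out-of-bounds write at the exact line instead.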


Follow-Ups:
Re: Crash in sftp_readdir (git) - SOLVED, Andreas Schneider <mail@xxxxxxxxxxxx>
Re: Crash in sftp_readdir (git) - SOLVED, Aris Adamantiadis <aris@xxxxxxxxxxxx>
References:
Crash in sftp_readdir (git), Vic Lee <llyzs@xxxxxxx>
Re: Crash in sftp_readdir (git), Vic Lee <llyzs@xxxxxxx>