View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0002336 | GNUnet | transport service | public | 2012-05-10 00:02 | 2024-05-03 13:58 |
| Reporter | Christian Grothoff | Assigned To | Matthias Wachs | ||
| Priority | urgent | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Product Version | Git master | ||||
| Target Version | 0.9.3 | Fixed in Version | 0.9.3 | ||
| Summary | 0002336: UDP use-after-free on disconnect neighbour | ||||
| Description | From gnunet9@gnunet.org: =15332== Invalid write of size 8 ==15332== at 0x9E48433: process_inbound_tokenized_messages (plugin_transport_udp.c:1235) ==15332== by 0x526FC7E: GNUNET_SERVER_mst_receive (server_mst.c:264) ==15332== by 0x9E4A384: process_udp_message (plugin_transport_udp.c:1307) ==15332== by 0x9E4AA91: udp_select_read (plugin_transport_udp.c:1458) ==15332== by 0x9E4BBBB: udp_plugin_select (plugin_transport_udp.c:1845) ==15332== by 0x526D0FF: GNUNET_SCHEDULER_run (scheduler.c:602) ==15332== by 0x5275E78: GNUNET_SERVICE_run (service.c:1773) ==15332== by 0x404228: main (gnunet-service-transport.c:637) ==15332== Address 0x69e8c70 is 80 bytes inside a block of size 136 free'd ==15332== at 0x4028AAE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==15332== by 0x9E480C5: disconnect_and_free_it (plugin_transport_udp.c:685) ==15332== by 0x5253AAC: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:485) ==15332== by 0x409ACC: disconnect_neighbour (gnunet-service-transport_neighbours.c:944) ==15332== by 0x40C7EB: GST_neighbours_handle_disconnect_message (gnunet-service-transport_neighbours.c:2402) ==15332== by 0x40406F: plugin_env_receive_callback (gnunet-service-transport.c:266) ==15332== by 0x9E4842E: process_inbound_tokenized_messages (plugin_transport_udp.c:1228) ==15332== by 0x526FC7E: GNUNET_SERVER_mst_receive (server_mst.c:264) ==15332== by 0x9E4A384: process_udp_message (plugin_transport_udp.c:1307) ==15332== by 0x9E4AA91: udp_select_read (plugin_transport_udp.c:1458) ==15332== by 0x9E4BBBB: udp_plugin_select (plugin_transport_udp.c:1845) ==15332== by 0x526D0FF: GNUNET_SCHEDULER_run (scheduler.c:602) ==15332== | ||||
| Additional Information | Looks to me like the "disconnect_neighbour" call needs to be moved into a new task to avoid conflicting with the on-stack MST. | ||||
| Tags | No tags attached. | ||||
|
|
Just in case, this one is still present in SVN 21400: ==29417== Invalid write of size 8 ==29417== at 0x9E48433: process_inbound_tokenized_messages (plugin_transport_udp.c:1235) ==29417== by 0x526FE8E: GNUNET_SERVER_mst_receive (server_mst.c:264) ==29417== by 0x9E4A384: process_udp_message (plugin_transport_udp.c:1307) ==29417== by 0x9E4AA91: udp_select_read (plugin_transport_udp.c:1458) ==29417== by 0x9E4BBBB: udp_plugin_select (plugin_transport_udp.c:1845) ==29417== by 0x526D0FF: GNUNET_SCHEDULER_run (scheduler.c:602) ==29417== by 0x5276088: GNUNET_SERVICE_run (service.c:1773) ==29417== by 0x404228: main (gnunet-service-transport.c:637) ==29417== Address 0xa535af0 is 80 bytes inside a block of size 136 free'd ==29417== at 0x4028AAE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==29417== by 0x9E480C5: disconnect_and_free_it (plugin_transport_udp.c:685) ==29417== by 0x5253AAC: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:485) ==29417== by 0x409ACC: disconnect_neighbour (gnunet-service-transport_neighbours.c:944) ==29417== by 0x40C7EB: GST_neighbours_handle_disconnect_message (gnunet-service-transport_neighbours.c:2402) ==29417== by 0x40406F: plugin_env_receive_callback (gnunet-service-transport.c:266) ==29417== by 0x9E4842E: process_inbound_tokenized_messages (plugin_transport_udp.c:1228) ==29417== by 0x526FE8E: GNUNET_SERVER_mst_receive (server_mst.c:264) ==29417== by 0x9E4A384: process_udp_message (plugin_transport_udp.c:1307) ==29417== by 0x9E4AA91: udp_select_read (plugin_transport_udp.c:1458) ==29417== by 0x9E4BBBB: udp_plugin_select (plugin_transport_udp.c:1845) ==29417== by 0x526D0FF: GNUNET_SCHEDULER_run (scheduler.c:602) = |
|
|
fixed in 21401. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-05-10 00:02 | Christian Grothoff | New Issue | |
| 2012-05-10 00:02 | Christian Grothoff | Status | new => assigned |
| 2012-05-10 00:02 | Christian Grothoff | Assigned To | => Matthias Wachs |
| 2012-05-10 00:27 | Christian Grothoff | Note Added: 0005847 | |
| 2012-05-10 10:41 | Matthias Wachs | Note Added: 0005851 | |
| 2012-05-10 10:42 | Matthias Wachs | Status | assigned => resolved |
| 2012-05-10 10:42 | Matthias Wachs | Resolution | open => fixed |
| 2012-05-10 10:56 | Christian Grothoff | Fixed in Version | => 0.9.3 |
| 2012-06-02 19:15 | Christian Grothoff | Status | resolved => closed |
| 2024-05-03 13:58 | Christian Grothoff | Category | UDP transport => transport service |
