View Issue Details

ID: 0002367
Project: GNUnet
Category: transport service
View Status: public
Last Update: 2024-05-03 13:59
Reporter: Matthias Wachs
Assigned To: Matthias Wachs
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: Git master
Target Version: 0.9.3
Fixed in Version: 0.9.3
Summary: 0002367: Use after free setup_neighbour (gnunet-service-transport_neighbours.c:1589)
Description: Revision 21560 on gnunet9@gnunet.org

==17970== Invalid read of size 8
==17970== at 0x40A4C0: setup_neighbour (gnunet-service-transport_neighbours.c:1589)
==17970== by 0x40BBA4: GST_neighbours_handle_connect (gnunet-service-transport_neighbours.c:2056)
==17970== by 0x403F67: plugin_env_receive_callback (gnunet-service-transport.c:260)
==17970== by 0xA258FF6: handle_tcp_data (plugin_transport_tcp.c:1940)
==17970== by 0x526E7B1: GNUNET_SERVER_inject (server.c:891)
==17970== by 0x526F87F: client_message_tokenizer_callback (server.c:1098)
==17970== by 0x5270061: GNUNET_SERVER_mst_receive (server_mst.c:224)
==17970== by 0x526F2C7: process_mst (server.c:961)
==17970== by 0x526F793: process_incoming (server.c:1041)
==17970== by 0x524BEE1: receive_ready (connection.c:1055)
==17970== by 0x526D0FF: GNUNET_SCHEDULER_run (scheduler.c:602)
==17970== by 0x5276088: GNUNET_SERVICE_run (service.c:1773)
==17970== Address 0xc66f3b8 is 312 bytes inside a block of size 424 free'd
==17970== at 0x4028AAE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17970== by 0xA25659C: session_disconnect_it (plugin_transport_tcp.c:1362)
==17970== by 0x5253AAC: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:485)
==17970== by 0xA257A06: tcp_plugin_disconnect (plugin_transport_tcp.c:1389)
==17970== by 0x408CE4: free_neighbour (gnunet-service-transport_neighbours.c:889)
==17970== by 0x40BB9C: GST_neighbours_handle_connect (gnunet-service-transport_neighbours.c:2055)
==17970== by 0x403F67: plugin_env_receive_callback (gnunet-service-transport.c:260)
==17970== by 0xA258FF6: handle_tcp_data (plugin_transport_tcp.c:1940)
==17970== by 0x526E7B1: GNUNET_SERVER_inject (server.c:891)
==17970== by 0x526F87F: client_message_tokenizer_callback (server.c:1098)
==17970== by 0x5270061: GNUNET_SERVER_mst_receive (server_mst.c:224)
==17970== by 0x526F2C7: process_mst (server.c:961)
Tags: No tags attached.

Relationships

has duplicate 0002369 closed Matthias Wachs Use after free in GST_blacklist_test_allowed (gnunet-service-transport_blacklist.c:758)
has duplicate 0002368 closed Matthias Wachs Use after free in GST_neighbours_handle_connect (gnunet-service-transport_neighbours.c:2058)

Activities

Matthias Wachs

2012-05-23 13:26

reporter   ~0005935

Issue in TCP plugin:

calls plugin_env_receive_callback with session that was freed before.

setup_neighbour is the first trying to access the memory, so crash here.
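
The free and the later access can be located directly from the two stacks in the Memcheck report. The following script is an added example, not part of the issue or of GNUnet: it parses a trimmed copy of the report above and finds the innermost function that appears on both the access stack and the free stack. The helper names `parse_stacks` and `divergence` are hypothetical.

```python
import re

# Frames copied from the Memcheck report in this issue (outer frames trimmed).
REPORT = """\
==17970== Invalid read of size 8
==17970== at 0x40A4C0: setup_neighbour (gnunet-service-transport_neighbours.c:1589)
==17970== by 0x40BBA4: GST_neighbours_handle_connect (gnunet-service-transport_neighbours.c:2056)
==17970== by 0x403F67: plugin_env_receive_callback (gnunet-service-transport.c:260)
==17970== by 0xA258FF6: handle_tcp_data (plugin_transport_tcp.c:1940)
==17970== Address 0xc66f3b8 is 312 bytes inside a block of size 424 free'd
==17970== at 0x4028AAE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17970== by 0xA25659C: session_disconnect_it (plugin_transport_tcp.c:1362)
==17970== by 0x5253AAC: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:485)
==17970== by 0xA257A06: tcp_plugin_disconnect (plugin_transport_tcp.c:1389)
==17970== by 0x408CE4: free_neighbour (gnunet-service-transport_neighbours.c:889)
==17970== by 0x40BB9C: GST_neighbours_handle_connect (gnunet-service-transport_neighbours.c:2055)
==17970== by 0x403F67: plugin_env_receive_callback (gnunet-service-transport.c:260)
==17970== by 0xA258FF6: handle_tcp_data (plugin_transport_tcp.c:1940)
"""

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((?:in )?(.+?)(?::(\d+))?\)$")

def parse_stacks(report):
    """Split a use-after-free report into (access_stack, free_stack), innermost first."""
    access, freed, current = [], [], None
    for line in report.splitlines():
        if "Invalid read" in line or "Invalid write" in line:
            current = access
        elif line.rstrip().endswith("free'd"):
            current = freed
        else:
            m = FRAME.match(line.strip())
            if m and current is not None:
                current.append((m.group(1), m.group(2), int(m.group(3)) if m.group(3) else None))
    return access, freed

def divergence(report):
    """Innermost function on both stacks: the frame that issued the free and then the use."""
    access, freed = parse_stacks(report)
    for i, (func, src, use_line) in enumerate(access):
        for j, (f_func, f_src, free_line) in enumerate(freed):
            if (func, src) == (f_func, f_src):
                # Callers above this frame should be identical on both stacks.
                n = min(len(access) - i, len(freed) - j) - 1
                same = access[i + 1:i + 1 + n] == freed[j + 1:j + 1 + n]
                return {"function": func, "file": src, "free_line": free_line,
                        "use_line": use_line, "callers_match": same}
    return None
```

Adjacent free and use lines in one function, with identical callers above it, are consistent with the object being released by one call and passed to the next while the same incoming message is handled.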

Matthias Wachs

2012-05-24 13:45

reporter   ~0005940

bug that solved the issue: 0002374

Issue History

Date Modified Username Field Change
2012-05-23 09:53 Matthias Wachs New Issue
2012-05-23 09:53 Matthias Wachs Status new => assigned
2012-05-23 09:53 Matthias Wachs Assigned To => Matthias Wachs
2012-05-23 09:55 Matthias Wachs Severity minor => crash
2012-05-23 13:26 Matthias Wachs Note Added: 0005935
2012-05-23 13:26 Matthias Wachs Category transport service => TCP transport
2012-05-23 13:37 Matthias Wachs Relationship added related to 0002369
2012-05-23 13:38 Matthias Wachs Relationship deleted related to 0002369
2012-05-23 13:38 Matthias Wachs Relationship added has duplicate 0002369
2012-05-23 13:38 Matthias Wachs Relationship added has duplicate 0002368
2012-05-24 13:45 Matthias Wachs Note Added: 0005940
2012-05-24 13:45 Matthias Wachs Status assigned => resolved
2012-05-24 13:45 Matthias Wachs Resolution open => fixed
2012-05-27 18:33 Christian Grothoff Product Version => Git master
2012-05-27 18:33 Christian Grothoff Fixed in Version => 0.9.3
2012-05-27 18:33 Christian Grothoff Target Version => 0.9.3
2012-06-02 19:15 Christian Grothoff Status resolved => closed
2024-05-03 13:59 Christian Grothoff Category TCP transport => transport service