View Issue Details

ID: 0003112
Project: GNUnet
Category: cadet service
View Status: public
Last Update: 2013-12-24 20:54
Reporter: LRN
Assigned To: Bart Polot
Priority: urgent
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: Git master
Target Version: 0.10.0
Fixed in Version: 0.10.0
Summary: 0003112: Use-after-free in get_next_hop
Description: subj
Steps To Reproduce: Run test_mesh_small_speed_reliable
Additional Information:
Reading symbols from d:\progs\gnunet\lib\gnunet\libexec\gnunet-service-mesh.exe...done.
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 11364.0x2280]
0x00408fc1 in get_next_hop (c=0x2bf2928) at gnunet-service-mesh_connection.c:633
633         id = c->path->peers[c->own_pos + 1];
(gdb) bt
#0  0x00408fc1 in get_next_hop (c=0x2bf2928) at gnunet-service-mesh_connection.c:633
#1  0x00408fea in get_hop (c=0x2bf2928, fwd=1) at gnunet-service-mesh_connection.c:651
#2  0x0040fb52 in GMC_send_prebuilt_message (message=0x28fa84, c=0x2bf2928, fwd=1, cont=0x0, cont_cls=0x0) at gnunet-service-mesh_connection.c:2522
#3  0x0040b020 in GMC_handle_create (cls=0x0, peer=0x28fa64, message=0x28fa84) at gnunet-service-mesh_connection.c:1284
#4  0x69505644 in main_notify_handler (cls=0x14780d0, msg=0x28fa60) at core_api.c:936
#5  0x62b4411c in receive_task (cls=0x2bed558, tc=0x28fbf0) at client.c:589
#6  0x62b7f835 in run_ready (rs=0x2beea60, ws=0x2befa78) at scheduler.c:593
#7  0x62b800b1 in GNUNET_SCHEDULER_run (task=0x62b8bd78 <service_task>, task_cls=0x28fd98) at scheduler.c:808
#8  0x62b8cc47 in GNUNET_SERVICE_run (argc=3, argv=0x2bd8f40, service_name=0x426561 <__FUNCTION__.105172+1342> "mesh", options=GNUNET_SERVICE_OPTION_NONE, task=0x420207 <run>, task_cls=0x0) at service.c:1478
#9  0x004205b1 in main (argc=3, argv=0x2bd8f40) at gnunet-service-mesh.c:161
(gdb) p/x *c
$1 = {t = 0x0, fwd_fc = {c = 0x2bf2928, queue_n = 0x0, queue_max = 0x3, next_pid = 0x0, last_pid_sent = 0xffffffff, last_pid_recv = 0xffffffff, last_ack_sent = 0x0, last_ack_recv = 0x0, poll_task = 0x0,
    poll_time = {rel_value_us = 0xf4240}, poll_msg = 0x0, ack_msg = 0x0}, bck_fc = {c = 0x2bf2928, queue_n = 0x0, queue_max = 0x3, next_pid = 0x0, last_pid_sent = 0xffffffff, last_pid_recv = 0xffffffff,
    last_ack_sent = 0x0, last_ack_recv = 0x0, poll_task = 0x0, poll_time = {rel_value_us = 0xf4240}, poll_msg = 0x0, ack_msg = 0x0}, perf = 0x0, id = {bits = {0x51b03af, 0x533094d1, 0x5e4621f5, 0x1718c97e,
      0x70915e80, 0xbbaf5416, 0xe9141420, 0x37ede8c1, 0x2ba87a8c, 0x81ccb6ab, 0x60d72196, 0xfdf06d3d, 0x78e6c6bf, 0x7bf7d5f7, 0x29c4ef27, 0x8e466951}}, state = 0x1, path = 0x2bf38b0, own_pos = 0x1,
  fwd_maintenance_task = 0x31, bck_maintenance_task = 0x0, pending_messages = 0x1, destroy = 0x0}
(gdb) p *c->path
$2 = {next = 0xdf000c2, prev = 0xdf0adba, peers = 0xdf0adba, length = 233876922, score = 233876922}
(gdb) p/x *c->path
$3 = {next = 0xdf000c2, prev = 0xdf0adba, peers = 0xdf0adba, length = 0xdf0adba, score = 0xdf0adba}
Tags: No tags attached.

Activities

Bart Polot

2013-11-18 15:34

reporter   ~0007647

Fixed in r30769.

Bart Polot

2013-11-18 15:35

reporter   ~0007649

Wrong use after free bug closed.

Bart Polot

2013-11-18 19:58

reporter   ~0007652

Fixed in 30785.

Issue History

Date Modified | Username | Field | Change
2013-11-16 16:21 | LRN | New Issue |
2013-11-16 16:21 | LRN | Status | new => assigned
2013-11-16 16:21 | LRN | Assigned To | => Bart Polot
2013-11-16 16:26 | Christian Grothoff | Priority | normal => urgent
2013-11-16 16:26 | Christian Grothoff | Product Version | => Git master
2013-11-16 16:26 | Christian Grothoff | Target Version | => 0.10.0
2013-11-18 15:34 | Bart Polot | Note Added: 0007647 |
2013-11-18 15:34 | Bart Polot | Status | assigned => resolved
2013-11-18 15:34 | Bart Polot | Fixed in Version | => Git master
2013-11-18 15:34 | Bart Polot | Resolution | open => fixed
2013-11-18 15:35 | Bart Polot | Note Added: 0007649 |
2013-11-18 15:35 | Bart Polot | Status | resolved => assigned
2013-11-18 19:58 | Bart Polot | Note Added: 0007652 |
2013-11-18 19:58 | Bart Polot | Status | assigned => resolved
2013-12-08 23:57 | Christian Grothoff | Fixed in Version | Git master => 0.10.0
2013-12-24 20:54 | Christian Grothoff | Status | resolved => closed
2014-05-09 18:34 | Christian Grothoff | Category | mesh service => cadet service