View Issue Details

ID: 0004674
Project: GNUnet
Category: cadet service
View Status: public
Last Update: 2018-06-07 00:24
Reporter: tg
Assigned To: Christian Grothoff
Priority: urgent
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: SVN HEAD
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0004674: CADET: use after free in GCC_debug()
Description: -
Steps To Reproduce: test_cadet_2_speed_reliable
Additional Information:
==23312== 1 errors in context 1 of 9:
==23312== Invalid read of size 8
==23312== at 0x118B78: GCT_2s (gnunet-service-cadet_tunnel.c:3466)
==23312== by 0x1257CB: GCC_2s (gnunet-service-cadet_connection.c:3613)
==23312== by 0x1258CF: GCC_debug (gnunet-service-cadet_connection.c:3645)
==23312== by 0x11A4C5: conn_message_sent (gnunet-service-cadet_connection.c:712)
==23312== by 0x136DB2: call_peer_cont (gnunet-service-cadet_peer.c:1091)
==23312== by 0x136E1D: mq_sent (gnunet-service-cadet_peer.c:1113)
==23312== by 0x508A626: impl_send_continue (mq.c:454)
==23312== by 0x509E075: run_ready (scheduler.c:620)
==23312== by 0x509EA79: GNUNET_SCHEDULER_run (scheduler.c:887)
==23312== by 0x50AE8B4: GNUNET_SERVICE_run (service.c:1497)
==23312== by 0x13D765: main (gnunet-service-cadet.c:173)
==23312== Address 0x2323232323232323 is not stack'd, malloc'd or (recently) free'd
==23312==
==23312==
==23312== 1 errors in context 2 of 9:
==23312== Invalid read of size 8
==23312== at 0x1257C1: GCC_2s (gnunet-service-cadet_connection.c:3614)
==23312== by 0x1258CF: GCC_debug (gnunet-service-cadet_connection.c:3645)
==23312== by 0x11A4C5: conn_message_sent (gnunet-service-cadet_connection.c:712)
==23312== by 0x136DB2: call_peer_cont (gnunet-service-cadet_peer.c:1091)
==23312== by 0x136E1D: mq_sent (gnunet-service-cadet_peer.c:1113)
==23312== by 0x508A626: impl_send_continue (mq.c:454)
==23312== by 0x509E075: run_ready (scheduler.c:620)
==23312== by 0x509EA79: GNUNET_SCHEDULER_run (scheduler.c:887)
==23312== by 0x50AE8B4: GNUNET_SERVICE_run (service.c:1497)
==23312== by 0x13D765: main (gnunet-service-cadet.c:173)
==23312== Address 0x83ff4b0 is 0 bytes inside a block of size 272 free'd
==23312== at 0x4C2AD4A: free (in /nix/store/5azp62mkgdkqbwc0ss3xqwz2ngnjxc0m-valgrind-3.11.0/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23312== by 0x505693D: GNUNET_xfree_ (common_allocation.c:321)
==23312== by 0x122A5E: GCC_destroy (gnunet-service-cadet_connection.c:2878)
==23312== by 0x11D45A: connection_timeout (gnunet-service-cadet_connection.c:1507)
==23312== by 0x11D529: connection_bck_timeout (gnunet-service-cadet_connection.c:1543)
==23312== by 0x509E075: run_ready (scheduler.c:620)
==23312== by 0x509EA79: GNUNET_SCHEDULER_run (scheduler.c:887)
==23312== by 0x50AE8B4: GNUNET_SERVICE_run (service.c:1497)
==23312== by 0x13D765: main (gnunet-service-cadet.c:173)
==23312== Block was alloc'd at
==23312== at 0x4C29C30: malloc (in /nix/store/5azp62mkgdkqbwc0ss3xqwz2ngnjxc0m-valgrind-3.11.0/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23312== by 0x50565CE: GNUNET_xmalloc_unchecked_ (common_allocation.c:219)
==23312== by 0x5055EEE: GNUNET_xmalloc_ (common_allocation.c:75)
==23312== by 0x1221F1: GCC_new (gnunet-service-cadet_connection.c:2769)
==23312== by 0x1173FA: GCT_use_path (gnunet-service-cadet_tunnel.c:2900)
==23312== by 0x137E46: GCP_connect (gnunet-service-cadet_peer.c:1410)
==23312== by 0x134F0C: core_connect_handler (gnunet-service-cadet_peer.c:364)
==23312== by 0x56F4A82: connect_peer (core_api_2.c:447)
==23312== by 0x56F50A9: handle_connect_notify (core_api_2.c:540)
==23312== by 0x50899F9: GNUNET_MQ_inject_message (mq.c:282)
==23312== by 0x508B337: handle_client_message (mq.c:760)
==23312== by 0x50538E2: receive_task (client.c:610)
==23312==
==23312==
==23312== 1 errors in context 3 of 9:
==23312== Invalid read of size 8
==23312== at 0x1257B5: GCC_2s (gnunet-service-cadet_connection.c:3609)
==23312== by 0x1258CF: GCC_debug (gnunet-service-cadet_connection.c:3645)
==23312== by 0x11A4C5: conn_message_sent (gnunet-service-cadet_connection.c:712)
==23312== by 0x136DB2: call_peer_cont (gnunet-service-cadet_peer.c:1091)
==23312== by 0x136E1D: mq_sent (gnunet-service-cadet_peer.c:1113)
==23312== by 0x508A626: impl_send_continue (mq.c:454)
==23312== by 0x509E075: run_ready (scheduler.c:620)
==23312== by 0x509EA79: GNUNET_SCHEDULER_run (scheduler.c:887)
==23312== by 0x50AE8B4: GNUNET_SERVICE_run (service.c:1497)
==23312== by 0x13D765: main (gnunet-service-cadet.c:173)
==23312== Address 0x83ff4b0 is 0 bytes inside a block of size 272 free'd
==23312== at 0x4C2AD4A: free (in /nix/store/5azp62mkgdkqbwc0ss3xqwz2ngnjxc0m-valgrind-3.11.0/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23312== by 0x505693D: GNUNET_xfree_ (common_allocation.c:321)
==23312== by 0x122A5E: GCC_destroy (gnunet-service-cadet_connection.c:2878)
==23312== by 0x11D45A: connection_timeout (gnunet-service-cadet_connection.c:1507)
==23312== by 0x11D529: connection_bck_timeout (gnunet-service-cadet_connection.c:1543)
==23312== by 0x509E075: run_ready (scheduler.c:620)
==23312== by 0x509EA79: GNUNET_SCHEDULER_run (scheduler.c:887)
==23312== by 0x50AE8B4: GNUNET_SERVICE_run (service.c:1497)
==23312== by 0x13D765: main (gnunet-service-cadet.c:173)
==23312== Block was alloc'd at
==23312== at 0x4C29C30: malloc (in /nix/store/5azp62mkgdkqbwc0ss3xqwz2ngnjxc0m-valgrind-3.11.0/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23312== by 0x50565CE: GNUNET_xmalloc_unchecked_ (common_allocation.c:219)
==23312== by 0x5055EEE: GNUNET_xmalloc_ (common_allocation.c:75)
==23312== by 0x1221F1: GCC_new (gnunet-service-cadet_connection.c:2769)
==23312== by 0x1173FA: GCT_use_path (gnunet-service-cadet_tunnel.c:2900)
==23312== by 0x137E46: GCP_connect (gnunet-service-cadet_peer.c:1410)
==23312== by 0x134F0C: core_connect_handler (gnunet-service-cadet_peer.c:364)
==23312== by 0x56F4A82: connect_peer (core_api_2.c:447)
==23312== by 0x56F50A9: handle_connect_notify (core_api_2.c:540)
==23312== by 0x50899F9: GNUNET_MQ_inject_message (mq.c:282)
==23312== by 0x508B337: handle_client_message (mq.c:760)
==23312== by 0x50538E2: receive_task (client.c:610)
==23312==
==23312==
==23312== 6 errors in context 4 of 9:
==23312== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==23312== at 0x75821ED: send (in /nix/store/gwl3ppqj4i730nhd4f50ncl5jc4n97ks-glibc-2.23/lib/libc-2.23.so)
==23312== by 0x508F5FA: GNUNET_NETWORK_socket_send (network.c:903)
==23312== by 0x5062940: transmit_ready (connection.c:1457)
==23312== by 0x509E075: run_ready (scheduler.c:620)
==23312== by 0x509EA79: GNUNET_SCHEDULER_run (scheduler.c:887)
==23312== by 0x50AE8B4: GNUNET_SERVICE_run (service.c:1497)
==23312== by 0x13D765: main (gnunet-service-cadet.c:173)
==23312== Address 0x80331dc is 60 bytes inside a block of size 160 alloc'd
==23312== at 0x4C2BB7D: realloc (in /nix/store/5azp62mkgdkqbwc0ss3xqwz2ngnjxc0m-valgrind-3.11.0/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23312== by 0x5056649: GNUNET_xrealloc_ (common_allocation.c:255)
==23312== by 0x50626BC: transmit_ready (connection.c:1443)
==23312== by 0x509E075: run_ready (scheduler.c:620)
==23312== by 0x509EA79: GNUNET_SCHEDULER_run (scheduler.c:887)
==23312== by 0x50AE8B4: GNUNET_SERVICE_run (service.c:1497)
==23312== by 0x13D765: main (gnunet-service-cadet.c:173)
==23312== Uninitialised value was created by a stack allocation
==23312== at 0x124680: GCC_send_create (gnunet-service-cadet_connection.c:3391)
==23312==
Tags: No tags attached.

Activities

Christian Grothoff

2017-02-21 18:27

manager   ~0011808

No longer relevant after CADET rewrite.

Issue History

Date Modified Username Field Change
2016-09-23 16:56 tg New Issue
2016-09-23 16:56 tg Status new => assigned
2016-09-23 16:56 tg Assigned To => Bart Polot
2016-09-24 22:36 Christian Grothoff Priority normal => urgent
2017-02-21 18:27 Christian Grothoff Assigned To Bart Polot => Christian Grothoff
2017-02-21 18:27 Christian Grothoff Status assigned => resolved
2017-02-21 18:27 Christian Grothoff Resolution open => fixed
2017-02-21 18:27 Christian Grothoff Fixed in Version => 0.11.0pre66
2017-02-21 18:27 Christian Grothoff Note Added: 0011808
2017-02-21 18:27 Christian Grothoff Target Version => 0.11.0pre66
2018-06-07 00:24 Christian Grothoff Status resolved => closed