[Pidgin] #13283: MSN crash when ACK and NAK are received with same ID

Pidgin trac at pidgin.im
Sat Jan 29 01:57:34 EST 2011 

#13283: MSN crash when ACK and NAK are received with same ID
--------------------------+-------------------------------------------------
 Reporter:  hanzz         |     Owner:  rekkanoryo
     Type:  defect        |    Status:  new       
Component:  unclassified  |   Version:  2.7.9     
 Keywords:                |  
--------------------------+-------------------------------------------------
 Hi,

 MSN sends ACK followed by NAK with the same ID. The first ACK leads to
 "msg" deletion, so next NAK with the same id crashes, because of already
 freed "msg" object.

 LOG:

 {{{
 [01/28/11 22:56:56] <libpurple/msn> message ref (0x3bc5800)[1]
 [01/28/11 22:56:56] <libpurple/msn> prepare to send online Message
 [01/28/11 22:56:56] <libpurple/msn> send via switchboard
 [01/28/11 22:56:56] <libpurple/msn> switchboard send msg..
 [01/28/11 22:56:56] <libpurple/msn> SB length:{145}
 [01/28/11 22:56:56] <libpurple/msn> Message SB SEND:
 {MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 User-Agent: pidgin/2.7.9
 X-MMS-IM-Format: FN=Segoe%20UI; EF=; CO=0; PF=0; RL=0

 ??
 }
 [01/28/11 22:56:56] <libpurple/msn> message ref (0x3bc5800)[2]
 [01/28/11 22:56:56] <libpurple/msn> C: SB 027: MSG 2 A 145
 [01/28/11 22:56:56] <libpurple/msn> message unref (0x3bc5800)[1]
 [01/28/11 22:56:56] <libpurple/msn> S: NS 000: NOT 609
 [01/28/11 22:56:56] <libpurple/msn> S: SB 027: ACK 2
 [01/28/11 22:56:56] <libpurple/msn> message unref (0x3bc5800)[0]
 [01/28/11 22:56:56] <libpurple/msn> message destroy (0x3bc5800)
 [01/28/11 22:56:56] <libpurple/msn> S: SB 009: MSG
 harminder_dhillon11323 at hotmail.com Harminder 104
 [01/28/11 22:56:56] <libpurple/msn> message new (0x45a95b0)(0)
 [01/28/11 22:56:56] <libpurple/msn> message ref (0x45a95b0)[1]
 [01/28/11 22:56:56] <libpurple/msn> Message SB RECV:
 {MIME-Version: 1.0
 Content-Type: text/x-msmsgscontrol
 TypingUser: harminder_dhillon11323 at hotmail.com



 }
 [01/28/11 22:56:56] <359403022561370 at jabber.something.tld>
 harminder_dhillon11323 at hotmail.com is typing
 [01/28/11 22:56:56] <XML OUT> <message
 to='359403022561370 at jabber.something.tld' type='chat'
 from='harminder_dhillon11\40hotmail.com at msn.something.tld/bot'><composing
 xmlns='http://jabber.org/protocol/chatstates'/></message>
 [01/28/11 22:56:56] <libpurple/msn> message unref (0x45a95b0)[0]
 [01/28/11 22:56:56] <libpurple/msn> message destroy (0x45a95b0)
 [01/28/11 22:56:56] <XML IN> <presence
 from='makedir at something.tld/Miranda4495BBFF'
 to='msn.something.tld'><priority>0</priority><c node='http://miranda-
 im.org/caps' ver='0.9.0.17' ext='secureim mood activity mir_notes'
 xmlns='http://jabber.org/protocol/caps'/><x xmlns='vcard-
 temp:x:update'><photo>55dfff3dc6c9032c6374c2dcff26d9c055fe08a0</photo></x></presence>
 [01/28/11 22:56:56] <makedir at something.tld/Miranda4495BBFF> Presence
 received (0) for: msn.something.tldisMUC0
 [01/28/11 22:56:56] <makedir at something.tld/Miranda4495BBFF> asking for
 caps/disco#info
 [01/28/11 22:56:56] <XML OUT> <iq
 to='makedir at something.tld/Miranda4495BBFF' id='uid:4d42924c:2427c97b'
 type='get' from='msn.something.tld' xmlns='jabber:component:accept'><query
 xmlns='http://jabber.org/protocol/disco#info'/></iq>
 [01/28/11 22:56:56] <XML OUT> <iq to='makedir at something.tld'
 id='uid:4d42924c:21ee19a0' type='get' from='msn.something.tld'
 xmlns='jabber:component:accept'><vCard xmlns='vcard-temp'
 version='3.0'/></iq>
 [01/28/11 22:56:56] <makedir at something.tld> RESOURCEMiranda4495BBFF
 Miranda4495BBFF
 [01/28/11 22:56:56] <makedir at something.tld> mirroring presence to legacy
 network
 [01/28/11 22:56:56] <XML OUT> <presence to='makedir at something.tld'
 from='msn.something.tld'><priority>0</priority></presence>
 [01/28/11 22:56:56] <XML IN> <presence
 from='makedir at something.tld/Miranda4495BBFF'
 to='joseph345\40hotmail.co.jp at msn.something.tld'><priority>0</priority><c
 node='http://miranda-im.org/caps' ver='0.9.0.17' ext='secureim mood
 activity mir_notes' xmlns='http://jabber.org/protocol/caps'/><x xmlns
 ='vcard-
 temp:x:update'><photo>55dfff3dc6c9032c6374c2dcff26d9c055fe08a0</photo></x></presence>
 [01/28/11 22:56:56] <makedir at something.tld/Miranda4495BBFF> Presence
 received (0) for: joseph345\40hotmail.co.jp at msn.something.tldisMUC0
 [01/28/11 22:56:56] <XML IN> <presence
 from='makedir at something.tld/Miranda4495BBFF'
 to='benvovovo\40hotmail.de at msn.something.tld'><priority>0</priority><c
 node='http://miranda-im.org/caps' ver='0.9.0.17' ext='secureim mood
 activity mir_notes' xmlns='http://jabber.org/protocol/caps'/><x xmlns
 ='vcard-
 temp:x:update'><photo>55dfff3dc6c9032c6374c2dcff26d9c055fe08a0</photo></x></presence>
 [01/28/11 22:56:56] <makedir at something.tld/Miranda4495BBFF> Presence
 received (0) for: benvovovo\40hotmail.de at msn.something.tldisMUC0
 [01/28/11 22:56:56] <XML IN> <presence
 from='makedir at something.tld/Miranda4495BBFF'
 to='aznboi107\40hotmail.com at msn.something.tld'><priority>0</priority><c
 node='http://miranda-im.org/caps' ver='0.9.0.17' ext='secureim mood
 activity mir_notes' xmlns='http://jabber.org/protocol/caps'/><x xmlns
 ='vcard-
 temp:x:update'><photo>55dfff3dc6c9032c6374c2dcff26d9c055fe08a0</photo></x></presence>
 [01/28/11 22:56:56] <makedir at something.tld/Miranda4495BBFF> Presence
 received (0) for: aznboi107\40hotmail.com at msn.something.tldisMUC0
 [01/28/11 22:56:56] <libpurple/msn> S: SB 027: NAK 2

 }}}


 BACKTRACE:

 {{{
 (gdb) #0  0x00007f1a1b413128 in msg_error_helper (cmdproc=0x37abdf0,
 msg=0x3bc5800,
     error=MSN_MSG_ERROR_NAK)
     at
 /home/mati/repositories/all/pidgin-2.7.9/./libpurple/protocols/msn/switchboard.c:445
         swboard = <value optimized out>
         __PRETTY_FUNCTION__ = "msg_error_helper"
 #1  0x00007f1a1b3efb6b in msn_cmdproc_process_cmd (cmdproc=0x37abdf0,
     cmd=0x3fc6840)
     at
 /home/mati/repositories/all/pidgin-2.7.9/./libpurple/protocols/msn/cmdproc.c:317
         cb = 0xfefefefefefefefe
         trans = 0x1731fc0
 #2  0x00007f1a1b40afd7 in msn_servconn_process_data (servconn=0x42a10c0)
     at
 /home/mati/repositories/all/pidgin-2.7.9/./libpurple/protocols/msn/servconn.c:494
         end = 0x32cd4f7 ""
         old_rx_buf = 0x32cd4f0 "NAK 2"
         cur_len = 2
 #3  0x00007f1a1b40b0e7 in read_cb (data=0x42a10c0,
     source=<value optimized out>, cond=<value optimized out>)
     at
 /home/mati/repositories/all/pidgin-2.7.9/./libpurple/protocols/msn/servconn.c:445
         servconn = <value optimized out>
         buf = "NAK
 2\r\n\000\251I\371)\032\177\000\000\340\024O\004\000\000\000\000\026\070\371)\032\177\000\000\020x\a\245\377\177\000\000\377\377\377\377\000\000\000\000.x\a\245\377\177\000\000i\001\000\000\000\000\000\000i\001\000\000\000\000\000\000vI\371)\032\177\000\000\300x\a\245\377\177\000\000vI\371)\032\177\000\000
 \031\237\003\000\000\000\000\066\000\000\000\000\000\000\000\300x\a\245\377\177\000\000vI\371)\032\177\000\000\300x\a\245\377\177\000\000\266\210\371)\032\177\000\000\037x\a\245\377\177\000\000\340\335\353\001\000\000\000\000\360\335\353\001\000\000\000\000Є\234\003\000\000\000\000\340\204\234\003\000\000\000\000vI\371)\032\177\000\000\260\275\r\001\000\000\000\000\240\275\r\001\000\000\000\000\260\275\r\001\000\000\000\000vI\371)\032\177\000\000\260\275\r\001\000\000\000\000\350\257\361",
 '\000' <repeats 13 times>"\266,
 \210\371)\032\177\000\000`\313u\000\000\000\000\000"...
         len = <value optimized out>
 #4  0x0000000000477af2 in io_invoke (source=<value optimized out>,
     condition=<value optimized out>, data=<value optimized out>)
     at /home/mati/repositories/all/spectrum-dev/src/geventloop.cpp:61
         closure = 0x23e6200
         purple_cond = PURPLE_INPUT_READ
         tmp = <value optimized out>
 #5  0x00007f1a2bd7d8c2 in g_main_context_dispatch ()
    from /lib/libglib-2.0.so.0
 No symbol table info available.
 #6  0x00007f1a2bd81748 in ?? () from /lib/libglib-2.0.so.0
 No symbol table info available.
 #7  0x00007f1a2bd81c55 in g_main_loop_run () from /lib/libglib-2.0.so.0
 No symbol table info available.
 #8  0x00000000004893a9 in GlooxMessageHandler (this=0xf21b10,
     config=<value optimized out>)
     at /home/mati/repositories/all/spectrum-dev/src/main.cpp:1103
         loaded = <value optimized out>
 #9  0x000000000048983a in main (argc=2, argv=0x7fffa5079b38)
     at /home/mati/repositories/all/spectrum-dev/src/main.cpp:2151
         sa = warning: can't find linker symbol for virtual table for
 `sigaction' value
 warning:   found `GlooxMessageHandler::loadConfigFile(std::string const&)'
 instead
 {__sigaction_handler = {
             sa_handler = 0x4829b0 <spectrum_sighup_handler>,
             sa_sigaction = 0x4829b0 <spectrum_sighup_handler>}, sa_mask =
 {
             __val = {0 <repeats 16 times>}}, sa_flags = 0, sa_restorer =
 0}
         config = {static npos = 18446744073709551615,
           _M_dataplus = {<std::allocator<char>> =
 {<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>},
             _M_p = 0xf21ff8 "/etc/spectrum/msn:5402.cfg"}}
         error = 0x0
         context = 0xf17780
 (gdb)
 }}}

 I don't know prpl-msn well enough to fix it properly, so I hope you'll be
 able.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/13283>
Pidgin <http://pidgin.im>
Pidgin

More information about the Tracker mailing list