[Pidgin] #14430: IBB receiver reads struct after free (at completion of transfer)

Pidgin trac at pidgin.im
Sun Jul 17 01:49:14 EDT 2011 

#14430: IBB receiver reads struct after free (at completion of transfer)
------------------------+---------------------------------------------------
 Reporter:  darkrain42  |        Owner:  malu
     Type:  defect      |       Status:  new 
Milestone:              |    Component:  XMPP
  Version:  2.9.0       |   Resolution:      
 Keywords:              |  
------------------------+---------------------------------------------------

Old description:

> While trying to reproduce another file transfer situation, I ran across
> this in valgrind.
>

>
> {{{
> (22:40:44) jabber: Recv (ssl)(1397): <iq id='purple267a717a' type='set'
> to='me' from='my friend'><data xmlns='http://jabber.org/protocol/ibb'
> seq='1'
> sid='purple267a7176'>FTFfsOWgeAtyoZlOJ5pKHnKMsmU0lVYg8Kfq31U6qgKFhJQKwcEp6NoiadtBwBCtT2KcZSAUSaQTyKnJ8pRfLzCegkcsbdWFwZOULS1LSoaT47TJlOCJ7WyWqq9nlrcshoKCUIJzHM+Zsazd/e1pfWrgRmJ+4ZkCtoOYu7mW5nWTTo58GiBcihAfaNL2J2Bu0fMRasNjarY2EQMhw4gTRuq0tQSJhZTWijOnurlCdRrJhxwl+CIxq3ZqQsoWKSUneSQ4SSnbAz4BJTc9/ojkVORYG38DBMWSzG0oKbJEKYiE7Nd4wat12gFbc6wjwreheQFUypSEF1QcH8S0cQQw6PiDgHIlEK7hsK62iyUNQrqJlOCUESMe5AosdvxWcpSqMVtotrYFQuLkNhyU85wYVnRlhE27OsSptGczgXGVezTTziplMpqiZBJ57t1zkqUSG2qZlAxTsG41MwV2SU4xtA0lDLaRBolTddnxYpJSoEEWZJBsQd2ArRWC4YYVuSVhK0k6Gtmhqr8dJWNWh2EH1ZCrESA56sSLV8ElwKapGWyBtWdiZdsm8xtQMmy0BuOI4/hbVkxYFbakZawkDJj9Hc3Ls5fVCYQu7NkF5SwdjUG1JKbbAwWIUkt0AMTQL+zxTFmXr8xB7Mw5+odSbfCkr6Z3npijOSmLToiA9XKJDM4+CRdmThskL41Q1y59gvaMWJ2JGRKeyQszieDOdMdHlCSIfJ0qDNl3Z2a1VPXcg88vWitB+Jl2ULGNPhlvZFlTzQ1bKsDqRe1Qqc7LIZyY+Rkhgz1CRoaDasQZnoIUJfTl4Rsr8ZflF0uZ12vGNFd9QcXvJnCo0MQxPr4XhRi11mKR2GTqFtm3QrB6zj6a23VWUeuMIYRPbMW0KXCNRVGai7YmxyVokJT+FTF/6RcDfxe0/pEU5eznLIUKDrx1aIZmxIOkLOIxu0J+rQzCJdIjsu5AdlQb5BscLkYxQIXaJbkEiEE5vefVkETPXBjkyTT9CdvS9RMgZY1h9w3MxImz/U7A5Lx7JmPROFaMVNEoLuXxxyKeYicQqpgpMDSFd/yg2+CiX2Mh08rGJmMh1qGdPU0utHxUIkLJaMbvBwcYZPoZQG5DJKxyQdInw6m3Oh1vFK2bRGAv0NqheblBhDypUYfEpr1TMSd2KJX024kzh4AqGauEhayQlI+n0ONLTeP/4u5IpwoSD7LyxQA=</data></iq>
> (22:40:44) jabber: got 908 bytes of data on IBB stream
> (22:40:44) jabber: calling IBB callback for received data
> (22:40:44) jabber: about to write 908 bytes from IBB stream
> (22:40:44) xfer: Prpl (and UI) ready on ft 0x219548f0, so proceeding
> (22:40:44) jabber: jabber_si_xfer_free: destroying IBB session
> (22:40:44) jabber: IBB: destroying session 0x29e031a0 purple267a7176
> (22:40:44) jabber: Sending (ssl) (me): <iq type='set' id='purpleafaa4128'
> to='my friend'><close xmlns='http://jabber.org/protocol/ibb'
> sid='purple267a7176'/></iq>
> (22:40:44) jabber: jabber_si_xfer_free(): freeing jsx 0x21934360
> ==25203== Invalid read of size 2
> ==25203==    at 0x1DB12695: jabber_ibb_parse (ibb.c:455)
> ==25203==    by 0x1DB1C00A: jabber_process_packet (jabber.c:345)
> ==25203==    by 0x1DB28FA6: jabber_parser_element_end_libxml
> (parser.c:169)
> ==25203==    by 0x6345A92: ??? (in /usr/lib/libxml2.so.2.7.8)
> ==25203==    by 0x634C92F: ??? (in /usr/lib/libxml2.so.2.7.8)
> ==25203==    by 0x634E0A7: xmlParseChunk (in /usr/lib/libxml2.so.2.7.8)
> ==25203==    by 0x1DB2901C: jabber_parser_process (parser.c:279)
> ==25203==    by 0x1DB17E91: jabber_recv_cb_ssl (jabber.c:659)
> ==25203==    by 0x46E87D: pidgin_io_invoke (gtkeventloop.c:73)
> ==25203==    by 0x90044A2: g_main_context_dispatch (gmain.c:2440)
> ==25203==    by 0x9004C7F: g_main_context_iterate.clone.6 (gmain.c:3091)
> ==25203==    by 0x90052F1: g_main_loop_run (gmain.c:3299)
> ==25203==    by 0x679AA76: gtk_main (gtkmain.c:1256)
> ==25203==    by 0x435858: main (gtkmain.c:934)
> ==25203==  Address 0x29e031c2 is 34 bytes inside a block of size 112
> free'd
> ==25203==    at 0x4C268FE: free (in /usr/lib/valgrind/vgpreload_memcheck-
> amd64-linux.so)
> ==25203==    by 0x1DB2D7C6: jabber_si_xfer_free (si.c:1357)
> ==25203==    by 0x9319E11: purple_xfer_end (ft.c:1453)
> ==25203==    by 0x931A81A: do_transfer (ft.c:1262)
> ==25203==    by 0x1DB1268C: jabber_ibb_parse (ibb.c:442)
> ==25203==    by 0x1DB1C00A: jabber_process_packet (jabber.c:345)
> ==25203==    by 0x1DB28FA6: jabber_parser_element_end_libxml
> (parser.c:169)
> ==25203==    by 0x6345A92: ??? (in /usr/lib/libxml2.so.2.7.8)
> ==25203==    by 0x634C92F: ??? (in /usr/lib/libxml2.so.2.7.8)
> ==25203==    by 0x634E0A7: xmlParseChunk (in /usr/lib/libxml2.so.2.7.8)
> ==25203==    by 0x1DB2901C: jabber_parser_process (parser.c:279)
> ==25203==    by 0x1DB17E91: jabber_recv_cb_ssl (jabber.c:659)
> ==25203==    by 0x46E87D: pidgin_io_invoke (gtkeventloop.c:73)
> ==25203==    by 0x90044A2: g_main_context_dispatch (gmain.c:2440)
> ==25203==    by 0x9004C7F: g_main_context_iterate.clone.6 (gmain.c:3091)
> ==25203==    by 0x90052F1: g_main_loop_run (gmain.c:3299)
> ==25203==    by 0x679AA76: gtk_main (gtkmain.c:1256)
> ==25203==    by 0x435858: main (gtkmain.c:934)
> ==25203==
> }}}

New description:

 While trying to reproduce another file transfer situation, I ran across
 this in valgrind.



 {{{
 (22:40:44) jabber: Recv (ssl)(1397): <iq id='purple267a717a' type='set'
 to='me' from='my friend'>
 <data xmlns='http://jabber.org/protocol/ibb' seq='1' sid='purple267a7176'>
 FTFfsOWgeAtyoZlOJ5pKHnKMsmU0lVYg8Kfq31U6qgKFhJQ
 KwcEp6NoiadtBwBCtT2KcZSAUSaQTyKnJ8pRfLzCegkcsbdWFwZOULS1LSoaT47TJlOC
 J7WyWqq9nlrcshoKCUIJzHM+Zsazd/e1pfWrgRmJ+4ZkCtoOYu7mW5nWTTo58GiBcihA
 faNL2J2Bu0fMRasNjarY2EQMhw4gTRuq0tQSJhZTWijOnurlCdRrJhxwl+CIxq3ZqQso
 WKSUneSQ4SSnbAz4BJTc9/ojkVORYG38DBMWSzG0oKbJEKYiE7Nd4wat12gFbc6wjwre
 heQFUypSEF1QcH8S0cQQw6PiDgHIlEK7hsK62iyUNQrqJlOCUESMe5AosdvxWcpSqMVt
 otrYFQuLkNhyU85wYVnRlhE27OsSptGczgXGVezTTziplMpqiZBJ57t1zkqUSG2qZlAx
 TsG41MwV2SU4xtA0lDLaRBolTddnxYpJSoEEWZJBsQd2ArRWC4YYVuSVhK0k6Gtmhqr8
 dJWNWh2EH1ZCrESA56sSLV8ElwKapGWyBtWdiZdsm8xtQMmy0BuOI4/hbVkxYFbakZaw
 kDJj9Hc3Ls5fVCYQu7NkF5SwdjUG1JKbbAwWIUkt0AMTQL+zxTFmXr8xB7Mw5+odSbfC
 kr6Z3npijOSmLToiA9XKJDM4+CRdmThskL41Q1y59gvaMWJ2JGRKeyQszieDOdMdHlCS
 IfJ0qDNl3Z2a1VPXcg88vWitB+Jl2ULGNPhlvZFlTzQ1bKsDqRe1Qqc7LIZyY+Rkhgz1
 CRoaDasQZnoIUJfTl4Rsr8ZflF0uZ12vGNFd9QcXvJnCo0MQxPr4XhRi11mKR2GTqFtm
 3QrB6zj6a23VWUeuMIYRPbMW0KXCNRVGai7YmxyVokJT+FTF/6RcDfxe0/pEU5eznLIU
 KDrx1aIZmxIOkLOIxu0J+rQzCJdIjsu5AdlQb5BscLkYxQIXaJbkEiEE5vefVkETPXBj
 kyTT9CdvS9RMgZY1h9w3MxImz/U7A5Lx7JmPROFaMVNEoLuXxxyKeYicQqpgpMDSFd/y
 g2+CiX2Mh08rGJmMh1qGdPU0utHxUIkLJaMbvBwcYZPoZQG5DJKxyQdInw6m3Oh1vFK2
 bRGAv0NqheblBhDypUYfEpr1TMSd2KJX024kzh4AqGauEhayQlI+n0ONLTeP/4u5Ipwo
 SD7LyxQA=</data></iq>
 (22:40:44) jabber: got 908 bytes of data on IBB stream
 (22:40:44) jabber: calling IBB callback for received data
 (22:40:44) jabber: about to write 908 bytes from IBB stream
 (22:40:44) xfer: Prpl (and UI) ready on ft 0x219548f0, so proceeding
 (22:40:44) jabber: jabber_si_xfer_free: destroying IBB session
 (22:40:44) jabber: IBB: destroying session 0x29e031a0 purple267a7176
 (22:40:44) jabber: Sending (ssl) (me): <iq type='set' id='purpleafaa4128'
 to='my friend'><close xmlns='http://jabber.org/protocol/ibb'
 sid='purple267a7176'/></iq>
 (22:40:44) jabber: jabber_si_xfer_free(): freeing jsx 0x21934360
 ==25203== Invalid read of size 2
 ==25203==    at 0x1DB12695: jabber_ibb_parse (ibb.c:455)
 ==25203==    by 0x1DB1C00A: jabber_process_packet (jabber.c:345)
 ==25203==    by 0x1DB28FA6: jabber_parser_element_end_libxml
 (parser.c:169)
 ==25203==    by 0x6345A92: ??? (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x634C92F: ??? (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x634E0A7: xmlParseChunk (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x1DB2901C: jabber_parser_process (parser.c:279)
 ==25203==    by 0x1DB17E91: jabber_recv_cb_ssl (jabber.c:659)
 ==25203==    by 0x46E87D: pidgin_io_invoke (gtkeventloop.c:73)
 ==25203==    by 0x90044A2: g_main_context_dispatch (gmain.c:2440)
 ==25203==    by 0x9004C7F: g_main_context_iterate.clone.6 (gmain.c:3091)
 ==25203==    by 0x90052F1: g_main_loop_run (gmain.c:3299)
 ==25203==    by 0x679AA76: gtk_main (gtkmain.c:1256)
 ==25203==    by 0x435858: main (gtkmain.c:934)
 ==25203==  Address 0x29e031c2 is 34 bytes inside a block of size 112
 free'd
 ==25203==    at 0x4C268FE: free (in /usr/lib/valgrind/vgpreload_memcheck-
 amd64-linux.so)
 ==25203==    by 0x1DB2D7C6: jabber_si_xfer_free (si.c:1357)
 ==25203==    by 0x9319E11: purple_xfer_end (ft.c:1453)
 ==25203==    by 0x931A81A: do_transfer (ft.c:1262)
 ==25203==    by 0x1DB1268C: jabber_ibb_parse (ibb.c:442)
 ==25203==    by 0x1DB1C00A: jabber_process_packet (jabber.c:345)
 ==25203==    by 0x1DB28FA6: jabber_parser_element_end_libxml
 (parser.c:169)
 ==25203==    by 0x6345A92: ??? (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x634C92F: ??? (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x634E0A7: xmlParseChunk (in /usr/lib/libxml2.so.2.7.8)
 ==25203==    by 0x1DB2901C: jabber_parser_process (parser.c:279)
 ==25203==    by 0x1DB17E91: jabber_recv_cb_ssl (jabber.c:659)
 ==25203==    by 0x46E87D: pidgin_io_invoke (gtkeventloop.c:73)
 ==25203==    by 0x90044A2: g_main_context_dispatch (gmain.c:2440)
 ==25203==    by 0x9004C7F: g_main_context_iterate.clone.6 (gmain.c:3091)
 ==25203==    by 0x90052F1: g_main_loop_run (gmain.c:3299)
 ==25203==    by 0x679AA76: gtk_main (gtkmain.c:1256)
 ==25203==    by 0x435858: main (gtkmain.c:934)
 ==25203==
 }}}

--

Comment(by darkrain42):

 Just line-wrapping it (the unlinewrapped version is what was received; and
 this isn't relevant to the use-after-free)

-- 
Ticket URL: <http://developer.pidgin.im/ticket/14430#comment:1>
Pidgin <http://pidgin.im>
Pidgin

More information about the Tracker mailing list