Re: Crash in sftp_readdir (git) - SOLVED
- Subject: Re: Crash in sftp_readdir (git) - SOLVED
- From: Vic Lee <llyzs@xxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Sun, 11 Oct 2009 14:48:28 +0800
- To: libssh@xxxxxxxxxx
Hi,

Oh, after checking all mallocs it turned out to be an easy fix. :)

Please see the patch.

Vic

On Sun, 2009-10-11 at 14:09 +0800, Vic Lee wrote:
> Hi,
>
> Actually samplessh also crashes with the same behavior. Please see my
> session:
>
> vic@vic-eeepc:~/git/libssh/build$
> vic@vic-eeepc:~/git/libssh/build$ ln -s ./samplessh ./sftp
> vic@vic-eeepc:~/git/libssh/build$ ./sftp -l "Vic Lee" -r 192.168.0.1
> supported auth methods: publickey, keyboard-interactive
> Additional SFTP extensions provided by the server:
> posix-rename@xxxxxxxxxxx, version: 1
> statvfs@xxxxxxxxxxx, version: 2
> fstatvfs@xxxxxxxxxxx, version: 2
> *** glibc detected *** ./sftp: free(): invalid next size (fast): 0x08594690 ***
> ======= Backtrace: =========
> /lib/i686/cmov/libc.so.6[0xb7e678f4]
> /lib/i686/cmov/libc.so.6(cfree+0x96)[0xb7e69896]
> /home/vic/git/libssh/build/libssh/libssh.so.4[0xb8060456]
> /home/vic/git/libssh/build/libssh/libssh.so.4(sftp_symlink+0x2d9)[0xb80640e3]
> ./sftp(do_sftp+0x1b5)[0x804ad43]
> ./sftp(main+0x7cc)[0x804c18e]
> /lib/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e0f7a5]
> ./sftp[0x8049ff1]
> ======= Memory map: ========
> Aborted
> vic@vic-eeepc:~/git/libssh/build$
>
> Thanks,
> Vic
>
> On Sun, 2009-10-11 at 08:03 +0800, Vic Lee wrote:
> > Hi,
> >
> > I encountered a permanent crash when calling sftp_readdir with the latest
> > git version. I am not quite sure how to fix it this time. This is what I
> > got in gdb, please help:
> >
> > #0  0xb8080424 in __kernel_vsyscall ()
> > (gdb) up
> > #1  0xb75a23d0 in *__GI_raise (sig=6)
> >     at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> > 64  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> >     in ../nptl/sysdeps/unix/sysv/linux/raise.c
> > (gdb)
> > #2  0xb75a5a85 in *__GI_abort () at abort.c:88
> > 88  abort.c: No such file or directory.
> >     in abort.c
> > (gdb)
> > #3  0xb75db2ed in __libc_message (do_abort=2,
> >     fmt=0xb76b8328 "*** glibc detected *** %s: %s: 0x%s ***\n")
> >     at ../sysdeps/unix/sysv/linux/libc_fatal.c:173
> > 173 ../sysdeps/unix/sysv/linux/libc_fatal.c: No such file or directory.
> >     in ../sysdeps/unix/sysv/linux/libc_fatal.c
> > (gdb)
> > #4  0xb75e58f4 in malloc_printerr (action=2,
> >     str=0xb76b8374 "free(): invalid next size (fast)", ptr=0x853c9c8)
> >     at malloc.c:5994
> > 5994 malloc.c: No such file or directory.
> >     in malloc.c
> > (gdb)
> > #5  0xb75e7896 in *__GI___libc_free (mem=0x853c9c8) at malloc.c:3625
> > 3625 in malloc.c
> > (gdb)
> > #6  0xb773f456 in status_msg_free (status=0x853c9c8)
> >     at /home/vic/git/libssh/libssh/sftp.c:774
> > 774  SAFE_FREE(status);
> > (gdb)
> > #7  0xb7740738 in sftp_readdir (sftp=0x8520b28, dir=0x8527990)
> >     at /home/vic/git/libssh/libssh/sftp.c:1323
> > 1323  status_msg_free(status);
> > (gdb)
> > #8  0x08075388 in remmina_sftp_window_on_opendir (window=0x8548820,
> >     dir=0x807b1b6 ".", data=0x0) at remminasftpwindow.c:598
> > 598  while ((sftpattr = sftp_readdir (window->sftp->sftp_sess,
> >     sftpdir)))
> > (gdb)
> >
> > Vic
From c10f834b94f32ed10aa7eb86ce0f31b3c79208fc Mon Sep 17 00:00:00 2001 From: Vic Lee <llyzs@xxxxxxx> Date: Sun, 11 Oct 2009 14:44:40 +0800 Subject: [PATCH] Fix a memory corruption in parse_status_msg Signed-off-by: Vic Lee <llyzs@xxxxxxx> --- libssh/sftp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/libssh/sftp.c b/libssh/sftp.c index cdeb9e2..46bcce3 100644 --- a/libssh/sftp.c +++ b/libssh/sftp.c @@ -733,7 +733,7 @@ static sftp_status_message parse_status_msg(sftp_message msg){ return NULL; } - status = malloc(sizeof(struct sftp_message_struct)); + status = malloc(sizeof(struct sftp_status_message_struct)); if (status == NULL) { return NULL; } -- 1.6.3.3
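Review bot: the one-line change is the right fix, but the root cause it exposes is a sizeof argument that can drift from the pointer's type: `status` is a `sftp_status_message_struct`, yet the old `malloc(sizeof(struct sftp_message_struct))` handed it a chunk sized for the smaller generic message, so filling the trailing status fields overran into the next heap chunk and glibc only caught it at `free()` in `status_msg_free` (the `free(): invalid next size (fast)` abort in the backtrace above). Prefer sizing from the pointer itself, `status = malloc(sizeof(*status));`, so the type and the allocation cannot disagree again, and consider `calloc(1, sizeof(*status))` if `parse_status_msg` has early-return paths that free a partially filled struct; it is also worth grepping sftp.c for other `malloc(sizeof(struct ...))` calls whose pointer type differs from the sizeof argument.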
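As an added example (not code from this thread or from libssh), the allocation mistake behind the crash beside its hardened form: the two struct layouts are constructed assumptions, `status_alloc_shortfall` shows by how much the original `malloc` under-sized the chunk, and `status_msg_new` ties the allocation size to the pointer's own type with `sizeof(*status)`.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the two structs named in the patch; the
 * field layouts are assumptions for illustration, not libssh's own. */
struct sftp_message_struct {
    unsigned char packet_type;
    unsigned int id;
    void *payload;
};

struct sftp_status_message_struct {
    unsigned int id;
    unsigned int status;
    char *error;  /* heap-owned, released by status_msg_free() */
    char *lang;
};

/* Bytes the buggy malloc(sizeof(struct sftp_message_struct)) came up
 * short for a status message; positive means the trailing fields were
 * written into the next heap chunk ("free(): invalid next size"). */
long status_alloc_shortfall(void) {
    return (long)sizeof(struct sftp_status_message_struct)
         - (long)sizeof(struct sftp_message_struct);
}

/* Hardened allocation: sizeof(*status) cannot drift away from the type
 * being filled, and calloc leaves a half-built struct safe to free. */
struct sftp_status_message_struct *
status_msg_new(unsigned int id, unsigned int code, const char *error) {
    struct sftp_status_message_struct *status = calloc(1, sizeof(*status));
    if (status == NULL) return NULL;
    status->id = id;
    status->status = code;
    if (error != NULL) {
        size_t n = strlen(error) + 1;
        status->error = malloc(n);
        if (status->error == NULL) { free(status); return NULL; }
        memcpy(status->error, error, n);
    }
    return status;
}

/* Frees the members first, then the struct; NULL is a no-op. */
void status_msg_free(struct sftp_status_message_struct *status) {
    if (status == NULL) return;
    free(status->error);
    free(status->lang);
    free(status);
}
```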