Ticket #139 (closed defect: fixed)

Opened 13 months ago

Last modified 13 months ago

c2s gsasl mio crash

Reported by: tofu Owned by: smoku
Priority: major Component: c2s
Version: 2.1.14 Keywords:
Cc: Tracforge_linkmap:
Blocking: Blocked By:

Description

Another c2s crash.

Core was generated by `/home/chesspark/production/bin/c2s -c /home/chesspark/production/etc/jabberd/c2'.
Program terminated with signal 11, Segmentation fault.
#0  gsasl_step (sctx=0x0, 
    input=0x844c048 "username=\"rajat_thegamer\",realm=\"chesspark.com\",nonce=\"U5hbvJ8ENHRkfCnCewlrJA==\",cnonce=\"d41d8cd98f00b204e9800998ecf8427e\",nc=\"00000001\",qop=\"auth\",digest-uri=\"xmpp/chesspark.com\",response=\"6aa651acf9"..., input_len=239, output=0xffac5344, output_len=0xffac5338) at xstep.c:57
57        if (sctx->clientp)
(gdb) backtrace
#0  gsasl_step (sctx=0x0, 
    input=0x844c048 "username=\"rajat_thegamer\",realm=\"chesspark.com\",nonce=\"U5hbvJ8ENHRkfCnCewlrJA==\",cnonce=\"d41d8cd98f00b204e9800998ecf8427e\",nc=\"00000001\",qop=\"auth\",digest-uri=\"xmpp/chesspark.com\",response=\"6aa651acf9"..., input_len=239, output=0xffac5344, output_len=0xffac5338) at xstep.c:57
#1  0x0805a5da in _sx_sasl_client_process (s=0x810fd08, p=0x80889e0, sd=0x0, mech=0x0, 
    in=0x82b44b0 "dXNlcm5hbWU9InJhamF0X3RoZWdhbWVyIixyZWFsbT0iY2hlc3NwYXJrLmNvbSIsbm9uY2U9IlU1aGJ2SjhFTkhSa2ZDbkNld2xySkE9PSIsY25vbmNlPSJkNDFkOGNkOThmMDBiMjA0ZTk4MDA5OThlY2Y4NDI3ZSIsbmM9IjAwMDAwMDAxIixxb3A9ImF1dGgiLGRp"..., inlen=320) at sasl_gsasl.c:353
#2  0x0805b028 in _sx_sasl_process (s=0x810fd08, p=0x80889e0, nad=0x83b7468) at sasl_gsasl.c:504
#3  0x08055e9f in _sx_process_read (s=0x810fd08, buf=0x83175f8) at io.c:125
#4  0x080563b6 in sx_can_read (s=0x810fd08) at io.c:218
#5  0x08050c65 in _c2s_client_mio_callback (m=0x8088ef8, a=action_READ, fd=0x8159660, data=0x0, arg=0x80f58f0) at c2s.c:436
#6  0x0805c7d1 in _mio_run (m=0x8088ef8, timeout=5) at mio_impl.h:256
#7  0x08053225 in main (argc=134658740, argv=0xf7ff24f8) at main.c:645


Change History

Changed 13 months ago by jack

Note that looking through the stack frame for #2, s and p are both fine. p->index is 0, but s->plugin_data[0] is NULL. It appears that somewhere along the way the plugin_data never got set.

Changed 13 months ago by smoku

  • status changed from new to assigned

I think it may happen, if the <response> packet is sent before the <auth> packet was sent. We need to check for that NULL session descriptor.
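An added illustration of the check smoku describes, not jabberd2's or GNU SASL's own code: the stream keeps its SASL session descriptor in plugin_data[0], which stays NULL until <auth/> has been processed, so a <response/> that arrives first must be answered with a failure instead of being handed to gsasl_step(). The struct names, field names and the sasl_step() stand-in are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the per-stream plugin data and the gsasl session
 * descriptor (the "sd" that was NULL in frame #1); not the project's structs. */
typedef struct { int steps; } sasl_sd_t;
typedef struct {
    sasl_sd_t *plugin_data[1];   /* s->plugin_data[0]: NULL until <auth/> was seen */
    int failures;                /* <failure/> stanzas the handler would write */
} sx_t;

enum { SASL_OK = 0, SASL_NEEDS_MORE = 1, SASL_ERR_MALFORMED_REQUEST = -1 };

/* Stand-in for gsasl_step(): it dereferences the descriptor unconditionally,
 * which is why sd == NULL crashed at xstep.c:57. */
static int sasl_step(sasl_sd_t *sd, const char *in) {
    sd->steps++;
    return (in != NULL && in[0] != '\0') ? SASL_OK : SASL_NEEDS_MORE;
}

/* <auth/>: allocate the session descriptor; a second <auth/> is malformed. */
int sasl_handle_auth(sx_t *s) {
    if (s->plugin_data[0] != NULL) { s->failures++; return SASL_ERR_MALFORMED_REQUEST; }
    s->plugin_data[0] = calloc(1, sizeof(sasl_sd_t));
    return s->plugin_data[0] ? SASL_NEEDS_MORE : SASL_ERR_MALFORMED_REQUEST;
}

/* <response/>: the NULL-descriptor guard runs before gsasl_step() is reached. */
int sasl_handle_response(sx_t *s, const char *in) {
    sasl_sd_t *sd = s->plugin_data[0];
    if (sd == NULL) {                 /* <response/> before <auth/>: reject, do not step */
        s->failures++;
        return SASL_ERR_MALFORMED_REQUEST;
    }
    int ret = sasl_step(sd, in);
    if (ret == SASL_OK) { free(sd); s->plugin_data[0] = NULL; }  /* negotiation done */
    return ret;
}

/* Drive one stream through a stanza sequence ('a' = <auth/>, 'r' = <response/>)
 * and return the last handler result; *failures counts rejected stanzas. */
int sasl_run(const char *stanzas, int *failures) {
    sx_t s = { { NULL }, 0 };
    int ret = SASL_NEEDS_MORE;
    for (const char *p = stanzas; *p; p++)
        ret = (*p == 'a') ? sasl_handle_auth(&s) : sasl_handle_response(&s, "base64-blob");
    free(s.plugin_data[0]);
    *failures = s.failures;
    return ret;
}
```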

Changed 13 months ago by smoku

  • status changed from assigned to closed
  • resolution set to fixed

(In [356]) Check for SASL <response/> before <auth/> - fixes #139

Changed 13 months ago by smoku

(In [357]) Check for SASL <response/> before <auth/> - fixes #139

Changed 13 months ago by tofu

In change 356 in sasl_gsasl.c you take out line 354. I am curious why you did that? It seems gsasl_step can still fail or return something we do not want it to. Is this not the case?

Changed 13 months ago by smoku

Could you be more specific? What line are you talking about and how is gsasl_step() failing?

Changed 13 months ago by tofu

I have not gotten it to fail, which is great! In sasl_gsasl.c you removed the following at line 354.

354        if(ret != GSASL_OK && ret != GSASL_NEEDS_MORE) {
355            _sx_debug(ZONE, "gsasl_step failed, no sasl for this conn; (%d): %s", ret, gsasl_strerror(ret));
356            _sx_nad_write(s, _sx_sasl_failure(s, _sasl_err_MALFORMED_REQUEST), 0);
357            if(out != NULL) free(out);
358            if(buf != NULL) free(buf);
359            return;
360        }

I was just wondering why, and wouldn't it create problems if gsasl_step did fail?

Changed 13 months ago by smoku

It will skip the following two if()s and fail exactly the same way then, so the block is unneeded.
