Opened 8 years ago

Last modified 6 years ago

#14430 new defect

IBB receiver reads struct after free (at completion of transfer)

Reported by: darkrain42 Owned by: malu
Milestone: Component: XMPP
Version: 2.9.0 Keywords:
Cc:

Description (last modified by darkrain42)

While trying to reproduce another file transfer situation, I ran across this in valgrind.

(22:40:44) jabber: Recv (ssl)(1397): <iq id='purple267a717a' type='set' to='me' from='my friend'>
<data xmlns='http://jabber.org/protocol/ibb' seq='1' sid='purple267a7176'>
FTFfsOWgeAtyoZlOJ5pKHnKMsmU0lVYg8Kfq31U6qgKFhJQ[... base64 payload elided ...]</data></iq>
(22:40:44) jabber: got 908 bytes of data on IBB stream
(22:40:44) jabber: calling IBB callback for received data
(22:40:44) jabber: about to write 908 bytes from IBB stream
(22:40:44) xfer: Prpl (and UI) ready on ft 0x219548f0, so proceeding
(22:40:44) jabber: jabber_si_xfer_free: destroying IBB session
(22:40:44) jabber: IBB: destroying session 0x29e031a0 purple267a7176
(22:40:44) jabber: Sending (ssl) (me): <iq type='set' id='purpleafaa4128' to='my friend'><close xmlns='http://jabber.org/protocol/ibb' sid='purple267a7176'/></iq>
(22:40:44) jabber: jabber_si_xfer_free(): freeing jsx 0x21934360
==25203== Invalid read of size 2
==25203==    at 0x1DB12695: jabber_ibb_parse (ibb.c:455)
==25203==    by 0x1DB1C00A: jabber_process_packet (jabber.c:345)
==25203==    by 0x1DB28FA6: jabber_parser_element_end_libxml (parser.c:169)
==25203==    by 0x6345A92: ??? (in /usr/lib/libxml2.so.2.7.8)
==25203==    by 0x634C92F: ??? (in /usr/lib/libxml2.so.2.7.8)
==25203==    by 0x634E0A7: xmlParseChunk (in /usr/lib/libxml2.so.2.7.8)
==25203==    by 0x1DB2901C: jabber_parser_process (parser.c:279)
==25203==    by 0x1DB17E91: jabber_recv_cb_ssl (jabber.c:659)
==25203==    by 0x46E87D: pidgin_io_invoke (gtkeventloop.c:73)
==25203==    by 0x90044A2: g_main_context_dispatch (gmain.c:2440)
==25203==    by 0x9004C7F: g_main_context_iterate.clone.6 (gmain.c:3091)
==25203==    by 0x90052F1: g_main_loop_run (gmain.c:3299)
==25203==    by 0x679AA76: gtk_main (gtkmain.c:1256)
==25203==    by 0x435858: main (gtkmain.c:934)
==25203==  Address 0x29e031c2 is 34 bytes inside a block of size 112 free'd
==25203==    at 0x4C268FE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25203==    by 0x1DB2D7C6: jabber_si_xfer_free (si.c:1357)
==25203==    by 0x9319E11: purple_xfer_end (ft.c:1453)
==25203==    by 0x931A81A: do_transfer (ft.c:1262)
==25203==    by 0x1DB1268C: jabber_ibb_parse (ibb.c:442)
==25203==    by 0x1DB1C00A: jabber_process_packet (jabber.c:345)
==25203==    by 0x1DB28FA6: jabber_parser_element_end_libxml (parser.c:169)
==25203==    by 0x6345A92: ??? (in /usr/lib/libxml2.so.2.7.8)
==25203==    by 0x634C92F: ??? (in /usr/lib/libxml2.so.2.7.8)
==25203==    by 0x634E0A7: xmlParseChunk (in /usr/lib/libxml2.so.2.7.8)
==25203==    by 0x1DB2901C: jabber_parser_process (parser.c:279)
==25203==    by 0x1DB17E91: jabber_recv_cb_ssl (jabber.c:659)
==25203==    by 0x46E87D: pidgin_io_invoke (gtkeventloop.c:73)
==25203==    by 0x90044A2: g_main_context_dispatch (gmain.c:2440)
==25203==    by 0x9004C7F: g_main_context_iterate.clone.6 (gmain.c:3091)
==25203==    by 0x90052F1: g_main_loop_run (gmain.c:3299)
==25203==    by 0x679AA76: gtk_main (gtkmain.c:1256)
==25203==    by 0x435858: main (gtkmain.c:934)
==25203== 

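Added example (not libpurple's code and not a patch for this ticket): a minimal C model of what the two stack traces above show, a <data/> dispatcher that hands a chunk to a callback, the callback ending the transfer and freeing the session, and the dispatcher then touching the pointer it still holds. Because the peer chooses when the completing chunk arrives, the freed-struct access is reached from remote input. All names here (ibb_session, ibb_dispatch_unsafe, ibb_dispatch_safe, the session table) are invented for the illustration; the struct layout is a guess, with a 2-byte seq field only because the trace reports an invalid read of size 2. The hardened dispatcher re-resolves the session by sid after the callback returns and stops if it is gone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SESSIONS 4

typedef struct ibb_session ibb_session;
/* Callback that consumes one <data/> chunk (the "IBB callback for received
 * data" in the log).  It is allowed to end the transfer. */
typedef void (*ibb_data_cb)(ibb_session *sess, const char *data, size_t len);

struct ibb_session {                 /* hypothetical layout, not libpurple's */
    char sid[32];                    /* stream id from <data sid='...'/> */
    unsigned short seq;              /* next expected seq; a 2-byte field */
    size_t received;
    size_t expected;                 /* total bytes announced for the transfer */
    ibb_data_cb on_data;
};

/* Session table keyed by sid; stands in for the prpl's per-connection lookup. */
static ibb_session *sessions[MAX_SESSIONS];

ibb_session *ibb_session_create(const char *sid, size_t expected, ibb_data_cb cb)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i] == NULL) {
            ibb_session *s = calloc(1, sizeof *s);
            if (s == NULL)
                return NULL;
            strncpy(s->sid, sid, sizeof s->sid - 1);
            s->expected = expected;
            s->on_data = cb;
            sessions[i] = s;
            return s;
        }
    }
    return NULL;
}

ibb_session *ibb_session_find(const char *sid)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i] != NULL && strcmp(sessions[i]->sid, sid) == 0)
            return sessions[i];
    return NULL;
}

/* Unregisters and frees the session; every pointer to it is now dangling. */
void ibb_session_destroy(ibb_session *s)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i] == s)
            sessions[i] = NULL;
    free(s);
}

/* Receiver-side callback: when the last byte lands the transfer ends and the
 * session is torn down from inside the callback, the way purple_xfer_end ->
 * jabber_si_xfer_free tears it down in the trace. */
void on_data_completes_transfer(ibb_session *sess, const char *data, size_t len)
{
    (void)data;
    sess->received += len;
    if (sess->received >= sess->expected)
        ibb_session_destroy(sess);
}

/* BUGGY dispatcher: trusts `sess` to outlive the callback.  If the chunk
 * completes the transfer, `sess->seq++` touches freed memory (valgrind:
 * "Invalid ... inside a block ... free'd").  Kept only to demonstrate. */
int ibb_dispatch_unsafe(const char *sid, unsigned short seq, const char *data, size_t len)
{
    ibb_session *sess = ibb_session_find(sid);
    if (sess == NULL || seq != sess->seq)
        return -1;
    sess->on_data(sess, data, len);
    sess->seq++;                     /* use-after-free if the callback freed sess */
    return 0;
}

/* HARDENED dispatcher: treat the pointer as invalid once control has left this
 * function.  Re-resolve by sid after the callback; if the session is gone the
 * transfer completed and there is nothing left to update. */
int ibb_dispatch_safe(const char *sid, unsigned short seq, const char *data, size_t len)
{
    ibb_session *sess = ibb_session_find(sid);
    if (sess == NULL || seq != sess->seq)
        return -1;
    sess->on_data(sess, data, len);
    sess = ibb_session_find(sid);    /* NULL if the callback destroyed it */
    if (sess == NULL)
        return 1;                    /* transfer finished; session already freed */
    sess->seq++;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed input: a 10-byte transfer delivered as two 5-byte chunks,
     * using the sid from the ticket's log. */
    int (*dispatch)(const char *, unsigned short, const char *, size_t) =
        (argc > 1 && strcmp(argv[1], "--unsafe") == 0) ? ibb_dispatch_unsafe
                                                         : ibb_dispatch_safe;
    ibb_session_create("purple267a7176", 10, on_data_completes_transfer);
    printf("chunk 1 -> %d\n", dispatch("purple267a7176", 0, "01234", 5));
    printf("chunk 2 -> %d\n", dispatch("purple267a7176", 1, "56789", 5));
    printf("session after transfer: %s\n",
           ibb_session_find("purple267a7176") ? "alive" : "freed");
    return 0;
}
```

Build with -g -fsanitize=address (or run under valgrind) and pass --unsafe to get the same class of report as the trace above on the second chunk; without the flag the safe path returns 1 for the completing chunk and the session lookup reports it freed. Re-lookup by sid is the minimal fix and is not robust if a callback can destroy a session and immediately create a new one under the same sid; holding a reference across the callback, or a "closing" flag checked before the struct is touched, is the sturdier design.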
Change History (2)

comment:1 Changed 8 years ago by darkrain42

  • Description modified

Just line-wrapping it (the unlinewrapped version is what was received; and this isn't relevant to the use-after-free)

comment:2 Changed 6 years ago by tomkiewicz

Looks like a duplicate of #14386.
