Bug 773699

Summary: cvs has a backtrace when using fuzzed proxy server
Product: Red Hat Enterprise Linux 6 Reporter: Petr Sklenar <psklenar>
Component: cvsAssignee: Petr Pisar <ppisar>
Status: CLOSED DUPLICATE QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2   
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 782344 798701 (view as bug list) Environment:
Last Closed: 2012-02-06 13:58:12 UTC Type: ---

Description Petr Sklenar 2012-01-12 16:16:37 UTC
Description of problem:
cvs crashes with a backtrace when used through a fuzzed proxy server.
A fuzzed proxy server can simulate a poor proxy or bad network infrastructure; the crash is triggered by malformed data that the proxy returns to the client.

Version-Release number of selected component (if applicable):
cvs-1.11.23-11.el6_0.1.i686

How reproducible:
Intermittent; it needs some luck.

Steps to Reproduce:
1. You need the proxyfuzz tool
http://www.secforce.com/media/tools/proxyfuzz.py.txt
and change line 127 so that 0.1% of the bytes are corrupted:
n = int(l*1/1000)

2. echo $CVS_PROXY
http://127.0.0.1:910

3. # start squid on port 911
^ you can set up squid.conf with:

sed -i 's/^http_port.*/http_port 911/' /etc/squid/squid.conf
sed -i 's/.*http_access deny CONNECT.*/#nothing/' /etc/squid/squid.conf

4. python /tmp/proxyfuzz -l 910 -r 127.0.0.1 -p 911 -v -c
# this creates a proxy between port 910 and port 911

5. Set up a basic cvs server, just so that `cvs history` can be used.

6. cvs -d ":pserver:bz538376-26712:redhat.0.1:/var/cvs" history

Actual results:
After 10 attempts of cvs history there is a backtrace.

Expected results:
No backtrace;
there is an error message instead.

Additional info:

# cvs -d ":pserver:bz538376-26712:redhat.0.1:/var/cvs" history
*** glibc detected *** cvs: double free or corruption (out): 0x088a5448 ***
======= Backtrace: =========
/lib/libc.so.6[0x84ba31]
cvs[0x805a324]
cvs[0x805b06f]
cvs[0x806b8cb]
cvs[0x8077f7d]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f3ce6]
cvs[0x804ae11]
======= Memory map: ========
00101000-0014a000 r-xp 00000000 fd:00 310927     /lib/libfreebl3.so
0014a000-0014b000 r--p 00048000 fd:00 310927     /lib/libfreebl3.so
0014b000-0014c000 rw-p 00049000 fd:00 310927     /lib/libfreebl3.so
0014c000-00150000 rw-p 00000000 00:00 0 
00150000-00167000 r-xp 00000000 fd:00 276132     /lib/libpthread-2.12.so
00167000-00168000 r--p 00016000 fd:00 276132     /lib/libpthread-2.12.so
00168000-00169000 rw-p 00017000 fd:00 276132     /lib/libpthread-2.12.so
00169000-0016b000 rw-p 00000000 00:00 0 
0016b000-00177000 r-xp 00000000 fd:00 264749     /lib/libnss_files-2.12.so
00177000-00178000 r--p 0000b000 fd:00 264749     /lib/libnss_files-2.12.so
00178000-00179000 rw-p 0000c000 fd:00 264749     /lib/libnss_files-2.12.so
0019d000-001d9000 r-xp 00000000 fd:00 310949     /lib/libgssapi_krb5.so.2.2
001d9000-001da000 ---p 0003c000 fd:00 310949     /lib/libgssapi_krb5.so.2.2
001da000-001db000 r--p 0003c000 fd:00 310949     /lib/libgssapi_krb5.so.2.2
001db000-001dc000 rw-p 0003d000 fd:00 310949     /lib/libgssapi_krb5.so.2.2
001de000-00207000 r-xp 00000000 fd:00 310946     /lib/libk5crypto.so.3.1
00207000-00208000 ---p 00029000 fd:00 310946     /lib/libk5crypto.so.3.1
00208000-00209000 r--p 00029000 fd:00 310946     /lib/libk5crypto.so.3.1
00209000-0020a000 rw-p 0002a000 fd:00 310946     /lib/libk5crypto.so.3.1
0020c000-00215000 r-xp 00000000 fd:00 310945     /lib/libkrb5support.so.0.1
00215000-00216000 r--p 00008000 fd:00 310945     /lib/libkrb5support.so.0.1
00216000-00217000 rw-p 00009000 fd:00 310945     /lib/libkrb5support.so.0.1
00219000-0021b000 r-xp 00000000 fd:00 310944     /lib/libkeyutils.so.1.3
0021b000-0021c000 r--p 00001000 fd:00 310944     /lib/libkeyutils.so.1.3
0021c000-0021d000 rw-p 00002000 fd:00 310944     /lib/libkeyutils.so.1.3
0021f000-002ee000 r-xp 00000000 fd:00 310948     /lib/libkrb5.so.3.3
002ee000-002f4000 r--p 000ce000 fd:00 310948     /lib/libkrb5.so.3.3
002f4000-002f5000 rw-p 000d4000 fd:00 310948     /lib/libkrb5.so.3.3
007b7000-007d5000 r-xp 00000000 fd:00 310903     /lib/ld-2.12.so
007d5000-007d6000 r--p 0001d000 fd:00 310903     /lib/ld-2.12.so
007d6000-007d7000 rw-p 0001e000 fd:00 310903     /lib/ld-2.12.so
007dd000-00966000 r-xp 00000000 fd:00 310904     /lib/libc-2.12.so
00966000-00967000 ---p 00189000 fd:00 310904     /lib/libc-2.12.so
00967000-00969000 r--p 00189000 fd:00 310904     /lib/libc-2.12.so
00969000-0096a000 rw-p 0018b000 fd:00 310904     /lib/libc-2.12.so
0096a000-0096d000 rw-p 00000000 00:00 0 
0096f000-00972000 r-xp 00000000 fd:00 310911     /lib/libdl-2.12.so
00972000-00973000 r--p 00002000 fd:00 310911     /lib/libdl-2.12.so
00973000-00974000 rw-p 00003000 fd:00 310911     /lib/libdl-2.12.so
0097c000-0097d000 r-xp 00000000 00:00 0          [vdso]
00993000-0099f000 r-xp 00000000 fd:00 310929     /lib/libpam.so.0.82.2
0099f000-009a0000 r--p 0000b000 fd:00 310929     /lib/libpam.so.0.82.2
009a0000-009a1000 rw-p 0000c000 fd:00 310929     /lib/libpam.so.0.82.2
009bf000-009d1000 r-xp 00000000 fd:00 265415     /lib/libz.so.1.2.3
009d1000-009d2000 r--p 00011000 fd:00 265415     /lib/libz.so.1.2.3
009d2000-009d3000 rw-p 00012000 fd:00 265415     /lib/libz.so.1.2.3
00a65000-00a7c000 r-xp 00000000 fd:00 268533     /lib/libnsl-2.12.so
00a7c000-00a7d000 r--p 00016000 fd:00 268533     /lib/libnsl-2.12.so
00a7d000-00a7e000 rw-p 00017000 fd:00 268533     /lib/libnsl-2.12.so
00a7e000-00a80000 rw-p 00000000 00:00 0 
00acb000-00ae8000 r-xp 00000000 fd:00 277417     /lib/libselinux.so.1
00ae8000-00ae9000 r--p 0001c000 fd:00 277417     /lib/libselinux.so.1
00ae9000-00aea000 rw-p 0001d000 fd:00 277417     /lib/libselinux.so.1
00aec000-00b09000 r-xp 00000000 fd:00 271325     /lib/libgcc_s-4.4.6-20110824.so.1
00b09000-00b0a000 rw-p 0001d000 fd:00 271325     /lib/libgcc_s-4.4.6-20110824.so.1
00b17000-00b2d000 r-xp 00000000 fd:00 307876     /lib/libaudit.so.1.0.0
00b2d000-00b2e000 r--p 00015000 fd:00 307876     /lib/libaudit.so.1.0.0
00b2e000-00b2f000 rw-p 00016000 fd:00 307876     /lib/libaudit.so.1.0.0
00bfb000-00c10000 r-xp 00000000 fd:00 279669     /lib/libresolv-2.12.so
00c10000-00c11000 ---p 00015000 fd:00 279669     /lib/libresolv-2.12.so
00c11000-00c12000 r--p 00015000 fd:00 279669     /lib/libresolv-2.12.so
00c12000-00c13000 rw-p 00016000 fd:00 279669     /lib/libresolv-2.12.so
00c13000-00c15000 rw-p 00000000 00:00 0 
00d6a000-00d6d000 r-xp 00000000 fd:00 310947     /lib/libcom_err.so.2.1
00d6d000-00d6e000 r--p 00002000 fd:00 310947     /lib/libcom_err.so.2.1
00d6e000-00d6f000 rw-p 00003000 fd:00 310947     /lib/libcom_err.so.2.1
00d71000-00d78000 r-xp 00000000 fd:00 310928     /lib/libcrypt-2.12.so
00d78000-00d79000 r--p 00007000 fd:00 310928     /lib/libcrypt-2.12.so
00d79000-00d7a000 rw-p 00008000 fd:00 310928     /lib/libcrypt-2.12.so
00d7a000-00da1000 rw-p 00000000 00:00 0 
08047000-080e1000 r-xp 00000000 fd:00 266753     /usr/bin/cvs
080e1000-080e3000 rw-p 00099000 fd:00 266753     /usr/bin/cvs
080e3000-080e4000 rw-p 00000000 00:00 0 
088a0000-088c1000 rw-p 00000000 00:00 0          [heap]
b7834000-b7839000 rw-p 00000000 00:00 0 
b7842000-b7846000 rw-p 00000000 00:00 0 
bfe8e000-bfea3000 rw-p 00000000 00:00 0          [stack]
cvs [history aborted]: received abort signal
--------------------------------------------------------------


=============================
= this is TCP communication =
=============================

#
Client ------> server
#
'CONNECT 127.0.0.1:2401 HTTP/1.0\r\n\r\n'
#
Server ------> Client
#
'HTTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP/1.0 200 Connection established\r\n\r\n'

Comment 2 Petr Pisar 2012-01-13 14:24:30 UTC
The invalid free is called from frame #5 (proxy_connect, while handling the proxy's CONNECT response):

#5  0x0805a324 in proxy_connect (root=0x80e7b98, to_server_p=0x80e2ba4, from_server_p=0x80e2ba8, verify_only=0, do_gssapi=0) at client.c:3886
        read_buf = 0x80e9420 'A' <repeats 189 times>, "1.0"
        codenum = 200
        write_buf = 0x80e92d8 "HTTP/", 'A' <repeats 195 times>...
        len = <value optimized out>
#6  connect_to_pserver (root=0x80e7b98, to_server_p=0x80e2ba4, from_server_p=0x80e2ba8, verify_only=0, do_gssapi=0) at client.c:3828
        sock = <value optimized out>
        port_number = 2401
        gerr = <value optimized out>
        hints = {ai_flags = 0, ai_family = 0, ai_socktype = 1, ai_protocol = 0, ai_addrlen = 0, ai_addr = 0x0, ai_canonname = 0x0, ai_next = 0x0}
        res = <value optimized out>
        res0 = 0x80e8fd0
        pbuf = "910\000|A\016\bh\177\016\b\350\354\377\277\362\246\200\000j\177\016\b\274\331\v\b\f\000\000"
        local_to_server = 0x80e8738
        local_from_server = 0x80e8778
        p_hostname = 0x80e7c38 "127.0.0.1"
#7  0x0805b06f in start_server () at client.c:4455
        rootless = <value optimized out>
        log = 0x0
#8  0x0806b8cb in history (argc=0, argv=0xbfffef54) at history.c:562
        f1 = <value optimized out>
        mod = <value optimized out>
        i = <value optimized out>
        c = <value optimized out>
        fname = <value optimized out>
#9  0x08077f7d in main (argc=1, argv=0xbfffef50) at main.c:990
        CVSroot_parsed = <value optimized out>
        cvsroot_update_env = 1
        cp = <value optimized out>
        end = 0x968ff4 "|\215\226"
        cm = <value optimized out>
        c = <value optimized out>
        err = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        tmpdir_update_env = 47
        free_Editor = 0
        free_Tmpdir = 0
        help = 0
        short_options = "+46Qqrwtnvb:T:e:d:Hfz:s:xa"
        long_options = {{name = 0x80c4a17 "help", has_arg = 0, flag = 0x0, val = 72}, {name = 0x80c4a09 "version", has_arg = 0, flag = 0x0, val = 118}, {
            name = 0x80c4a1c "help-commands", has_arg = 0, flag = 0x0, val = 1}, {name = 0x80c4a2a "help-synonyms", has_arg = 0, flag = 0x0, val = 2}, {
            name = 0x80c4a38 "help-options", has_arg = 0, flag = 0x0, val = 4}, {name = 0x80c4a45 "allow-root", has_arg = 1, flag = 0x0, val = 3}, {name = 0x0, has_arg = 0, 
            flag = 0x0, val = 0}}
        option_index = 0
        __PRETTY_FUNCTION__ = "main"

Comment 4 Tomas Hoger 2012-02-06 13:58:12 UTC

*** This bug has been marked as a duplicate of bug 784338 ***