Description of problem:
If you play freeciv long enough, an autosave will eventually fail a FORTIFY check and cause the server to die with the autosave file only partially written. Glibc says:

*** buffer overflow detected ***: civserver terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x4b7b58]
/lib/libc.so.6[0x4b6200]
civserver[0x8091ab1]
civserver[0x8093cc7]
civserver[0x80510b2]
civserver[0x8051341]
civserver[0x805200b]
civserver[0x805317e]
civserver[0x804a8ad]
/lib/libc.so.6(__libc_start_main+0xe0)[0x3e4390]
civserver(rl_filename_completion_function+0x339)[0x804a281]
======= Memory map: ========

2: lost connection to server

With gdb, I was able to determine that the dying address corresponds to the memcpy on line 3366 of server/savegame.c.

Version-Release number of selected component (if applicable):
freeciv-2.1.0-1.fc8

How reproducible:
Always, if I play long enough. It can take a couple of hours of playing to trigger the bug.

Steps to Reproduce:
1. Play freeciv for a couple of hours

Actual results:
An autosave triggers a FORTIFY failure, causing the server to shut down.

Expected results:
The autosave should succeed.

Additional info:
I see the problem. The part array, declared at line 3342, has size PART_SIZE + 1. The variable bytes_adjust, declared at line 3339, is set to bytes_at_colon % 3; i.e., its value is 0, 1, or 2. The variable size_of_current_part, declared at line 3363, is PART_SIZE + bytes_adjust; i.e., it is at most PART_SIZE + 2. But then the offending memcpy copies size_of_current_part bytes into part, possibly overflowing it by one byte. The fix is to declare part as having size PART_SIZE + 2.
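The off-by-one described in the comment above, modelled as an added example (this is not freeciv's savegame.c and not the reporter's patch). It keeps the report's names (PART_SIZE, bytes_adjust, size_of_current_part, part) but uses a small PART_SIZE and constructed sample data; overrun_bytes() shows the one-byte overrun the old declaration allows, and copy_part() is a bounds-checked stand-in for the bare memcpy.

```c
#include <stdio.h>
#include <string.h>

#define PART_SIZE 6                     /* smaller than freeciv's, for illustration */
#define PART_CAP_BEFORE (PART_SIZE + 1) /* declaration the report found at line 3342 */
#define PART_CAP_AFTER  (PART_SIZE + 2) /* declaration proposed as the fix */

/* The arithmetic the report walks through: bytes_adjust is 0, 1 or 2,
 * so the chunk can be two bytes longer than PART_SIZE. */
size_t size_of_current_part(size_t bytes_at_colon)
{
    size_t bytes_adjust = bytes_at_colon % 3;
    return PART_SIZE + bytes_adjust;
}

/* Bytes an unchecked memcpy of that chunk would write past a buffer of
 * part_cap bytes; 0 when it fits. With PART_CAP_BEFORE the worst case
 * is 1, which is the byte the FORTIFY check aborted on. */
size_t overrun_bytes(size_t bytes_at_colon, size_t part_cap)
{
    size_t n = size_of_current_part(bytes_at_colon);
    return n > part_cap ? n - part_cap : 0;
}

/* Bounds-checked replacement for the bare memcpy: refuses the copy
 * instead of overrunning. Returns 0 on success, -1 if n > part_cap. */
int copy_part(char *part, size_t part_cap, const char *src, size_t n)
{
    if (n > part_cap) {
        return -1;
    }
    memcpy(part, src, n);
    return 0;
}

/* Drives copy_part with the old (fixed == 0) or the corrected buffer size. */
int try_copy(size_t bytes_at_colon, int fixed)
{
    const char src[] = "ABCDEFGHIJ";   /* constructed chunk, longer than any case */
    char part[PART_CAP_AFTER];          /* large enough for either capacity */
    size_t cap = fixed ? PART_CAP_AFTER : PART_CAP_BEFORE;
    return copy_part(part, cap, src, size_of_current_part(bytes_at_colon));
}

int main(void)
{
    for (size_t b = 0; b < 3; b++) {
        printf("bytes_adjust %zu: overrun before fix %zu, after fix %zu\n",
               b, overrun_bytes(b, PART_CAP_BEFORE), overrun_bytes(b, PART_CAP_AFTER));
    }
    return 0;
}
```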
I have now filed this bug upstream (#39898), and supplied them with a patch. See the bug URL.
freeciv-2.1.0-2.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update freeciv'
freeciv-2.1.1-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update freeciv'
freeciv-2.1.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.