Description of problem: cvs crashes with a backtrace when used through a fuzzed proxy server. A fuzzed proxy server can simulate a poor proxy or bad network infrastructure. Version-Release number of selected component (if applicable): cvs-1.11.23-11.el6_0.1.i686 How reproducible: it needs some luck Steps to Reproduce: 1. you need to have the proxyfuzz tool http://www.secforce.com/media/tools/proxyfuzz.py.txt and change line 127 to 0.1% of buggy bytes: n = int(l*1/1000) 2. echo $CVS_PROXY http://127.0.0.1:910 3. # start squid on port 911 ^ you can set up squid.conf by: sed -i 's/^http_port.*/http_port 911/' /etc/squid/squid.conf sed -i 's/.*http_access deny CONNECT.*/#nothing/' /etc/squid/squid.conf 4. python /tmp/proxyfuzz -l 910 -r 127.0.0.1 -p 911 -v -c # it will create a proxy between port 910 and 911 5. set up a basic cvs server just to be able to use: cvs history 6. cvs -d ":pserver:bz538376-26712:redhat.0.1:/var/cvs" history Actual results: after 10 attempts of cvs history there is a backtrace Expected results: no backtrace; there is an error message instead Additional info: # cvs -d ":pserver:bz538376-26712:redhat.0.1:/var/cvs" history *** glibc detected *** cvs: double free or corruption (out): 0x088a5448 *** ======= Backtrace: ========= /lib/libc.so.6[0x84ba31] cvs[0x805a324] cvs[0x805b06f] cvs[0x806b8cb] cvs[0x8077f7d] /lib/libc.so.6(__libc_start_main+0xe6)[0x7f3ce6] cvs[0x804ae11] ======= Memory map: ======== 00101000-0014a000 r-xp 00000000 fd:00 310927 /lib/libfreebl3.so 0014a000-0014b000 r--p 00048000 fd:00 310927 /lib/libfreebl3.so 0014b000-0014c000 rw-p 00049000 fd:00 310927 /lib/libfreebl3.so 0014c000-00150000 rw-p 00000000 00:00 0 00150000-00167000 r-xp 00000000 fd:00 276132 /lib/libpthread-2.12.so 00167000-00168000 r--p 00016000 fd:00 276132 /lib/libpthread-2.12.so 00168000-00169000 rw-p 00017000 fd:00 276132 /lib/libpthread-2.12.so 00169000-0016b000 rw-p 00000000 00:00 0 0016b000-00177000 r-xp 00000000 fd:00 264749 /lib/libnss_files-2.12.so 00177000-00178000 r--p 0000b000 fd:00 264749 
/lib/libnss_files-2.12.so 00178000-00179000 rw-p 0000c000 fd:00 264749 /lib/libnss_files-2.12.so 0019d000-001d9000 r-xp 00000000 fd:00 310949 /lib/libgssapi_krb5.so.2.2 001d9000-001da000 ---p 0003c000 fd:00 310949 /lib/libgssapi_krb5.so.2.2 001da000-001db000 r--p 0003c000 fd:00 310949 /lib/libgssapi_krb5.so.2.2 001db000-001dc000 rw-p 0003d000 fd:00 310949 /lib/libgssapi_krb5.so.2.2 001de000-00207000 r-xp 00000000 fd:00 310946 /lib/libk5crypto.so.3.1 00207000-00208000 ---p 00029000 fd:00 310946 /lib/libk5crypto.so.3.1 00208000-00209000 r--p 00029000 fd:00 310946 /lib/libk5crypto.so.3.1 00209000-0020a000 rw-p 0002a000 fd:00 310946 /lib/libk5crypto.so.3.1 0020c000-00215000 r-xp 00000000 fd:00 310945 /lib/libkrb5support.so.0.1 00215000-00216000 r--p 00008000 fd:00 310945 /lib/libkrb5support.so.0.1 00216000-00217000 rw-p 00009000 fd:00 310945 /lib/libkrb5support.so.0.1 00219000-0021b000 r-xp 00000000 fd:00 310944 /lib/libkeyutils.so.1.3 0021b000-0021c000 r--p 00001000 fd:00 310944 /lib/libkeyutils.so.1.3 0021c000-0021d000 rw-p 00002000 fd:00 310944 /lib/libkeyutils.so.1.3 0021f000-002ee000 r-xp 00000000 fd:00 310948 /lib/libkrb5.so.3.3 002ee000-002f4000 r--p 000ce000 fd:00 310948 /lib/libkrb5.so.3.3 002f4000-002f5000 rw-p 000d4000 fd:00 310948 /lib/libkrb5.so.3.3 007b7000-007d5000 r-xp 00000000 fd:00 310903 /lib/ld-2.12.so 007d5000-007d6000 r--p 0001d000 fd:00 310903 /lib/ld-2.12.so 007d6000-007d7000 rw-p 0001e000 fd:00 310903 /lib/ld-2.12.so 007dd000-00966000 r-xp 00000000 fd:00 310904 /lib/libc-2.12.so 00966000-00967000 ---p 00189000 fd:00 310904 /lib/libc-2.12.so 00967000-00969000 r--p 00189000 fd:00 310904 /lib/libc-2.12.so 00969000-0096a000 rw-p 0018b000 fd:00 310904 /lib/libc-2.12.so 0096a000-0096d000 rw-p 00000000 00:00 0 0096f000-00972000 r-xp 00000000 fd:00 310911 /lib/libdl-2.12.so 00972000-00973000 r--p 00002000 fd:00 310911 /lib/libdl-2.12.so 00973000-00974000 rw-p 00003000 fd:00 310911 /lib/libdl-2.12.so 0097c000-0097d000 r-xp 00000000 00:00 0 [vdso] 
00993000-0099f000 r-xp 00000000 fd:00 310929 /lib/libpam.so.0.82.2 0099f000-009a0000 r--p 0000b000 fd:00 310929 /lib/libpam.so.0.82.2 009a0000-009a1000 rw-p 0000c000 fd:00 310929 /lib/libpam.so.0.82.2 009bf000-009d1000 r-xp 00000000 fd:00 265415 /lib/libz.so.1.2.3 009d1000-009d2000 r--p 00011000 fd:00 265415 /lib/libz.so.1.2.3 009d2000-009d3000 rw-p 00012000 fd:00 265415 /lib/libz.so.1.2.3 00a65000-00a7c000 r-xp 00000000 fd:00 268533 /lib/libnsl-2.12.so 00a7c000-00a7d000 r--p 00016000 fd:00 268533 /lib/libnsl-2.12.so 00a7d000-00a7e000 rw-p 00017000 fd:00 268533 /lib/libnsl-2.12.so 00a7e000-00a80000 rw-p 00000000 00:00 0 00acb000-00ae8000 r-xp 00000000 fd:00 277417 /lib/libselinux.so.1 00ae8000-00ae9000 r--p 0001c000 fd:00 277417 /lib/libselinux.so.1 00ae9000-00aea000 rw-p 0001d000 fd:00 277417 /lib/libselinux.so.1 00aec000-00b09000 r-xp 00000000 fd:00 271325 /lib/libgcc_s-4.4.6-20110824.so.1 00b09000-00b0a000 rw-p 0001d000 fd:00 271325 /lib/libgcc_s-4.4.6-20110824.so.1 00b17000-00b2d000 r-xp 00000000 fd:00 307876 /lib/libaudit.so.1.0.0 00b2d000-00b2e000 r--p 00015000 fd:00 307876 /lib/libaudit.so.1.0.0 00b2e000-00b2f000 rw-p 00016000 fd:00 307876 /lib/libaudit.so.1.0.0 00bfb000-00c10000 r-xp 00000000 fd:00 279669 /lib/libresolv-2.12.so 00c10000-00c11000 ---p 00015000 fd:00 279669 /lib/libresolv-2.12.so 00c11000-00c12000 r--p 00015000 fd:00 279669 /lib/libresolv-2.12.so 00c12000-00c13000 rw-p 00016000 fd:00 279669 /lib/libresolv-2.12.so 00c13000-00c15000 rw-p 00000000 00:00 0 00d6a000-00d6d000 r-xp 00000000 fd:00 310947 /lib/libcom_err.so.2.1 00d6d000-00d6e000 r--p 00002000 fd:00 310947 /lib/libcom_err.so.2.1 00d6e000-00d6f000 rw-p 00003000 fd:00 310947 /lib/libcom_err.so.2.1 00d71000-00d78000 r-xp 00000000 fd:00 310928 /lib/libcrypt-2.12.so 00d78000-00d79000 r--p 00007000 fd:00 310928 /lib/libcrypt-2.12.so 00d79000-00d7a000 rw-p 00008000 fd:00 310928 /lib/libcrypt-2.12.so 00d7a000-00da1000 rw-p 00000000 00:00 0 08047000-080e1000 r-xp 00000000 fd:00 266753 
/usr/bin/cvs 080e1000-080e3000 rw-p 00099000 fd:00 266753 /usr/bin/cvs 080e3000-080e4000 rw-p 00000000 00:00 0 088a0000-088c1000 rw-p 00000000 00:00 0 [heap] b7834000-b7839000 rw-p 00000000 00:00 0 b7842000-b7846000 rw-p 00000000 00:00 0 bfe8e000-bfea3000 rw-p 00000000 00:00 0 [stack] cvs [history aborted]: received abort signal -------------------------------------------------------------- ============================= = this is TCP communication = ============================= # Client ------> server # 'CONNECT 127.0.0.1:2401 HTTP/1.0\r\n\r\n' # Server ------> Client # 'HTTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP/1.0 200 Connection established\r\n\r\n'
The invalid free is called from frame #5: #5 0x0805a324 in proxy_connect (root=0x80e7b98, to_server_p=0x80e2ba4, from_server_p=0x80e2ba8, verify_only=0, do_gssapi=0) at client.c:3886 read_buf = 0x80e9420 'A' <repeats 189 times>, "1.0" codenum = 200 write_buf = 0x80e92d8 "HTTP/", 'A' <repeats 195 times>... len = <value optimized out> #6 connect_to_pserver (root=0x80e7b98, to_server_p=0x80e2ba4, from_server_p=0x80e2ba8, verify_only=0, do_gssapi=0) at client.c:3828 sock = <value optimized out> port_number = 2401 gerr = <value optimized out> hints = {ai_flags = 0, ai_family = 0, ai_socktype = 1, ai_protocol = 0, ai_addrlen = 0, ai_addr = 0x0, ai_canonname = 0x0, ai_next = 0x0} res = <value optimized out> res0 = 0x80e8fd0 pbuf = "910\000|A\016\bh\177\016\b\350\354\377\277\362\246\200\000j\177\016\b\274\331\v\b\f\000\000" local_to_server = 0x80e8738 local_from_server = 0x80e8778 p_hostname = 0x80e7c38 "127.0.0.1" #7 0x0805b06f in start_server () at client.c:4455 rootless = <value optimized out> log = 0x0 #8 0x0806b8cb in history (argc=0, argv=0xbfffef54) at history.c:562 f1 = <value optimized out> mod = <value optimized out> i = <value optimized out> c = <value optimized out> fname = <value optimized out> #9 0x08077f7d in main (argc=1, argv=0xbfffef50) at main.c:990 CVSroot_parsed = <value optimized out> cvsroot_update_env = 1 cp = <value optimized out> end = 0x968ff4 "|\215\226" cm = <value optimized out> c = <value optimized out> err = <value optimized out> ---Type <return> to continue, or q <return> to quit--- tmpdir_update_env = 47 free_Editor = 0 free_Tmpdir = 0 help = 0 short_options = "+46Qqrwtnvb:T:e:d:Hfz:s:xa" long_options = {{name = 0x80c4a17 "help", has_arg = 0, flag = 0x0, val = 72}, {name = 0x80c4a09 "version", has_arg = 0, flag = 0x0, val = 118}, { name = 0x80c4a1c "help-commands", has_arg = 0, flag = 0x0, val = 1}, {name = 0x80c4a2a "help-synonyms", has_arg = 0, flag = 0x0, val = 2}, { name = 0x80c4a38 "help-options", has_arg = 0, flag = 0x0, val = 4}, 
{name = 0x80c4a45 "allow-root", has_arg = 1, flag = 0x0, val = 3}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}} option_index = 0 __PRETTY_FUNCTION__ = "main"
*** This bug has been marked as a duplicate of bug 784338 ***