Bug 773699 - cvs has a backtrace when using fuzzed proxy server
Summary: cvs has a backtrace when using fuzzed proxy server
Keywords:
Status: CLOSED DUPLICATE of bug 784338
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: cvs
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Petr Pisar
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-01-12 16:16 UTC by Petr Sklenar
Modified: 2012-02-29 16:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 782344 798701 (view as bug list)
Environment:
Last Closed: 2012-02-06 13:58:12 UTC
Target Upstream Version:
Embargoed:



Description Petr Sklenar 2012-01-12 16:16:37 UTC
Description of problem:
cvs has a backtrace when using a fuzzed proxy server.
A fuzzed proxy server can be a simulation of a poor proxy or bad network infrastructure.

Version-Release number of selected component (if applicable):
cvs-1.11.23-11.el6_0.1.i686

How reproducible:
It needs some luck.

Steps to Reproduce:
1. You need to have the proxyfuzz tool
http://www.secforce.com/media/tools/proxyfuzz.py.txt
and change line 127 to 0.1% of buggy bytes:
n = int(l*1/1000)

2. echo $CVS_PROXY
http://127.0.0.1:910

3. Start squid on port 911.
You can set up squid.conf by:

sed -i 's/^http_port.*/http_port 911/' /etc/squid/squid.conf
sed -i 's/.*http_access deny CONNECT.*/#nothing/' /etc/squid/squid.conf

4. python /tmp/proxyfuzz -l 910 -r 127.0.0.1 -p 911 -v -c
# It will create a proxy between ports 910 and 911.

5. Set up a basic cvs server just to be able to use: cvs history

6. cvs -d ":pserver:bz538376-26712:redhat.0.1:/var/cvs" history

Actual results:
After 10 attempts of cvs history there is a backtrace.

Expected results:
No backtrace; there is an error message.

Additional info:

# cvs -d ":pserver:bz538376-26712:redhat.0.1:/var/cvs" history
*** glibc detected *** cvs: double free or corruption (out): 0x088a5448 ***
======= Backtrace: =========
/lib/libc.so.6[0x84ba31]
cvs[0x805a324]
cvs[0x805b06f]
cvs[0x806b8cb]
cvs[0x8077f7d]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f3ce6]
cvs[0x804ae11]
======= Memory map: ========
cvs [history aborted]: received abort signal
--------------------------------------------------------------


=============================
= this is TCP communication =
=============================

#
Client ------> server
#
'CONNECT 127.0.0.1:2401 HTTP/1.0\r\n\r\n'
#
Server ------> Client
#
'HTTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP/1.0 200 Connection established\r\n\r\n'

Comment 2 Petr Pisar 2012-01-13 14:24:30 UTC
The invalid free is called from frame #5:

#5  0x0805a324 in proxy_connect (root=0x80e7b98, to_server_p=0x80e2ba4, from_server_p=0x80e2ba8, verify_only=0, do_gssapi=0) at client.c:3886
        read_buf = 0x80e9420 'A' <repeats 189 times>, "1.0"
        codenum = 200
        write_buf = 0x80e92d8 "HTTP/", 'A' <repeats 195 times>...
        len = <value optimized out>
#6  connect_to_pserver (root=0x80e7b98, to_server_p=0x80e2ba4, from_server_p=0x80e2ba8, verify_only=0, do_gssapi=0) at client.c:3828
        sock = <value optimized out>
        port_number = 2401
        gerr = <value optimized out>
        hints = {ai_flags = 0, ai_family = 0, ai_socktype = 1, ai_protocol = 0, ai_addrlen = 0, ai_addr = 0x0, ai_canonname = 0x0, ai_next = 0x0}
        res = <value optimized out>
        res0 = 0x80e8fd0
        pbuf = "910\000|A\016\bh\177\016\b\350\354\377\277\362\246\200\000j\177\016\b\274\331\v\b\f\000\000"
        local_to_server = 0x80e8738
        local_from_server = 0x80e8778
        p_hostname = 0x80e7c38 "127.0.0.1"
#7  0x0805b06f in start_server () at client.c:4455
        rootless = <value optimized out>
        log = 0x0
#8  0x0806b8cb in history (argc=0, argv=0xbfffef54) at history.c:562
        f1 = <value optimized out>
        mod = <value optimized out>
        i = <value optimized out>
        c = <value optimized out>
        fname = <value optimized out>
#9  0x08077f7d in main (argc=1, argv=0xbfffef50) at main.c:990
        CVSroot_parsed = <value optimized out>
        cvsroot_update_env = 1
        cp = <value optimized out>
        end = 0x968ff4 "|\215\226"
        cm = <value optimized out>
        c = <value optimized out>
        err = <value optimized out>
        tmpdir_update_env = 47
        free_Editor = 0
        free_Tmpdir = 0
        help = 0
        short_options = "+46Qqrwtnvb:T:e:d:Hfz:s:xa"
        long_options = {{name = 0x80c4a17 "help", has_arg = 0, flag = 0x0, val = 72}, {name = 0x80c4a09 "version", has_arg = 0, flag = 0x0, val = 118}, {
            name = 0x80c4a1c "help-commands", has_arg = 0, flag = 0x0, val = 1}, {name = 0x80c4a2a "help-synonyms", has_arg = 0, flag = 0x0, val = 2}, {
            name = 0x80c4a38 "help-options", has_arg = 0, flag = 0x0, val = 4}, {name = 0x80c4a45 "allow-root", has_arg = 1, flag = 0x0, val = 3}, {name = 0x0, has_arg = 0, 
            flag = 0x0, val = 0}}
        option_index = 0
        __PRETTY_FUNCTION__ = "main"
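
A hardened parser for the proxy's CONNECT status line, added here as an illustration; it is not cvs's own code. It assumes, from the frame #5 locals above where write_buf holds "HTTP/" followed by the run of 'A' bytes, that the corruption comes from copying the over-long first token of the reply into a small heap buffer; the parser below never copies that token, caps the line length, and rejects the captured reply so the client can print an error instead of aborting. MAX_STATUS_LINE and the function names are constructed for the example.

```c
#include <ctype.h>
#include <string.h>

#define MAX_STATUS_LINE 512   /* constructed cap; a sane proxy never needs more */

/* Parse the first line of an HTTP CONNECT reply, e.g.
 * "HTTP/1.0 200 Connection established\r\n". Returns the status code, or -1
 * if the line is malformed; the caller continues only on 2xx. The line is
 * inspected in place, nothing is copied into a fixed-size buffer, so an
 * over-long first token can never overrun heap memory. */
int parse_proxy_status(const char *line, size_t len)
{
    const char *p = line, *end = line + len;
    int code = 0, i;

    if (len > MAX_STATUS_LINE)
        return -1;
    /* Strict prefix: "HTT" + 'A'... + "P/1.0" from the fuzzed run fails here. */
    if (len < 5 || memcmp(p, "HTTP/", 5) != 0)
        return -1;
    p += 5;
    /* Version must be digit '.' digit followed by exactly one space. */
    if (end - p < 4 || !isdigit((unsigned char)p[0]) || p[1] != '.' ||
        !isdigit((unsigned char)p[2]) || p[3] != ' ')
        return -1;
    p += 4;
    /* Status: exactly three digits, then space or end of line. */
    for (i = 0; i < 3; i++) {
        if (p >= end || !isdigit((unsigned char)*p))
            return -1;
        code = code * 10 + (*p++ - '0');
    }
    if (p < end && *p != ' ' && *p != '\r' && *p != '\n')
        return -1;
    return code;
}

/* Rebuild the reply captured in this report: "HTT", n bytes of 'A', then
 * "P/1.0 200 Connection established". Returns bytes written, 0 if no room. */
size_t build_fuzzed_line(char *buf, size_t bufsz, size_t n)
{
    const char *tail = "P/1.0 200 Connection established\r\n";
    size_t need = 3 + n + strlen(tail);
    if (need + 1 > bufsz)
        return 0;
    memcpy(buf, "HTT", 3);
    memset(buf + 3, 'A', n);
    memcpy(buf + 3 + n, tail, strlen(tail) + 1);
    return need;
}
```
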

Comment 4 Tomas Hoger 2012-02-06 13:58:12 UTC

*** This bug has been marked as a duplicate of bug 784338 ***

