[294] in bug-owl

home help back first fref pref prev next nref lref last post

Re: segfailt in aim_bstream_send

daemon@ATHENA.MIT.EDU (Erik Nygren)
Sun Nov 23 21:17:01 2003

To: Erik Nygren <nygren@mit.edu>
cc: bug-owl@mit.edu, jtu@mit.edu
In-reply-to: Your message of "Sun, 23 Nov 2003 18:18:21 EST."
             <E1AO3Uj-0001Rl-00@galaxia.bay13.org> 
Date: Sun, 23 Nov 2003 21:15:15 -0500
From: Erik Nygren <nygren@MIT.EDU>
Message-Id: <E1AO6Fv-0002xc-00@galaxia.bay13.org>


I think this partially because aim_bstream_send doesn't deal with the
case of aim_send returning -1, which I'm guessing is because conn->fd is 0.
However, that doesn't explain why conn is getting zeroed 
out in the first place.  I checked in a fix which will at least return
an error when aim_send returns -1.

(I also found an unrelated bug that was causing the password to be
printed on login failures...  ;)

   Erik


Erik Nygren <nygren@MIT.EDU> wrote:

> 
> (gdb) where
> #0  0x08198185 in aim_bstream_send (bs=0xbfffd7a0, conn=0x0, count=110) at txqueue.c:247
> #1  0x08198380 in sendframe_flap (sess=0x81e4698, fr=0x8298050) at txqueue.c:290
> #2  0x08198534 in aim_tx_flushqueue (sess=0x81e4698) at txqueue.c:371
> #3  0x0818aae6 in aim_conn_completeconnect (sess=0x81e4698, conn=0x879e7e0) at conn.c:1017
> #4  0x0808c61b in owl_aim_process_events () at aim.c:322
> #5  0x08070909 in main (argc=136201196, argv=0xffffffff, env=0xbfffeabc) at owl.c:385
> #6  0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
> 
> Strangely, conn is not 0x0 in the caller:
> 
> (gdb) print fr->conn
> $23 = (aim_conn_t *) 0x81e4914
> (gdb) print *fr->conn
> $24 = {fd = 0, type = 0, subtype = 0, seqnum = 6, status = 0, priv = 0x0, internal = 0x0, lastactivity = 0, forcedlatency = 0, handlerlist = 0x0, sessv = 0x0, 
>   inside = 0x0, next = 0x0}
> 
> But that doesn't look like a valid connection at all...
> 
> Also, aim_bstream_send does check whether conn is null (and the
> dereference of the null conn caused the segfault).  This means that
> something called between the check and the conn dereference somehow
> corrupted the heap and/or stack, or had a side-effect?
> 
> 	  Erik
> 

home help back first fref pref prev next nref lref last post