[26993] in Athena Bugs


linux 9.4.26+: jwgc/jwrite crashes

daemon@ATHENA.MIT.EDU (andrew m. boardman)
Fri Oct 27 14:50:25 2006

Date: Fri, 27 Oct 2006 14:50:01 -0400
Message-Id: <200610271850.k9RIo1ms021727@pothole.mit.edu>
From: "andrew m. boardman" <amb@mit.edu>
To: bugs@mit.edu
X-Spam-Score: -5.599
X-Spam-Flag: NO
Errors-To: bugs-bounces@mit.edu
I've noticed several problems with jwgc and jwrite crashing which appear
to be related to bad string handling in its XML parsing code; here are
some easy reproduction cases with stack traces.

For jwrite, certain arrangements of message strings reliably cause a
crash.  My favorite example:

Starting program: /usr/athena/bin/jwrite amb@mit.edu
Type your message now.  End with control-D or a dot on a line by itself.
It didn't crash this time!
.

Program received signal SIGSEGV, Segmentation fault.
0x0017232a in malloc_consolidate () from /lib/tls/libc.so.6
(gdb) where
#0  0x0017232a in malloc_consolidate () from /lib/tls/libc.so.6
#1  0x001732f3 in _int_malloc () from /lib/tls/libc.so.6
#2  0x001750b1 in malloc () from /lib/tls/libc.so.6
#3  0x0804e132 in XML_ParserCreate_MM (encodingName=0x0, memsuite=0x0, nameSep=0x0) at xmlparse.c:576
#4  0x0804e0a9 in XML_ParserCreate (encodingName=0x0) at xmlparse.c:535
#5  0x08049bed in jwg_start (jwg=0x9ff7db0) at JXMLComm.c:153
#6  0x08049934 in main (argc=2, argv=0xbff98b84) at jwrite.c:276

Jwgc, on the other hand, crashes on some status notifications.  I've seen
this with status messages from several different remote clients.  My
testing is with imcom (an ircII-lookalike tty-mode python jabber client
available from <http://dag.wieers.com/packages/imcom/>) being used with a
jabber.org principal.  Once connected at both ends, with the MIT end
subscribed to the presence of the jabber.org end and getting presence
messages (which seem to not always work for reasons I'm not clear on, but
reconnecting from both ends can help), "/away" followed by "/online" from
the jabber.org end reliably crashes jwgc thus:

Starting program: /usr/athena/bin/jwgc -nofork

Program received signal SIGSEGV, Segmentation fault.
0x0056ff83 in strlen () from /lib/tls/libc.so.6
(gdb) where
#0  0x0056ff83 in strlen () from /lib/tls/libc.so.6
#1  0x0056fcc5 in strdup () from /lib/tls/libc.so.6
#2  0x0806082b in unicode_to_str (in=0x0, out=0xbffee844) at JStr.c:322
#3  0x0805257f in decode_notice (notice=0x882b8f0) at notice.c:341
#4  0x0804e911 in process_presence (conn=0x8807ee8, packet=0x882b8f0) at jabber_handler.c:279
#5  0x0804e36c in jab_on_packet_handler (conn=0x8807ee8, packet=0x882b8f0) at jabber_handler.c:88
#6  0x08062f6a in endElement (userdata=0x8807ee8, name=0x88259c0 "presence") at jconn.c:779
#7  0x08069083 in doContent (parser=0x8823798, startTagLevel=0, enc=0x8088820, s=0x8091d36 "</presence>", 
    end=0x8091d41 "", nextPtr=0xbffeea20) at xmlparse.c:1723
#8  0x08068297 in contentProcessor (parser=0x8823798, 
    start=0x8091ca0 "<presence xmlns='jabber:client' type='available' to='amb@mit.edu/jwgc' from='amb@jabber.org/online'><show>online</show><status/><priority>6</priority></presence>", end=0x8091d41 "", endPtr=0xbffeea20) at xmlparse.c:1333
#9  0x08067c1b in XML_Parse (parser=0x8823798, 
    s=0x8091ca0 "<presence xmlns='jabber:client' type='available' to='amb@mit.edu/jwgc' from='amb@jabber.org/online'><show>online</show><status/><priority>6</priority></presence>", len=161, isFinal=0) at xmlparse.c:1105
#10 0x08062364 in jab_recv (j=0x8807ee8) at jconn.c:422
#11 0x08051651 in mux_loop () at mux.c:184
#12 0x080513d7 in main (argc=1, argv=0xbffeecd4) at main.c:608
