View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0001369SOGoSOPEpublic2011-07-12 15:522011-07-18 14:18
Reporterbuzzdee Assigned Tofrancis  
PrioritynormalSeveritycrashReproducibilityalways
Status resolvedResolutionfixed 
Product Version1.3.7a 
Fixed in Version1.3.8a 
Summary0001369: crash in the webinterface, just when the webinterface is idle
Description

The crash happens on OpenBSD i386 using SOPE/SOGo 1.3.7a.

It easily materializes, when running sogo in gdb with the following parameters:

gdb /usr/local/sbin/sogod
r -WOUseWatchDog NO -WONoDetach YES -WOLogFile -

It just needs one client connected to the web interface, idling around in a mail folder.

When using the watchdog, the bug is not that obvious, since it will restart another instance and its going on...

The crasher always produces a backtrace like this:

#0 0x0525f4a8 in NGDecodeUrlFormParameters (
_buffer=0x89290fe0 "sort=date&asc=false&no_headers=1" <Address 0x89291000 out of bounds>, _len=32) at NGUrlFormCoder.m:157
157 if (_buffer[pos] == '&' || _buffer[pos] == '?') pos++;
(gdb) bt
#0 0x0525f4a8 in NGDecodeUrlFormParameters (
_buffer=0x89290fe0 "sort=date&asc=false&no_headers=1" <Address 0x89291000 out of bounds>, _len=32) at NGUrlFormCoder.m:157
0000001 0x0525aa02 in -[NGFormUrlBodyParser parseBodyOfPart:data:delegate:] (self=0x84e669b8, _cmd=0x213c94a8, _part=0x84635288,
_data=0x86cb4848, _d=0x7c6c0f88) at NGHttpBodyParser.m:49
0000002 0x013e909c in -[NGMimePartParser parseBodyOfPart:] (self=0x7e558a88, _cmd=0x251e78a8, _part=0x84635288)
at NGMimePartParser.m:1147
0000003 0x0525ceec in -[NGHttpMessageParser parseBodyOfPart:] (self=0x7e558a88, _cmd=0x213c9500, _part=0x84635288)
at NGHttpMessageParser.m:604
0000004 0x013e9b6c in -[NGMimePartParser parsePart] (self=0x7e558a88, _cmd=0x213c9520) at NGMimePartParser.m:1252
0000005 0x013e8ce3 in -[NGMimePartParser parsePartFromStream:] (self=0x7e558a88, _cmd=0x251e78e8, _stream=0x86e582c8)
at NGMimePartParser.m:1269
0000006 0x0525c914 in -[NGHttpMessageParser parseRequestFromStream:] (self=0x7e558a88, _cmd=0x25219460, _stream=0x86e582c8)
at NGHttpMessageParser.m:697
0000007 0x052b5c9c in -[WOHttpTransaction parseRequestFromStream:] (self=0x7c6c0f88, _cmd=0x25219310, _in=0x86e582c8)
at WOHttpTransaction.m:623
0000008 0x052b3f94 in -[WOHttpTransaction _readRequest] (self=0x7c6c0f88, _cmd=0x25219428) at WOHttpTransaction.m:365
0000009 0x052b2e7d in -[WOHttpTransaction _run] (self=0x7c6c0f88, _cmd=0x25219448) at WOHttpTransaction.m:540
0000010 0x052b5de5 in -[WOHttpTransaction run] (self=0x7c6c0f88, _cmd=0x25218788) at WOHttpTransaction.m:599
0000011 0x052afa7f in -[WOHttpAdaptor runConnection:] (self=0x82dc2748, _cmd=0x252187d8, _socket=0x81f7b588) at WOHttpAdaptor.m:384
0000012 0x052b1588 in -[WOHttpAdaptor _handleAcceptedConnection:] (self=0x82dc2748, _cmd=0x252187e0, _connection=0x81f7b588)
at WOHttpAdaptor.m:418
0000013 0x052b11b4 in -[WOHttpAdaptor _handleConnection:] (self=0x82dc2748, _cmd=0x25218838, connection=0x81f7b588)
at WOHttpAdaptor.m:477
0000014 0x052b1711 in -[WOHttpAdaptor acceptConnection:] (self=0x82dc2748, _cmd=0x25218768, _notification=0x7dfb43e8)
at WOHttpAdaptor.m:538
0000015 0x08f9d9de in NSLog () from /usr/local/lib/libgnustep-base.so.4.0
0000016 0x08f9cc08 in NSLog () from /usr/local/lib/libgnustep-base.so.4.0
0000017 0x08f9ca7e in NSLog () from /usr/local/lib/libgnustep-base.so.4.0
0000018 0x0bfba301 in -[NSObject(FileObjectWatcher) receivedEvent:type:extra:forMode:] (self=0x82dc2708, _cmd=0x28f8d8b0, _fdData=0x7,
_type=ET_RDESC, _extra=0x7, _mode=0x28f49d20) at NSRunLoop+FileObjects.m:57
0000019 0x090c06a6 in GSFromUnicode () from /usr/local/lib/libgnustep-base.so.4.0
0000020 0x08ff3d22 in NSRegularExpressionOptionsToURegexpFlags () from /usr/local/lib/libgnustep-base.so.4.0
0000021 0x08ff1e43 in NSRegularExpressionOptionsToURegexpFlags () from /usr/local/lib/libgnustep-base.so.4.0
0000022 0x052096df in -[WOCoreApplication run] (self=0x809dc308, _cmd=0x3c002788) at WOCoreApplication.m:576
0000023 0x1c002457 in gnustep_base_user_main ()
0000024 0x05233854 in WOApplicationMain (_appClassName=0x3c0018ac, argc=4, argv=0xcfbd6adc) at WOApplicationMain.m:42
0000025 0x0525498b in WOWatchDogApplicationMain (appName=0x3c0018ac, argc=4, argv=0xcfbd6adc) at WOWatchDogApplicationMain.m:1034
0000026 0x1c0016af in gnustep_base_user_main ()
0000027 0x08fe115e in main () from /usr/local/lib/libgnustep-base.so.4.0
0000028 0x00000004 in ?? ()
0000029 0xcfbd6adc in ?? ()
0000030 0xcfbd6af0 in ?? ()
0000031 0xcfbd0033 in ?? ()
0000032 0x1c000033 in ?? ()
0000033 0x00000004 in ?? ()
0000034 0xcfbd6aa0 in ?? ()
0000035 0x3c004cc0 in ?? ()
0000036 0x3c005ebf in prognamestorage ()
0000037 0x3c005dc0 in environ ()
0000038 0xcfbd6ab8 in ?? ()
0000039 0x1c0013c7 in start ()
0000040 0x1c0013c7 in ___start ()
0000041 0x1c001347 in _start ()
0000042 0x00000000 in ?? ()

I examined it more, but I can't scroll back right now, however, the _buffer is 32 bytes long (0..31) but pos is 32, so its trying to access the string past the buffer. I added a check to check whether post < _len in the if statement.
See attached patch.

Additional Information

Please could you review this patch, and if possible add it to 1.3.8? Taking a look at the roadmap overview, it seems 1.3.8 is not far in the future ;)

TagsNo tags attached.

Activities

2011-07-12 15:52

 

patch-sope-appserver_NGObjWeb_NGHttp_NGUrlFormCoder_m (544 bytes)    
$OpenBSD$

hope to fix crasher

--- sope-appserver/NGObjWeb/NGHttp/NGUrlFormCoder.m.orig	Tue Nov  2 15:12:13 2010
+++ sope-appserver/NGObjWeb/NGHttp/NGUrlFormCoder.m	Tue Jul 12 17:35:48 2011
@@ -154,7 +154,7 @@ NGHashMap *NGDecodeUrlFormParameters(const unsigned ch
       value = len > 0 ? urlStringFromBuffer(buffer, len) : (NSString *)@"";
       
       // skip '&'
-      if (_buffer[pos] == '&' || _buffer[pos] == '?') pos++;
+      if (pos < _len && _buffer[pos] == '&' || _buffer[pos] == '?') pos++;
     }
     
     if (value == nil)
patch-sope-appserver_NGObjWeb_NGHttp_NGUrlFormCoder_m (544 bytes)   
buzzdee

buzzdee

2011-07-17 14:11

reporter   ~0002716

I added some NSLogs to the NGDecodeUrlFormParameters function, the output can look like this:

2011-07-17 15:48:35.144 sogod[4217] NGDecodeUrlFormParameters initial: _buffer: sort=date&asc=false&no_headers=1LH
È8:ȶ¢};
=:È{Be; }, _len: 32
2011-07-17 15:48:35.144 sogod[4217] NGDecodeUrlFormParameters: len: 4, pos: 4
2011-07-17 15:48:35.144 sogod[4217] key: sort
2011-07-17 15:48:35.144 sogod[4217] NGDecodeUrlFormParameters: len: 4, pos: 9
2011-07-17 15:48:35.145 sogod[4217] value: date
2011-07-17 15:48:35.145 sogod[4217] NGDecodeUrlFormParameters: len: 3, pos: 13
2011-07-17 15:48:35.145 sogod[4217] key: asc
2011-07-17 15:48:35.145 sogod[4217] NGDecodeUrlFormParameters: len: 5, pos: 19
2011-07-17 15:48:35.145 sogod[4217] value: false
2011-07-17 15:48:35.145 sogod[4217] NGDecodeUrlFormParameters: len: 10, pos: 30
2011-07-17 15:48:35.145 sogod[4217] key: no_headers
2011-07-17 15:48:35.145 sogod[4217] NGDecodeUrlFormParameters: len: 1, pos: 32
2011-07-17 15:48:35.145 sogod[4217] value: 1

When skipping the & and ?, there pos is one larger than the length of the buffer. So when it accesses _buffer[pos], it accesses the byte in memory after the buffer.
With the first patch, I had still one crasher, but with the new patch, I haven't ran into any trouble since a couple of days.

2011-07-17 14:13

 

patch-sope-appserver_NGObjWeb_NGHttp_NGUrlFormCoder_m-new (548 bytes)    
$OpenBSD$

hope to fix crasher

--- sope-appserver/NGObjWeb/NGHttp/NGUrlFormCoder.m.orig	Tue Nov  2 15:12:13 2010
+++ sope-appserver/NGObjWeb/NGHttp/NGUrlFormCoder.m	Tue Jul 12 17:35:48 2011
@@ -154,7 +154,7 @@ NGHashMap *NGDecodeUrlFormParameters(const unsigned ch
       value = len > 0 ? urlStringFromBuffer(buffer, len) : (NSString *)@"";
       
       // skip '&'
-      if (_buffer[pos] == '&' || _buffer[pos] == '?') pos++;
+      if ((pos < _len) && (_buffer[pos] == '&' || _buffer[pos] == '?')) pos++;
     }
     
     if (value == nil)
patch-sope-appserver_NGObjWeb_NGHttp_NGUrlFormCoder_m-new (548 bytes)   
francis

francis

2011-07-18 14:18

administrator   ~0002720

Fixed in revision e83ede65860f4b5861aecfd393b724488b35f524.

Issue History

Date Modified Username Field Change
2011-07-12 15:52 buzzdee New Issue
2011-07-12 15:52 buzzdee File Added: patch-sope-appserver_NGObjWeb_NGHttp_NGUrlFormCoder_m
2011-07-17 14:11 buzzdee Note Added: 0002716
2011-07-17 14:13 buzzdee File Added: patch-sope-appserver_NGObjWeb_NGHttp_NGUrlFormCoder_m-new
2011-07-18 14:18 francis Note Added: 0002720
2011-07-18 14:18 francis Status new => resolved
2011-07-18 14:18 francis Fixed in Version => 1.3.8a
2011-07-18 14:18 francis Resolution open => fixed
2011-07-18 14:18 francis Assigned To => francis