
Re: NULL-pointer access in RC5

From: Lieven Govaerts <svnlgo_at_mobsol.be>
Date: Fri, 06 Jun 2008 00:08:18 +0200

Stefan Küng wrote:
> Hi,
>
> (sorry for the html mail, but I want to keep the stacktrace below
> formatted correctly)
>
> Crash report sent for TortoiseSVN, but problem is in the svn library.
> I've checked the STATUS file for changes that might have something to
> do with this but couldn't find anything:
>
> in the function svn_auth_next_credentials() file
> subversion\libsvn_subr\auth.c, the line
> provider_set_t *table = state->table;
> accesses a NULL pointer since 'state' was NULL (in the crash dump I
> received).
>
> Here's the stacktrace:
> TortoiseProc.exe!svn_auth_next_credentials(void * * credentials=0x04fefa8c, svn_auth_iterstate_t * state=0x00000000, apr_pool_t * pool=0x0228ea60) Line 243 C
> TortoiseProc.exe!handle_basic_auth(svn_ra_serf__session_t * session=0x01258fd0, svn_ra_serf__connection_t * conn=0x02284e58, serf_request_t * request=0x02276a28, serf_bucket_t * response=0x02291270, char * auth_hdr=0x02290cf0, char * auth_attr=0x02290cf5, apr_pool_t * pool=0x0228ea60) Line 303 + 0x14 bytes C
> TortoiseProc.exe!svn_ra_serf__handle_auth(int code=401, svn_ra_serf__session_t * session=0x01258fd0, svn_ra_serf__connection_t * conn=0x02284e58, serf_request_t * request=0x02276a28, serf_bucket_t * response=0x02291270, apr_pool_t * pool=0x022a9e58) Line 197 + 0x1b bytes C
> TortoiseProc.exe!handle_response(serf_request_t * request=0x02276a28, serf_bucket_t * response=0x02291270, void * baton=0x01259118, apr_pool_t * pool=0x022a9e58) Line 1199 + 0x19 bytes C
> TortoiseProc.exe!read_from_connection(serf_connection_t * conn=0x00000000) Line 750 + 0x13 bytes C
> TortoiseProc.exe!process_connection(serf_connection_t * conn=0x00000000, short events=1) Line 852 + 0x7 bytes C
> TortoiseProc.exe!serf_context_run(serf_context_t * ctx=0x0228eb30, int duration=2000000000, apr_pool_t * pool=0x011ec568) Line 966 + 0x15 bytes C
> TortoiseProc.exe!svn_ra_serf__context_run_wait(int * done=0x04fefb98, svn_ra_serf__session_t * sess=0x01258fd0, apr_pool_t * pool=0x011ec568) Line 540 + 0xf bytes C
> TortoiseProc.exe!exchange_capabilities(svn_ra_serf__session_t * serf_sess=0x00000000, apr_pool_t * pool=0x00000000) Line 196 C
> TortoiseProc.exe!svn_ra_serf__open(svn_ra_session_t * session=0x01258fc0, const char * repos_URL=0x01258df8, const svn_ra_callbacks2_t * callbacks=0x01258f08, void * callback_baton=0x01258f30, apr_hash_t * config=0x011eaf60, apr_pool_t * pool=0x011ec568) Line 599 + 0x16 bytes C
> TortoiseProc.exe!svn_ra_open3(svn_ra_session_t * * session_p=0x04fefcc4, const char * repos_URL=0x01258df8, const char * uuid=0x02275d50, const svn_ra_callbacks2_t * callbacks=0x01258f08, void * callback_baton=0x01258f30, apr_hash_t * config=0x011eaf60, apr_pool_t * pool=0x011ec568) Line 472 + 0x32 bytes C
>
> TortoiseProc.exe!svn_client__open_ra_session_internal(svn_ra_session_t * * ra_session=0x04fefcc4, const char * base_url=0x01258df8, const char * base_dir=0x02275b58, svn_wc_adm_access_t * base_access=0x02275a80, apr_array_header_t * commit_items=0x00000000, int use_admin=0, int read_only_wc=0, svn_client_ctx_t * ctx=0x011ea598, apr_pool_t * pool=0x02275d50) Line 325 + 0x1b bytes C
> TortoiseProc.exe!svn_client_lock(const apr_array_header_t * targets=0x011ec5d8, const char * comment=0x01266188, int steal_lock=0, svn_client_ctx_t * ctx=0x011ea598, apr_pool_t * pool=0x011ec568) Line 418 + 0x32 bytes C
>
> In handle_response(), the session->auth_state is set to NULL due to
> last status code being 401. But that auth_state is never set in the
> following function calls which leads then to the NULL pointer access.

I've looked at the code and the only possible situation I can think of
that can lead to this stacktrace is when in handle_basic_auth,
svn_auth_first_credentials returns an error. If that happens,
session->realm will be set, but the auth_state will be (most likely)
NULL. That's okay if that error is raised to the user, but I've noticed
we just ignore it in svn_ra_serf__handle_auth.

Now I don't know how to reproduce this yet, but I have found that if I
keep supplying wrong credentials on the command line, after 3 times svn
will hang using 100% cpu. I have a fix for that in my trunk working
copy, which also fixes the ignored error problem. As soon as I get my
NTLM+Basic setup working again I'll test and commit.

I suppose you don't have the possibility to check if that fix will solve
this issue?

Thanks for the crash report! Why does it not include the source file
names? Also, it would be useful if const char *'s could be printed as
their string value.

Lieven
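The failure mode Lieven describes (an error from the "first credentials" call swallowed in the 401 handler, leaving the realm set but the iterator state NULL, so the next 401 dereferences NULL) and the unbounded retry spin he mentions are both easier to see in a small model than in the real code. The block below is an added example written for this page; it is not Subversion's or serf's code. Every name in it (`first_credentials`, `next_credentials`, `handle_auth_ignoring_error`, `handle_auth_propagating`, `authenticate`, the realm, and the credential list) is a constructed stand-in, and `next_credentials` fails closed on a NULL state instead of reading through it as the reported `auth.c` line did, so the test can observe the condition rather than crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed analogue of the ra_serf 401 handling discussed in the thread.
 * All names are hypothetical stand-ins, not Subversion's or serf's APIs. */

enum { ERR_OK = 0, ERR_NO_PROVIDER, ERR_NULL_STATE, ERR_AUTH_FAILED, ERR_TOO_MANY_RETRIES };

/* Iterator over the credentials a provider chain can offer for a realm
 * (stand-in for svn_auth_iterstate_t). */
typedef struct {
    const char **creds;   /* NULL-terminated list of "user:pass" candidates */
    size_t next;          /* index of the candidate handed out next */
} auth_iterstate_t;

typedef struct {
    const char *realm;             /* set once a 401 names a realm */
    auth_iterstate_t *auth_state;  /* NULL until first_credentials succeeds */
    auth_iterstate_t storage;
} session_t;

/* Constructed provider table: exactly one realm has a provider. */
static const char *known_realm = "Example Realm";
static const char *known_creds[] = { "guest:guest", "user:wrong", "user:secret", NULL };

/* svn_auth_first_credentials analogue: fails, leaving *state NULL, when no
 * provider knows the realm. This is the error the thread says gets ignored. */
static int first_credentials(const char *realm, auth_iterstate_t *storage,
                             auth_iterstate_t **state, const char **cred)
{
    *state = NULL;
    *cred = NULL;
    if (strcmp(realm, known_realm) != 0)
        return ERR_NO_PROVIDER;
    storage->creds = known_creds;
    storage->next = 1;
    *cred = known_creds[0];
    *state = storage;
    return ERR_OK;
}

/* svn_auth_next_credentials analogue. The reported crash is a read through a
 * NULL state; here a NULL state is reported as an error instead. */
static int next_credentials(auth_iterstate_t *state, const char **cred)
{
    *cred = NULL;
    if (state == NULL)
        return ERR_NULL_STATE;
    if (state->creds[state->next] == NULL)
        return ERR_AUTH_FAILED;          /* providers exhausted */
    *cred = state->creds[state->next++];
    return ERR_OK;
}

/* 401 handler as described in the thread: the first_credentials error is
 * dropped, the realm is recorded anyway, and auth_state stays NULL. */
static int handle_auth_ignoring_error(session_t *s, const char *realm, const char **cred)
{
    s->realm = realm;
    (void)first_credentials(realm, &s->storage, &s->auth_state, cred);
    return ERR_OK;   /* caller now believes auth is set up */
}

/* Same handler with the error propagated, so no caller reaches
 * next_credentials with a NULL auth_state. */
static int handle_auth_propagating(session_t *s, const char *realm, const char **cred)
{
    int err = first_credentials(realm, &s->storage, &s->auth_state, cred);
    if (err != ERR_OK)
        return err;
    s->realm = realm;
    return ERR_OK;
}

/* Bounded request/retry loop against a constructed server that returns 401
 * for anything but `expected`. The cap is what keeps a permanently wrong
 * credential from becoming a busy loop. Returns the error code; the number
 * of requests issued is written to *attempts_out. */
static int authenticate(session_t *s, const char *realm, const char *expected, int max_attempts,
                        int (*handle_auth)(session_t *, const char *, const char **),
                        int *attempts_out)
{
    const char *cred;
    int attempts = 0;
    int err = handle_auth(s, realm, &cred);
    if (err != ERR_OK) { *attempts_out = 0; return err; }
    while (attempts < max_attempts) {
        attempts++;
        if (cred != NULL && strcmp(cred, expected) == 0) { *attempts_out = attempts; return ERR_OK; }
        err = next_credentials(s->auth_state, &cred);    /* got a 401: ask for the next candidate */
        if (err != ERR_OK) { *attempts_out = attempts; return err; }
    }
    *attempts_out = attempts;
    return ERR_TOO_MANY_RETRIES;
}

int main(void)
{
    session_t s = {0};
    int attempts;
    int err = authenticate(&s, "Unknown Realm", "user:secret", 5, handle_auth_ignoring_error, &attempts);
    printf("ignoring handler: err=%d realm=%s auth_state=%p\n", err, s.realm, (void *)s.auth_state);
    memset(&s, 0, sizeof s);
    err = authenticate(&s, "Unknown Realm", "user:secret", 5, handle_auth_propagating, &attempts);
    printf("propagating handler: err=%d attempts=%d\n", err, attempts);
    return 0;
}
```

With the error-ignoring handler and a realm no provider knows, the session ends up exactly as the reply describes: `realm` set, `auth_state` NULL, and the next 401 walking into `next_credentials` with that NULL. The propagating handler returns the provider error before any request is made, and the attempt cap turns an endless supply of rejected credentials into a bounded failure rather than a spin.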

Received on 2008-06-06 00:08:42 CEST

This is an archived mail posted to the Subversion Dev mailing list.
