
Re: Segfault during "svn info"

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sun, 16 Nov 2008 20:52:23 +0200 (Jerusalem Standard Time)

Stefan Sperling wrote on Sun, 16 Nov 2008 at 18:38 -0000:
> On Sun, Nov 16, 2008 at 08:10:26PM +0200, Daniel Shahaf wrote:
> > > > $ svn cleanup
> > > >
> > > > Program received signal SIGSEGV, Segmentation fault.
> > > > [Switching to Thread 47116375701120 (LWP 8732)]
> > > > 0x00002ada2100e056 in svn_uri_is_canonical (
> > > > uri=0x6653b0 "svn+ssh://svn@10.0.1.1")
> > > > at subversion/libsvn_subr/dirent_uri.c:1029
> > > > 1029 while (*ptr != '/')
> > >
> > > From reading the code, it looks like we are running over the end
> > > of that string into uninitialised memory.
> > >
> > > Jens, can you try this patch?
> > > And can someone other than Jens try this patch on windows?
> > >
> >
> > How to try this patch? Shall I just apply it and run dirent_uri-tests.exe?
>
> I'm not sure :)
> I'm just here to make sure we don't read past that string :P
>
> Jens described his setup earlier in this thread.
>
> What seems to trigger the bug seems to be that the string
> "svn+ssh://svn@10.0.1.1" does not end with a slash.
>

Here is what I tried. The output is the same with yesterday's unpatched
build and with patched HEAD build:

C:\>svn info svn+tau://jens@10.1.0.1@
/tmp/buildd/subversion-1.4.6dfsg1/subversion/svnserve/serve.c:2118: (apr_err=210005)
svn: No repository found in 'svn+tau://jens@10.1.0.1'

It doesn't assert. My temporary conclusion is that I don't know how to
reproduce Jens' errors.

Daniel

> In the following code snippet, ptr points to the following
> part of that string: "svn@10.0.1.1"
> The change I made to fix the crash is also shown:
>
> /* Found a hostname, check that it's all lowercase. */
> ptr = seg;
> - while (*ptr != '/')
> + while (*ptr && *ptr != '/')
> {
> if (*ptr >= 'A' && *ptr <= 'Z')
> return FALSE;
> ptr++
> }
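Review bot: the `+ while (*ptr && *ptr != '/')` line comes with no regression test, so add one to the dirent_uri tests for a URL whose hostname is not followed by a slash, such as the `svn+ssh://svn@10.0.1.1` from the backtrace, and assert that the canonical check returns a result instead of walking past the terminator. Because the loop can now exit with `ptr` on the terminating null rather than on a '/', whatever follows the loop has to accept both cases; that code is not visible in this hunk, so it is worth quoting in the patch context. As quoted, the context line `ptr++` is also missing its semicolon.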
>
> I've also checked whether remaining code in that function
> will be able to cope with ptr pointing to the terminating
> null, and it looks OK to me. Hence back to Jens and others
> for testing :)
>
> > (Should we add svn:// | file:// test cases to that file?)
>
> Regression tests are always a good idea. :)
>
> Stefan

Received on 2008-11-16 19:52:37 CET

This is an archived mail posted to the Subversion Dev mailing list.