[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: crash opening Repository Browser for svn:// archives

From: Dave Huang <khym_at_azeotrope.org>
Date: Thu, 08 Sep 2011 01:14:27 -0500

> I have a reproducible crash when trying to open the repository browser,
> sparse - checkout selection, revision graph and probably other features.
>
> Reproduce:
> - "tortoiseproc /command:repobrowser /path:svn://somewhere"
> - enter your correct credentials
>
> It seems to only happen for svn:// repositories. (I don't know whether
> it also happens for non-authenticated).

I'm getting the same crash with:
Windows 7 SP1 x64
TortoiseSVN 1.6.99, Build 21919 - 64 Bit -dev, 2011/08/31 21:32:47
Subversion 1.7.0, -dev
apr 1.4.5
apr-utils 1.3.12
neon 0.29.6
OpenSSL 1.0.0d 8 Feb 2011
zlib 1.2.5

Child-SP RetAddr Call Site
00000000`0445f448 000007fe`edbbaa27 0x6a
00000000`0445f450 000007fe`f89ab49a libsasl!_sasl_log+0x627
[c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\common.c @ 1924]
00000000`0445f520 000007fe`edbb53c2
saslDIGESTMD5!digestmd5_client_mech_dispose+0x4a
[c:\projects\svn\tortoisesvn\ext\cyrus-sasl\plugins\digestmd5.c @ 4174]
00000000`0445f560 000007fe`edbb84aa libsasl!client_dispose+0x72
[c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\client.c @ 289]
00000000`0445f5a0 000007fe`f0a24e8d libsasl!sasl_dispose+0x5a
[c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\common.c @ 848]
00000000`0445f5e0 00000000`6c6c3eee
libsvn_tsvn!svn_ra_svn__sasl_init+0x4d (note: this is actually
sasl_dispose_cb)
00000000`0445f610 00000000`6c6c3ecf libapr_tsvn!apr_pool_destroy+0x6e
00000000`0445f640 00000000`6c6c3ecf libapr_tsvn!apr_pool_destroy+0x4f
00000000`0445f670 00000001`3fb625ce libapr_tsvn!apr_pool_destroy+0x4f
00000000`0445f6a0 00000001`3fc3ef04 TortoiseProc+0x725ce
00000000`0445f7c0 00000001`3fc96ca5 TortoiseProc+0x14ef04
00000000`0445f830 00000001`3fc97c20 TortoiseProc+0x1a6ca5
00000000`0445f860 00000001`3fc98f4d TortoiseProc+0x1a7c20
00000000`0445f8a0 00000000`6a871bc7 TortoiseProc+0x1a8f4d
00000000`0445f8d0 00000000`6a871c55 MSVCR100!endthread+0x53
00000000`0445f900 00000000`773e652d MSVCR100!endthread+0xe1
00000000`0445f930 00000000`77adc521 kernel32!BaseThreadInitThunk+0xd
00000000`0445f960 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

The crash is coming from libsasl's common.c line 1924, where it's trying
to call through the log_cb function pointer. However, log_cb is 0xfa (or
some other value that's definitely not the address of a function).
log_cb is set by the call to _sasl_getcallback() earlier (line 1788),
and it turns out the problem is that conn->callbacks points to corrupted
memory, and _sasl_getcallback() happens to find the right bytes to make
it think that it's found a log callback function.

Subversion's libsvn_ra_svn\cyrus_auth.c svn_ra_svn__do_cyrus_auth()
(line 732) looks fishy to me, although I certainly haven't looked into
it in detail... The callbacks[] array, which is passed ot
new_sasl_ctx(), then to libsasl's sasl_client_new(), is a
local/automatic variable, and it goes out of scope and the memory is
available for reuse after the function exits. However, new_sasl_ctx()
adds the sasl_ctx to a pool and registers a cleanup function for it.
When the pool is destroyed, libsasl wants to use that callbacks[] array
during the cleanup, but that memory's already filled with other stuff.
Shouldn't callbacks[] be allocated on the heap somehow, rather than on
the stack?
Received on 2011-09-08 08:15:53 CEST

This is an archived mail posted to the Subversion Dev mailing list.