[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: crash opening Repository Browser for svn:// archives

From: Stefan Sperling <stsp_at_elego.de>
Date: Thu, 8 Sep 2011 09:22:56 +0200

On Thu, Sep 08, 2011 at 01:14:27AM -0500, Dave Huang wrote:
> >I have a reproducible crash when trying to open the repository browser,
> >sparse - checkout selection, revision graph and probably other features.
> >
> >Reproduce:
> >- "tortoiseproc /command:repobrowser /path:svn://somewhere"
> >- enter your correct credentials
> >
> >It seems to only happen for svn:// repositories. (I don't know whether
> >it also happens for non-authenticated).
>
> I'm getting the same crash with:
> Windows 7 SP1 x64
> TortoiseSVN 1.6.99, Build 21919 - 64 Bit -dev, 2011/08/31 21:32:47
> Subversion 1.7.0, -dev
> apr 1.4.5
> apr-utils 1.3.12
> neon 0.29.6
> OpenSSL 1.0.0d 8 Feb 2011
> zlib 1.2.5
>
> Child-SP RetAddr Call Site
> 00000000`0445f448 000007fe`edbbaa27 0x6a
> 00000000`0445f450 000007fe`f89ab49a libsasl!_sasl_log+0x627
> [c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\common.c @ 1924]
> 00000000`0445f520 000007fe`edbb53c2
> saslDIGESTMD5!digestmd5_client_mech_dispose+0x4a
> [c:\projects\svn\tortoisesvn\ext\cyrus-sasl\plugins\digestmd5.c @
> 4174]
> 00000000`0445f560 000007fe`edbb84aa libsasl!client_dispose+0x72
> [c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\client.c @ 289]
> 00000000`0445f5a0 000007fe`f0a24e8d libsasl!sasl_dispose+0x5a
> [c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\common.c @ 848]
> 00000000`0445f5e0 00000000`6c6c3eee
> libsvn_tsvn!svn_ra_svn__sasl_init+0x4d (note: this is actually
> sasl_dispose_cb)
> 00000000`0445f610 00000000`6c6c3ecf libapr_tsvn!apr_pool_destroy+0x6e
> 00000000`0445f640 00000000`6c6c3ecf libapr_tsvn!apr_pool_destroy+0x4f
> 00000000`0445f670 00000001`3fb625ce libapr_tsvn!apr_pool_destroy+0x4f
> 00000000`0445f6a0 00000001`3fc3ef04 TortoiseProc+0x725ce
> 00000000`0445f7c0 00000001`3fc96ca5 TortoiseProc+0x14ef04
> 00000000`0445f830 00000001`3fc97c20 TortoiseProc+0x1a6ca5
> 00000000`0445f860 00000001`3fc98f4d TortoiseProc+0x1a7c20
> 00000000`0445f8a0 00000000`6a871bc7 TortoiseProc+0x1a8f4d
> 00000000`0445f8d0 00000000`6a871c55 MSVCR100!endthread+0x53
> 00000000`0445f900 00000000`773e652d MSVCR100!endthread+0xe1
> 00000000`0445f930 00000000`77adc521 kernel32!BaseThreadInitThunk+0xd
> 00000000`0445f960 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
>
> The crash is coming from libsasl's common.c line 1924, where it's
> trying to call through the log_cb function pointer. However, log_cb
> is 0xfa (or some other value that's definitely not the address of a
> function). log_cb is set by the call to _sasl_getcallback() earlier
> (line 1788), and it turns out the problem is that conn->callbacks
> points to corrupted memory, and _sasl_getcallback() happens to find
> the right bytes to make it think that it's found a log callback
> function.
>
> Subversion's libsvn_ra_svn\cyrus_auth.c svn_ra_svn__do_cyrus_auth()
> (line 732) looks fishy to me, although I certainly haven't looked
> into it in detail... The callbacks[] array, which is passed ot
> new_sasl_ctx(), then to libsasl's sasl_client_new(), is a
> local/automatic variable, and it goes out of scope and the memory is
> available for reuse after the function exits. However,
> new_sasl_ctx() adds the sasl_ctx to a pool and registers a cleanup
> function for it. When the pool is destroyed, libsasl wants to use
> that callbacks[] array during the cleanup, but that memory's already
> filled with other stuff. Shouldn't callbacks[] be allocated on the
> heap somehow, rather than on the stack?

Can you try this patch?
It ties the callbacks to the pool which the sasl context lives in.

Index: subversion/libsvn_ra_svn/cyrus_auth.c
===================================================================
--- subversion/libsvn_ra_svn/cyrus_auth.c (revision 1166543)
+++ subversion/libsvn_ra_svn/cyrus_auth.c (working copy)
@@ -738,9 +738,7 @@ svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_bato
   const char *mechstring = "", *last_err = "", *realmstring;
   const char *local_addrport = NULL, *remote_addrport = NULL;
   svn_boolean_t success;
- /* Reserve space for 3 callbacks (for the username, password and the
- array terminator). */
- sasl_callback_t callbacks[3];
+ sasl_callback_t *callbacks;
   cred_baton_t cred_baton;
   int i;
 
@@ -776,6 +774,10 @@ svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_bato
   cred_baton.realmstring = realmstring;
   cred_baton.pool = pool;
 
+ /* Reserve space for 3 callbacks (for the username, password and the
+ array terminator). */
+ callbacks = apr_palloc(sess->conn->pool, sizeof(*callbacks) * 3);
+
   /* Initialize the callbacks array. */
 
   /* The username callback. */
Received on 2011-09-08 09:24:07 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.