Re: Another crash in ra_serf in 1.8.0

From: Ivan Zhakov <ivan_at_visualsvn.com>
Date: Fri, 21 Jun 2013 01:01:05 +0400

On Fri, Jun 21, 2013 at 12:30 AM, Greg Stein <gstein_at_gmail.com> wrote:
> On Thu, Jun 20, 2013 at 2:19 PM, Stefan Küng <tortoisesvn_at_gmail.com> wrote:
>> Hi,
>>
>> Another crash that's climbing up in the crash report statistics for TSVN.
>> Seems to be related to the previously discussed problem with checkouts in
>> TSVN.
>>
>> The stack trace:
>>
>> libsvn_tsvn.dll!svn_ra_serf__credentials_callback(char * *
>> username=0xffffffffffffffff, char * * password=0x0000000002ba0210,
>> serf_request_t * request=0x0000000002ba0280, void *
>> baton=0x0000000002c12588, int code=407, const char *
>> authn_type=0x000007fee0bf0b58, const char * realm=0x0000000002c12b60,
>> apr_pool_t * pool=0x0000000002bb8258) Line 1789 C
>
> The 407 code means a proxy authorization is needed.
>
> The problem in this stack frame is the username address. It clearly
> has a problematic value. It should only be about four bytes off from
> the password value.
>
The compiler may optimize the code, and dump files don't have enough
information to find parameter values.

>> libsvn_tsvn.dll!serf__handle_basic_auth(int code=-524813808, serf_request_t
>> * request=0x0000000002ba8368, serf_bucket_t * response=0x0000000000000001,
>> const char * auth_hdr=0x0000000002bb30be, const char *
>> auth_attr=0x0000000002bb30be, void * baton=0x0000000002bac270, apr_pool_t *
>> pool=0x0000000002ba0198) Line 89 C
>
> The code parameter in this traceback is clearly incorrect. It should
> be 407, just like what got passed to the callback.
>
> Either these tracebacks are wonky, or there may be some stack smashing
> going on. Stefan?
>
>>...
>> The crash is in libsvn_ra_serf\util.c, Snippet
>> svn_ra_serf__credentials_callback, line 1789:
>> *username = apr_pstrdup(pool, session->proxy_username);
>> *password = apr_pstrdup(pool, session->proxy_password);
>
> Was session bad? Or was the proxy_username bad?
>
I've checked the disassembly and it crashes on an attempt to read
proxy_password from session, because the session pointer is zero, most
likely because 'handler' points to freed memory.

-- 
Ivan Zhakov
CTO | VisualSVN | http://www.visualsvn.com
Received on 2013-06-20 23:01:57 CEST

This is an archived mail posted to the Subversion Dev mailing list.