Bug 17116 - Non-null-terminated TpConnectionManager::protocols ?
Summary: Non-null-terminated TpConnectionManager::protocols ?
Status: RESOLVED INVALID
Alias: None
Product: Telepathy
Classification: Unclassified
Component: tp-glib
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Telepathy bugs list
QA Contact: Telepathy bugs list
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-13 08:00 UTC by Murray Cumming
Modified: 2008-08-18 03:07 UTC
CC List: 0 users

See Also:


Attachments
example.c (3.40 KB, text/x-csrc) - 2008-08-13 08:00 UTC, Murray Cumming
Fixed version of example.c (3.25 KB, text/x-csrc) - 2008-08-18 02:30 UTC, Sjoerd Simons

Description Murray Cumming 2008-08-13 08:00:22 UTC
Created attachment 18263 [details]
example.c

Maybe I've made a stupid error, but as far as I can tell the attached code is correct. But it seems to hit uninitialized memory when examining TpConnectionManager::protocols, as if the array has not really been NULL-terminated, at least for the "butterfly" connection manager.

Here is a valgrind backtrace:

$ valgrind --num-callers=30 ./example 
==1330== Memcheck, a memory error detector.
==1330== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==1330== Using LibVEX rev 1804, a library for dynamic binary translation.
==1330== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==1330== Using valgrind-3.3.0-Debian, a dynamic binary instrumentation framework.
==1330== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==1330== For more details, rerun with: -v
==1330== 
Found 6 connection managers:
  Connection Manager name: butterfly

(process:1330): GLib-GObject-CRITICAL **: g_object_get: assertion `G_IS_OBJECT (object)' failed
  Connection Manager name: (null)
==1330== Conditional jump or move depends on uninitialised value(s)
==1330==    at 0x80489DE: on_list_connection_managers (main.c:64)
==1330==    by 0x4078A66: tp_list_connection_managers_got_names (connection-manager.c:1332)
==1330==    by 0x407BD62: _tp_cli_dbus_daemon_invoke_callback_list_names (tp-cli-dbus-daemon-body.h:1818)
==1330==    by 0x40A134A: tp_proxy_pending_call_idle_invoke (proxy-methods.c:153)
==1330==    by 0x48CA1FC: g_idle_dispatch (gmain.c:4178)
==1330==    by 0x48C62C3: g_main_dispatch (gmain.c:2073)
==1330==    by 0x48C77A9: g_main_context_dispatch (gmain.c:2625)
==1330==    by 0x48C7CFD: g_main_context_iterate (gmain.c:2706)
==1330==    by 0x48C84D4: g_main_loop_run (gmain.c:2929)
==1330==    by 0x8048A7E: main (main.c:101)

(process:1330): GLib-GObject-CRITICAL **: g_object_get: assertion `G_IS_OBJECT (object)' failed
  Connection Manager name: (null)
==1330== 
==1330== Invalid read of size 1
==1330==    at 0x40239D8: strlen (mc_replace_strmem.c:242)
==1330==    by 0x49B140A: vfprintf (vfprintf.c:1560)
==1330==    by 0x49B23AF: vprintf (vprintf.c:31)
==1330==    by 0x4904AC4: g_vprintf (gprintf.c:186)
==1330==    by 0x49049D9: g_printf (gprintf.c:55)
==1330==    by 0x80489D5: on_list_connection_managers (main.c:73)
==1330==    by 0x4078A66: tp_list_connection_managers_got_names (connection-manager.c:1332)
==1330==    by 0x407BD62: _tp_cli_dbus_daemon_invoke_callback_list_names (tp-cli-dbus-daemon-body.h:1818)
==1330==    by 0x40A134A: tp_proxy_pending_call_idle_invoke (proxy-methods.c:153)
==1330==    by 0x48CA1FC: g_idle_dispatch (gmain.c:4178)
==1330==    by 0x48C62C3: g_main_dispatch (gmain.c:2073)
==1330==    by 0x48C77A9: g_main_context_dispatch (gmain.c:2625)
==1330==    by 0x48C7CFD: g_main_context_iterate (gmain.c:2706)
==1330==    by 0x48C84D4: g_main_loop_run (gmain.c:2929)
==1330==    by 0x8048A7E: main (main.c:101)
==1330==  Address 0x7273752f is not stack'd, malloc'd or (recently) free'd
==1330== 
==1330== Process terminating with default action of signal 11 (SIGSEGV)
==1330==  Access not within mapped region at address 0x7273752F
==1330==    at 0x40239D8: strlen (mc_replace_strmem.c:242)
==1330==    by 0x49B140A: vfprintf (vfprintf.c:1560)
==1330==    by 0x49B23AF: vprintf (vprintf.c:31)
==1330==    by 0x4904AC4: g_vprintf (gprintf.c:186)
==1330==    by 0x49049D9: g_printf (gprintf.c:55)
==1330==    by 0x80489D5: on_list_connection_managers (main.c:73)
==1330==    by 0x4078A66: tp_list_connection_managers_got_names (connection-manager.c:1332)
==1330==    by 0x407BD62: _tp_cli_dbus_daemon_invoke_callback_list_names (tp-cli-dbus-daemon-body.h:1818)
==1330==    by 0x40A134A: tp_proxy_pending_call_idle_invoke (proxy-methods.c:153)
==1330==    by 0x48CA1FC: g_idle_dispatch (gmain.c:4178)
==1330==    by 0x48C62C3: g_main_dispatch (gmain.c:2073)
==1330==    by 0x48C77A9: g_main_context_dispatch (gmain.c:2625)
==1330==    by 0x48C7CFD: g_main_context_iterate (gmain.c:2706)
==1330==    by 0x48C84D4: g_main_loop_run (gmain.c:2929)
==1330==    by 0x8048A7E: main (main.c:101)
    Protocol name: ==1330== 
==1330== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 95 from 1)
==1330== malloc/free: in use at exit: 55,383 bytes in 728 blocks.
==1330== malloc/free: 2,145 allocs, 1,417 frees, 355,791 bytes allocated.
==1330== For counts of detected errors, rerun with: -v
==1330== searching for pointers to 728 not-freed blocks.
==1330== checked 397,508 bytes.
==1330== 
==1330== LEAK SUMMARY:
==1330==    definitely lost: 156 bytes in 11 blocks.
==1330==      possibly lost: 7,120 bytes in 30 blocks.
==1330==    still reachable: 48,107 bytes in 687 blocks.
==1330==         suppressed: 0 bytes in 0 blocks.
==1330== Rerun with --leak-check=full to see details of leaked memory.
Segmentation fault
Comment 1 Sjoerd Simons 2008-08-18 02:30:04 UTC
Created attachment 18353 [details]
Fixed version of example.c

Your example was slightly wrong, which caused the crash. Attached is a fixed version.
Comment 2 Murray Cumming 2008-08-18 03:07:47 UTC
Yes, it was silly to test the pointer for NULL after doing ++ on it. Thanks for the help.
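The thread above describes the bug only in words: the loop advanced the pointer before checking it, and checked the pointer variable itself rather than the element it points at, so the walk ran past the NULL terminator and `g_printf` called `strlen` on garbage (the "Invalid read of size 1" in the valgrind output). The following is an added example, not the `example.c` attachment from this report and not tp-glib code. `ProtocolInfo`, `sample_protocols` and the helper functions are hypothetical stand-ins for the Telepathy types; it shows the correct way to walk a NULL-terminated pointer array, the broken shape as a comment (it is undefined behaviour, so it is not executed), and a bounded check that verifies a terminator exists within a buffer of known capacity before the buffer is trusted.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a protocol description record. This is NOT
 * tp-glib's TpConnectionManagerProtocol; only the name is needed here. */
typedef struct {
    const char *name;
} ProtocolInfo;

/* Constructed sample data: three records followed by the NULL terminator,
 * mirroring the shape of a NULL-terminated `protocols` array. */
static const ProtocolInfo proto_a = { "proto-a" };
static const ProtocolInfo proto_b = { "proto-b" };
static const ProtocolInfo proto_c = { "proto-c" };

static const ProtocolInfo *const sample_protocols[] = {
    &proto_a, &proto_b, &proto_c, NULL
};

/* Constructed counter-example: the same three records with NO terminator.
 * Any loop that relies on finding NULL would read past the end of this. */
static const ProtocolInfo *const unterminated_protocols[3] = {
    &proto_a, &proto_b, &proto_c
};

/* Correct walk: check the ELEMENT (*p) for NULL before using it, and only
 * then advance. A NULL list pointer is treated as an empty list. */
size_t count_protocols(const ProtocolInfo *const *protocols)
{
    size_t n = 0;

    if (protocols == NULL)
        return 0;

    for (const ProtocolInfo *const *p = protocols; *p != NULL; p++)
        n++;

    return n;
}

/* The shape of the bug in the report, kept as a comment because it is
 * undefined behaviour and must not run:
 *
 *   const ProtocolInfo *const *p = protocols;
 *   do {
 *       g_printf ("  Protocol name: %s\n", (*p)->name);
 *   } while (++p);            // tests p, which is never NULL, not *p
 *
 * After the last real entry, p points at the NULL terminator; the next
 * iteration dereferences it and reads whatever memory follows the array.
 * In the valgrind trace that surfaced as "Conditional jump or move depends
 * on uninitialised value(s)" followed by an "Invalid read" inside strlen. */

/* Defensive check for a buffer whose capacity is known up front: return the
 * index of the NULL terminator, or -1 if none exists within `cap` entries.
 * Run this before handing a buffer of uncertain origin to a sentinel loop. */
long find_terminator(const ProtocolInfo *const *buf, size_t cap)
{
    for (size_t i = 0; i < cap; i++) {
        if (buf[i] == NULL)
            return (long) i;
    }
    return -1;
}

/* Prints every name using the correct idiom; returns the number printed. */
size_t print_protocols(const ProtocolInfo *const *protocols)
{
    size_t n = 0;

    if (protocols == NULL)
        return 0;

    for (const ProtocolInfo *const *p = protocols; *p != NULL; p++) {
        printf("  Protocol name: %s\n", (*p)->name);
        n++;
    }
    return n;
}

int main(void)
{
    printf("terminator index (sample): %ld\n",
           find_terminator(sample_protocols, 4));
    printf("terminator index (unterminated): %ld\n",
           find_terminator(unterminated_protocols, 3));
    printf("%zu protocols printed\n", print_protocols(sample_protocols));
    return 0;
}
```

The general rule is the one Murray states in his last comment: the test belongs on the current element before it is used, and the increment comes after. `find_terminator` is the extra check worth keeping in real code when the array's producer is another process or library: the valgrind errors in the report are exactly what an unbounded sentinel loop produces when the terminator is missing or skipped.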