Posted to dev@subversion.apache.org by Stefan Küng <to...@gmail.com> on 2008/06/05 17:40:10 UTC
NULL-pointer access in RC5
Hi,
(sorry for the html mail, but I want to keep the stacktrace below
formatted correctly)
Crash report sent for TortoiseSVN, but problem is in the svn library.
I've checked the STATUS file for changes that might have something to do
with this but couldn't find anything:
in the function svn_auth_next_credentials() file
subversion\libsvn_subr\auth.c, the line
provider_set_t *table = state->table;
accesses a NULL pointer since 'state' was NULL (in the crash dump I
received).
Here's the stacktrace:
TortoiseProc.exe!svn_auth_next_credentials(void * * credentials=0x04fefa8c, svn_auth_iterstate_t * state=0x00000000, apr_pool_t * pool=0x0228ea60) Line 243 C
TortoiseProc.exe!handle_basic_auth(svn_ra_serf__session_t * session=0x01258fd0, svn_ra_serf__connection_t * conn=0x02284e58, serf_request_t * request=0x02276a28, serf_bucket_t * response=0x02291270, char * auth_hdr=0x02290cf0, char * auth_attr=0x02290cf5, apr_pool_t * pool=0x0228ea60) Line 303 + 0x14 bytes C
TortoiseProc.exe!svn_ra_serf__handle_auth(int code=401, svn_ra_serf__session_t * session=0x01258fd0, svn_ra_serf__connection_t * conn=0x02284e58, serf_request_t * request=0x02276a28, serf_bucket_t * response=0x02291270, apr_pool_t * pool=0x022a9e58) Line 197 + 0x1b bytes C
> TortoiseProc.exe!handle_response(serf_request_t * request=0x02276a28, serf_bucket_t * response=0x02291270, void * baton=0x01259118, apr_pool_t * pool=0x022a9e58) Line 1199 + 0x19 bytes C
TortoiseProc.exe!read_from_connection(serf_connection_t * conn=0x00000000) Line 750 + 0x13 bytes C
TortoiseProc.exe!process_connection(serf_connection_t * conn=0x00000000, short events=1) Line 852 + 0x7 bytes C
TortoiseProc.exe!serf_context_run(serf_context_t * ctx=0x0228eb30, int duration=2000000000, apr_pool_t * pool=0x011ec568) Line 966 + 0x15 bytes C
TortoiseProc.exe!svn_ra_serf__context_run_wait(int * done=0x04fefb98, svn_ra_serf__session_t * sess=0x01258fd0, apr_pool_t * pool=0x011ec568) Line 540 + 0xf bytes C
TortoiseProc.exe!exchange_capabilities(svn_ra_serf__session_t * serf_sess=0x00000000, apr_pool_t * pool=0x00000000) Line 196 C
TortoiseProc.exe!svn_ra_serf__open(svn_ra_session_t * session=0x01258fc0, const char * repos_URL=0x01258df8, const svn_ra_callbacks2_t * callbacks=0x01258f08, void * callback_baton=0x01258f30, apr_hash_t * config=0x011eaf60, apr_pool_t * pool=0x011ec568) Line 599 + 0x16 bytes C
TortoiseProc.exe!svn_ra_open3(svn_ra_session_t * * session_p=0x04fefcc4, const char * repos_URL=0x01258df8, const char * uuid=0x02275d50, const svn_ra_callbacks2_t * callbacks=0x01258f08, void * callback_baton=0x01258f30, apr_hash_t * config=0x011eaf60, apr_pool_t * pool=0x011ec568) Line 472 + 0x32 bytes C
TortoiseProc.exe!svn_client__open_ra_session_internal(svn_ra_session_t * * ra_session=0x04fefcc4, const char * base_url=0x01258df8, const char * base_dir=0x02275b58, svn_wc_adm_access_t * base_access=0x02275a80, apr_array_header_t * commit_items=0x00000000, int use_admin=0, int read_only_wc=0, svn_client_ctx_t * ctx=0x011ea598, apr_pool_t * pool=0x02275d50) Line 325 + 0x1b bytes C
TortoiseProc.exe!svn_client_lock(const apr_array_header_t * targets=0x011ec5d8, const char * comment=0x01266188, int steal_lock=0, svn_client_ctx_t * ctx=0x011ea598, apr_pool_t * pool=0x011ec568) Line 418 + 0x32 bytes C
In handle_response(), the session->auth_state is set to NULL due to the last
status code being 401. But that auth_state is never set in the following
function calls, which then leads to the NULL pointer access.
btw: will there be another serf release before Subversion releases 1.5.0?
Stefan
--
   ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net
Re: NULL-pointer access in RC5
Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
On Thu, Jun 5, 2008 at 10:40 AM, Stefan Küng <to...@gmail.com> wrote:
> btw: will there be another serf release before Subversion releases 1.5.0?
Lieven's said everything is a go in his tests, so I'm planning to do a
serf release over the weekend. -- justin
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: NULL-pointer access in RC5
Posted by Lieven Govaerts <sv...@mobsol.be>.
Stefan Küng wrote:
> Stefan Küng wrote:
>> Lieven Govaerts wrote:
>>
>>> I've looked at the code and the only possible situation I can think
>>> of that can lead to this stacktrace is when in handle_basic_auth,
>>> svn_auth_first_credentials returns an error. If that happens,
>>> session->realm will be set, but the auth_state will be (most likely)
>>> NULL. That's okay if that error is raised to the user, but I've
>>> noticed we just ignore it in svn_ra_serf__handle_auth.
>>
>> Seems correct. I don't have much information about the crash report
>> (I only have the crash dump file, no additional information).
>>
>>> Now I don't know how to reproduce this yet, but I have found that if
>>> I keep supplying wrong credentials on the command line, after 3
>>> times svn will hang using 100% cpu. I have a fix for that in my
>>> trunk working copy, which also fixes the ignored error problem. As
>>> soon as I get my NTLM+Basic setup working again I'll test and commit.
>>>
>>> I suppose you don't have the possibility to check if that fix will
>>> solve this issue?
>>
>> I'll try contacting the person who sent the crash dump and see if I
>> can send him/her an updated version of TSVN to test. But usually the
>> people who sent the reports don't answer mails asking for more
>> information.
>
> Some more information:
> The user tried to get a lock on a file, but then cancelled when asked
> for authentication.
> TSVN sets the
> svn_auth_cred_username_t **cred
> param of the userprompt callback to
> *cred = NULL
>
> Maybe that helps?
Yes it does. If you set creds to NULL, svn_auth_first_credentials will
set auth_state to NULL. This causes the crash on the next request.
There's no error involved as I thought earlier.
I've committed a fix for trunk in r31619 and will propose it for
backporting to 1.5.1.
Lieven
Re: NULL-pointer access in RC5
Posted by Stefan Küng <to...@gmail.com>.
Stefan Küng wrote:
> Lieven Govaerts wrote:
>
>> I've looked at the code and the only possible situation I can think of
>> that can lead to this stacktrace is when in handle_basic_auth,
>> svn_auth_first_credentials returns an error. If that happens,
>> session->realm will be set, but the auth_state will be (most likely)
>> NULL. That's okay if that error is raised to the user, but I've noticed
>> we just ignore it in svn_ra_serf__handle_auth.
>
> Seems correct. I don't have much information about the crash report (I
> only have the crash dump file, no additional information).
>
>> Now I don't know how to reproduce this yet, but I have found that if I
>> keep supplying wrong credentials on the command line, after 3 times
>> svn will hang using 100% cpu. I have a fix for that in my trunk
>> working copy, which also fixes the ignored error problem. As soon as I
>> get my NTLM+Basic setup working again I'll test and commit.
>>
>> I suppose you don't have the possibility to check if that fix will
>> solve this issue?
>
> I'll try contacting the person who sent the crash dump and see if I
> can send him/her an updated version of TSVN to test. But usually the
> people who sent the reports don't answer mails asking for more information.
Some more information:
The user tried to get a lock on a file, but then cancelled when asked
for authentication.
TSVN sets the
svn_auth_cred_username_t **cred
param of the userprompt callback to
*cred = NULL
Maybe that helps?
Stefan
Re: NULL-pointer access in RC5
Posted by Stefan Küng <to...@gmail.com>.
Lieven Govaerts wrote:
> I've looked at the code and the only possible situation I can think of
> that can lead to this stacktrace is when in handle_basic_auth,
> svn_auth_first_credentials returns an error. If that happens,
> session->realm will be set, but the auth_state will be (most likely)
> NULL. That's okay if that error is raised to the user, but I've noticed
> we just ignore it in svn_ra_serf__handle_auth.
Seems correct. I don't have much information about the crash report (I
only have the crash dump file, no additional information).
> Now I don't know how to reproduce this yet, but I have found that if I
> keep supplying wrong credentials on the command line, after 3 times svn
> will hang using 100% cpu. I have a fix for that in my trunk working
> copy, which also fixes the ignored error problem. As soon as I get my
> NTLM+Basic setup working again I'll test and commit.
>
> I suppose you don't have the possibility to check if that fix will solve
> this issue?
I'll try contacting the person who sent the crash dump and see if I
can send him/her an updated version of TSVN to test. But usually the
people who sent the reports don't answer mails asking for more information.
> Thanks for the crash report! Why does it not include the source file
> names? Also, it would be useful if const char *'s could be printed as
> their string value.
I just copied the content of the stacktrace window in VS2008. I'm not
sure if it's possible to change that.
Stefan
Re: NULL-pointer access in RC5
Posted by Lieven Govaerts <sv...@mobsol.be>.
Stefan Küng wrote:
> Hi,
>
> (sorry for the html mail, but I want to keep the stacktrace below
> formatted correctly)
>
> Crash report sent for TortoiseSVN, but problem is in the svn library.
> I've checked the STATUS file for changes that might have something to
> do with this but couldn't find anything:
>
> in the function svn_auth_next_credentials() file
> subversion\libsvn_subr\auth.c, the line
> provider_set_t *table = state->table;
> accesses a NULL pointer since 'state' was NULL (in the crash dump I
> received).
>
> Here's the stacktrace:
> TortoiseProc.exe!svn_auth_next_credentials(void * * credentials=0x04fefa8c, svn_auth_iterstate_t * state=0x00000000, apr_pool_t * pool=0x0228ea60) Line 243 C
> TortoiseProc.exe!handle_basic_auth(svn_ra_serf__session_t * session=0x01258fd0, svn_ra_serf__connection_t * conn=0x02284e58, serf_request_t * request=0x02276a28, serf_bucket_t * response=0x02291270, char * auth_hdr=0x02290cf0, char * auth_attr=0x02290cf5, apr_pool_t * pool=0x0228ea60) Line 303 + 0x14 bytes C
> TortoiseProc.exe!svn_ra_serf__handle_auth(int code=401, svn_ra_serf__session_t * session=0x01258fd0, svn_ra_serf__connection_t * conn=0x02284e58, serf_request_t * request=0x02276a28, serf_bucket_t * response=0x02291270, apr_pool_t * pool=0x022a9e58) Line 197 + 0x1b bytes C
> > TortoiseProc.exe!handle_response(serf_request_t * request=0x02276a28, serf_bucket_t * response=0x02291270, void * baton=0x01259118, apr_pool_t * pool=0x022a9e58) Line 1199 + 0x19 bytes C
> TortoiseProc.exe!read_from_connection(serf_connection_t * conn=0x00000000) Line 750 + 0x13 bytes C
> TortoiseProc.exe!process_connection(serf_connection_t * conn=0x00000000, short events=1) Line 852 + 0x7 bytes C
> TortoiseProc.exe!serf_context_run(serf_context_t * ctx=0x0228eb30, int duration=2000000000, apr_pool_t * pool=0x011ec568) Line 966 + 0x15 bytes C
> TortoiseProc.exe!svn_ra_serf__context_run_wait(int * done=0x04fefb98, svn_ra_serf__session_t * sess=0x01258fd0, apr_pool_t * pool=0x011ec568) Line 540 + 0xf bytes C
> TortoiseProc.exe!exchange_capabilities(svn_ra_serf__session_t * serf_sess=0x00000000, apr_pool_t * pool=0x00000000) Line 196 C
> TortoiseProc.exe!svn_ra_serf__open(svn_ra_session_t * session=0x01258fc0, const char * repos_URL=0x01258df8, const svn_ra_callbacks2_t * callbacks=0x01258f08, void * callback_baton=0x01258f30, apr_hash_t * config=0x011eaf60, apr_pool_t * pool=0x011ec568) Line 599 + 0x16 bytes C
> TortoiseProc.exe!svn_ra_open3(svn_ra_session_t * * session_p=0x04fefcc4, const char * repos_URL=0x01258df8, const char * uuid=0x02275d50, const svn_ra_callbacks2_t * callbacks=0x01258f08, void * callback_baton=0x01258f30, apr_hash_t * config=0x011eaf60, apr_pool_t * pool=0x011ec568) Line 472 + 0x32 bytes C
> TortoiseProc.exe!svn_client__open_ra_session_internal(svn_ra_session_t * * ra_session=0x04fefcc4, const char * base_url=0x01258df8, const char * base_dir=0x02275b58, svn_wc_adm_access_t * base_access=0x02275a80, apr_array_header_t * commit_items=0x00000000, int use_admin=0, int read_only_wc=0, svn_client_ctx_t * ctx=0x011ea598, apr_pool_t * pool=0x02275d50) Line 325 + 0x1b bytes C
> TortoiseProc.exe!svn_client_lock(const apr_array_header_t * targets=0x011ec5d8, const char * comment=0x01266188, int steal_lock=0, svn_client_ctx_t * ctx=0x011ea598, apr_pool_t * pool=0x011ec568) Line 418 + 0x32 bytes C
>
> In handle_response(), the session->auth_state is set to NULL due to
> the last status code being 401. But that auth_state is never set in the
> following function calls, which then leads to the NULL pointer access.
I've looked at the code and the only possible situation I can think of
that can lead to this stacktrace is when in handle_basic_auth,
svn_auth_first_credentials returns an error. If that happens,
session->realm will be set, but the auth_state will be (most likely)
NULL. That's okay if that error is raised to the user, but I've noticed
we just ignore it in svn_ra_serf__handle_auth.
Now I don't know how to reproduce this yet, but I have found that if I
keep supplying wrong credentials on the command line, after 3 times svn
will hang using 100% cpu. I have a fix for that in my trunk working
copy, which also fixes the ignored error problem. As soon as I get my
NTLM+Basic setup working again I'll test and commit.
I suppose you don't have the possibility to check if that fix will solve
this issue?
Thanks for the crash report! Why does it not include the source file
names? Also, it would be useful if const char *'s could be printed as
their string value.
Lieven
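As an added illustration of what this thread works out (it is not code from Subversion, serf or TortoiseSVN, and it does not model the real provider tables or ra_serf handlers), the C model below reproduces the three behaviours discussed: a cancelled prompt that sets *cred = NULL, which leaves the iterator state NULL so that the next 401 would call next_credentials() on that NULL state; Lieven's point that the handler must not ignore what the first_credentials call reports; and a bound on rejected rounds so that a server which keeps answering 401 cannot spin the client the way the repeated wrong-password case did. Every name in it (auth_iter_t, session_t, first_credentials, next_credentials, handle_401, handle_401_unchecked, run_session, the alice/secret server and the prompt callbacks) is assumed here for illustration and is not Subversion's API.

```c
/* Added example, not Subversion, serf or TortoiseSVN code: a minimal model of
 * the credential iteration discussed in this thread. auth_iter_t, session_t,
 * first_credentials, next_credentials, handle_401, run_session and the prompt
 * callbacks are assumed names for illustration, not Subversion's API. */
#include <string.h>
enum { ERR_OK = 0, ERR_CANCELLED = 1, ERR_AUTH_GAVE_UP = 2 };
#define MAX_401_RETRIES 3
typedef struct { const char *username; const char *password; } cred_t;
/* Prompt callback, as the thread describes TSVN's: sets *cred = NULL on cancel. */
typedef int (*prompt_fn)(cred_t **cred, int attempt, void *baton);
/* Provider iteration state; stays NULL when no credentials were produced. */
typedef struct { prompt_fn prompt; void *baton; int attempt; } auth_iter_t;
typedef struct {
    auth_iter_t *auth_state;      /* NULL until first_credentials gets an answer */
    cred_t *cred;                 /* credentials for the next request, or NULL */
    int realm_seen, retries_401;  /* realm already challenged; rejected rounds */
} session_t;
static auth_iter_t iter_storage;
/* Model of svn_auth_first_credentials: a cancelled prompt leaves both outputs NULL. */
int first_credentials(cred_t **cred, auth_iter_t **state, prompt_fn prompt, void *baton)
{
    int err;
    iter_storage.prompt = prompt; iter_storage.baton = baton; iter_storage.attempt = 0;
    *cred = NULL; *state = NULL;
    err = prompt(cred, 0, baton);
    if (err == ERR_OK && *cred != NULL) *state = &iter_storage;  /* only a real answer creates state */
    return err;
}
/* Model of svn_auth_next_credentials: dereferences state unconditionally, so
 * passing NULL is the caller's bug (the state->table access in the crash). */
int next_credentials(cred_t **cred, auth_iter_t *state)
{
    state->attempt++;
    *cred = NULL;
    return state->prompt(cred, state->attempt, state->baton);
}
/* Shape of the reported crash: after a cancelled first round the realm is
 * known, so the next 401 reaches next_credentials() with a NULL state. */
int handle_401_unchecked(session_t *s, prompt_fn prompt, void *baton)
{
    if (!s->realm_seen) {
        s->realm_seen = 1;
        return first_credentials(&s->cred, &s->auth_state, prompt, baton);
    }
    return next_credentials(&s->cred, s->auth_state);  /* NULL deref here */
}

/* Hardened handler: a cancelled prompt is a terminal error, errors are propagated
 * rather than ignored, and rejected rounds are bounded so a server that keeps
 * answering 401 cannot spin the client at 100% CPU. */
int handle_401(session_t *s, prompt_fn prompt, void *baton)
{
    int err;
    if (!s->realm_seen) {
        s->realm_seen = 1;
        err = first_credentials(&s->cred, &s->auth_state, prompt, baton);
    } else {
        if (s->auth_state == NULL) return ERR_CANCELLED;  /* never iterate NULL */
        if (++s->retries_401 >= MAX_401_RETRIES) return ERR_AUTH_GAVE_UP;
        err = next_credentials(&s->cred, s->auth_state);
    }
    if (err != ERR_OK) return err;
    return s->cred == NULL ? ERR_CANCELLED : ERR_OK;
}

/* Constructed stand-in for the server: accepts only alice/secret. */
int server_accepts(const cred_t *c)
{
    return c && !strcmp(c->username, "alice") && !strcmp(c->password, "secret");
}

/* Send requests until the server accepts or the handler gives up; returns the
 * final code and records the number of requests sent in last_rounds. */
int last_rounds;  /* requests sent by the most recent run_session() call */
int run_session(prompt_fn prompt, void *baton)
{
    session_t s = { NULL, NULL, 0, 0 };
    int err;
    for (last_rounds = 1; last_rounds <= 10; last_rounds++) {   /* safety bound for the model */
        if (server_accepts(s.cred)) return ERR_OK;
        if ((err = handle_401(&s, prompt, baton)) != ERR_OK) return err;
    }
    return ERR_AUTH_GAVE_UP;
}
/* Constructed prompt callbacks standing in for the TSVN dialog. */
static cred_t wrong_cred = { "alice", "guess" }, right_cred = { "alice", "secret" };
int prompt_cancel(cred_t **c, int a, void *b) { (void)a; (void)b; *c = NULL; return ERR_OK; }
int prompt_wrong(cred_t **c, int a, void *b) { (void)a; (void)b; *c = &wrong_cred; return ERR_OK; }
int prompt_second_right(cred_t **c, int a, void *b) { (void)b; *c = a ? &right_cred : &wrong_cred; return ERR_OK; }

/* The reported sequence minus the crash: a cancelled first round through the
 * unchecked handler, then the hardened handler on the next 401. */
int second_401_after_cancel(void)
{
    session_t s = { NULL, NULL, 0, 0 };
    handle_401_unchecked(&s, prompt_cancel, NULL);  /* leaves auth_state NULL */
    return s.auth_state == NULL ? handle_401(&s, prompt_cancel, NULL) : -1;
}
```

With these assumptions, run_session(prompt_cancel, NULL) stops after one request with ERR_CANCELLED instead of sending a credential-less retry that would reach next_credentials() with a NULL state; run_session(prompt_wrong, NULL) prompts three times and then returns ERR_AUTH_GAVE_UP on the fourth request rather than looping; and run_session(prompt_second_right, NULL) still succeeds on the third request, so the bound does not break a legitimate retry. handle_401_unchecked() is only safe to call once after a cancel, which is exactly the condition handle_401() checks before iterating.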