Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2020/03/02 23:00:03 UTC

[jira] [Updated] (GUACAMOLE-979) RDP settings strings may be double-freed

     [ https://issues.apache.org/jira/browse/GUACAMOLE-979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Jumper updated GUACAMOLE-979:
----------------------------------
    Summary: RDP settings strings may be double-freed  (was: RemoteApp settings memory may be double-freed)

> RDP settings strings may be double-freed
> ----------------------------------------
>
>                 Key: GUACAMOLE-979
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-979
>             Project: Guacamole
>          Issue Type: Bug
>          Components: RDP
>    Affects Versions: 1.1.0
>            Reporter: Mike Jumper
>            Assignee: Mike Jumper
>            Priority: Minor
>             Fix For: 1.2.0
>
>
> As of 1.1.0, a double-free may occur during cleanup of an RDP connection if RemoteApp was used:
> {code:none}
> guacd[6]: INFO:	Guacamole proxy daemon (guacd) version 1.1.0 started
> guacd[6]: INFO:	Listening on host 0.0.0.0, port 4822
> guacd[6]: INFO:	Creating new client for protocol "rdp"
> guacd[6]: INFO:	Connection ID is "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6"
> guacd[254]: INFO:	Security mode: NLA
> guacd[254]: INFO:	Resize method: none
> guacd[254]: INFO:	User "@c2acad05-7635-4de6-8741-661c65cce4a0" joined connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" (1 users now present)
> guacd[254]: INFO:	Loading keymap "base"
> guacd[254]: INFO:	Loading keymap "en-us-qwerty"
> guacd[254]: INFO:	Connected to RDPDR 1.13 as client 0x0008
> guacd[254]: INFO:	Connected to RDPDR 1.13 as client 0x0007
> guacd[254]: INFO:	RDPDR user logged on
> guacd[254]: INFO:	RDP server closed connection: Manually disconnected.
> guacd[254]: INFO:	User "@c2acad05-7635-4de6-8741-661c65cce4a0" disconnected (0 users remain)
> guacd[254]: INFO:	Last user of connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" disconnected
> guacd[254]: INFO:	Internal RDP client disconnected
> double free or corruption (fasttop)
> guacd[6]: INFO:	Connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" removed.
> {code}
> The double-free occurs within {{guac_rdp_settings_free()}}:
> {code:none}
> Thread 2.15 "guacd" received signal SIGABRT, Aborted.
> [Switching to Thread 0x7fbcfbfff700 (LWP 556)]
> __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> 50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) bt
> ...
> #5  0x00007fbd005a60bd in guac_rdp_settings_free (settings=0x7fbcf400d200)
>     at settings.c:1018
> #6  0x00007fbd005a056d in guac_rdp_client_free_handler (client=<optimized out>)
>     at client.c:179
> #7  0x00007fbd029f5442 in guac_client_free (client=0x7fbcfc00b2f0)
>     at client.c:195
> #8  0x000055b87847e5c5 in guacd_client_free_thread (data=0x7fbd00dcac40)
>     at proc.c:219
> #9  0x00007fbd02606fa3 in start_thread (arg=<optimized out>)
>     at pthread_create.c:486
> #10 0x00007fbd01f434cf in clone ()
>     at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
> (gdb) 
> {code}
> The relevant line is where {{settings->remote_app}} is being freed:
> {code:c}
>     /* Free settings strings */
> ...
>     free(settings->remote_app); // <--- Line 1018
>     free(settings->remote_app_args);
>     free(settings->remote_app_dir);
> {code}
> It appears that the RAIL channel implementation within FreeRDP 2.0.0 now automatically frees these strings, resulting in a double-free when we attempt to do the same.



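The report above describes the classic shape of a double free: two owners (here guacd's settings cleanup and FreeRDP's RAIL channel) each assume they are responsible for releasing the same heap strings. The following is an added example, not code from the Jira issue, guacamole-server or FreeRDP, and all of its identifiers (`rail_settings`, `rail_channel`, `tracked_free`, `move_string`, the "constructed" sample strings) are constructed stand-ins. It wraps `malloc`/`free` in a small tracker that records a repeated free instead of executing it (the real glibc heap aborts with "double free or corruption" as in the log), then runs two handoffs: the aliasing one the report describes, and an explicit ownership move that NULLs the caller's slots so its later cleanup becomes a no-op. Making a copy with `strdup` for the library is the other common remedy; the move is shown because it also leaves no allocation behind.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example: a minimal allocation tracker plus a stand-in for the
 * settings/channel ownership handoff discussed in GUACAMOLE-979. None of
 * these names are guacamole-server or FreeRDP identifiers.
 */

#define MAX_LIVE 16
static void *live[MAX_LIVE];          /* pointers currently owned by someone */
static int live_count = 0;
static int double_free_attempts = 0;  /* frees of pointers that are not live */

static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy == NULL || live_count == MAX_LIVE) { free(copy); return NULL; }
    memcpy(copy, s, n);
    live[live_count++] = copy;
    return copy;
}

/* Frees p once; a second free of the same pointer is recorded, not executed. */
static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];
            free(p);
            return;
        }
    }
    double_free_attempts++;  /* the real heap would abort here */
}

static void tracker_reset(void) {
    while (live_count > 0) free(live[--live_count]);
    double_free_attempts = 0;
}

typedef struct { char *remote_app, *remote_app_args, *remote_app_dir; } rail_settings;
typedef struct { char *program, *arguments, *working_dir; } rail_channel;

static rail_settings make_settings(void) {
    rail_settings st;
    st.remote_app      = tracked_strdup("||constructed-app");
    st.remote_app_args = tracked_strdup("--constructed-arg");
    st.remote_app_dir  = tracked_strdup("C:\\constructed");
    return st;
}

/* Both sides free unconditionally: the pattern the report describes. */
static void settings_free(rail_settings *st) {
    tracked_free(st->remote_app);
    tracked_free(st->remote_app_args);
    tracked_free(st->remote_app_dir);
}
static void channel_free(rail_channel *ch) {
    tracked_free(ch->program);
    tracked_free(ch->arguments);
    tracked_free(ch->working_dir);
}

/* Before: the channel aliases the settings strings and both owners free them. */
int aliasing_handoff_double_frees(void) {
    tracker_reset();
    rail_settings st = make_settings();
    rail_channel ch = { st.remote_app, st.remote_app_args, st.remote_app_dir };
    channel_free(&ch);   /* library releases the strings */
    settings_free(&st);  /* caller releases the same three pointers again */
    return double_free_attempts;
}

/* After: ownership moves explicitly; the caller's slot is NULLed on handoff. */
static char *move_string(char **slot) { char *s = *slot; *slot = NULL; return s; }

int moving_handoff_double_frees(void) {
    tracker_reset();
    rail_settings st = make_settings();
    rail_channel ch;
    ch.program     = move_string(&st.remote_app);
    ch.arguments   = move_string(&st.remote_app_args);
    ch.working_dir = move_string(&st.remote_app_dir);
    channel_free(&ch);
    settings_free(&st);  /* every slot is NULL: nothing is freed twice */
    return double_free_attempts;
}

/* Live allocations left after the moving handoff: 0 means no leak either. */
int moving_handoff_leaks(void) {
    moving_handoff_double_frees();
    return live_count;
}

int main(void) {
    printf("aliasing handoff: %d double frees\n", aliasing_handoff_double_frees());
    printf("moving handoff:   %d double frees, %d leaks\n",
           moving_handoff_double_frees(), moving_handoff_leaks());
    return 0;
}
```

The tracker only models the ownership question; in a real build the same check is what AddressSanitizer or glibc's heap integrity checks perform for you, which is why the report's stack trace appears at the `free(settings->remote_app)` line rather than at the library's earlier release of the same buffer.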