Debian Bug report logs - #476571
libneon27: segmentation fault with dav/https shares


Package: libneon27; Maintainer for libneon27 is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for libneon27 is src:neon27.

Reported by: Yves-Alexis <corsac@debian.org>

Date: Thu, 17 Apr 2008 17:12:02 UTC

Severity: normal

Tags: patch

Found in versions neon27/0.28.2-1, neon27/0.28.2-2

Done: Laszlo Boszormenyi (GCS) <gcs@debian.hu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Yves-Alexis <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libneon27: segmentation fault with dav/https shares
Date: Thu, 17 Apr 2008 19:09:37 +0200
Package: libneon27
Version: 0.28.2-1
Severity: normal

Hi,

I have a weird problem using svn with https dav repository, since 0.28 (it
worked and still works fine using 0.27).

The problem occurs only on a private intranet and I couldn't reproduce it
outside yet, so I'm not able to give a backtrace yet, sorry (I'll try to drop
all possible private info from the backtrace and post it later).

Basically, the segfault is in src/ne_uri.c, in merge_paths() function.
It tries to test base->path[0], but in my case, it's NULL, so the comparison
leads to a segfault.

When I follow the stack trace, it gives:
ne_uri.c:merge_paths()
ne_uri.c:ne_uri_resolve()
ne_auth.c:parse_domain()

It's in parse_domain() where base is initialized. There's a memset to 0, and
following the execution flow, I can't see where base->path could be initialized
and some memory allocated. Just after that, there is:

base.path = absolute.path;

So I guess testing (and setting) the base.path in merge_paths() is useless
anyway, but moving the instruction before the call to ne_uri_resolve() doesn't
solve the problem. The call to ne_uri_resolve is part of a loop, and the
second turn is with a base->path set to NULL again.

I know this bug report isn't really detailed enough, but the fact path is
never allocated seems wrong to me (and this part of the code has changed a lot
since 0.27). Maybe upstream could have some pointer on this?

(oh and btw, I've written this BR on an etch machine, but I'm testing on an
up-to-date sid box).

Thanks for your time, and regards,

--
Yves-Alexis Perez

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
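A worked version of the merge step this report describes, added here as an illustration and not taken from neon: the RFC 3986 section 5.2.3 "merge" written so that a base URI whose path is NULL or empty is handled instead of dereferenced. `uri_t` and `merge_paths_safe` are hypothetical stand-ins for neon's `ne_uri` and `merge_paths()`; the hostnames and paths are constructed.

```c
/* Added example (not neon's code): RFC 3986 5.2.3 path merge that tolerates
 * a NULL base path. uri_t / merge_paths_safe are hypothetical stand-ins for
 * neon's ne_uri and merge_paths(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the parts of ne_uri that the merge needs. */
typedef struct {
    const char *host;   /* non-NULL when the base URI has an authority component */
    const char *path;   /* may legitimately be NULL or "" for a bare "https://host" */
} uri_t;

/* Returns a newly malloc()ed merged path, or NULL on allocation failure.
 * rel must be a relative-path reference (it does not start with '/'). */
char *merge_paths_safe(const uri_t *base, const char *rel)
{
    /* Treat a missing path exactly like an empty one: never evaluate
     * base->path[0] through a NULL pointer, which is what the report hit. */
    const char *bpath = (base && base->path) ? base->path : "";
    size_t blen, rlen = strlen(rel);
    char *out;

    if (base && base->host && bpath[0] == '\0') {
        /* RFC 3986 5.2.3: base has an authority and an empty path -> "/" + rel */
        out = malloc(rlen + 2);
        if (!out) return NULL;
        out[0] = '/';
        memcpy(out + 1, rel, rlen + 1);
        return out;
    }

    /* Otherwise keep everything up to and including the last '/' of the base
     * path (nothing if there is no slash) and append the relative path. */
    const char *slash = strrchr(bpath, '/');
    blen = slash ? (size_t)(slash - bpath) + 1 : 0;
    out = malloc(blen + rlen + 1);
    if (!out) return NULL;
    memcpy(out, bpath, blen);
    memcpy(out + blen, rel, rlen + 1);
    return out;
}

int main(void)
{
    /* Constructed inputs: the second base mimics the NULL path seen in the bug. */
    uri_t with_path = { "svn.example.test", "/svn/training/trunk/" };
    uri_t null_path = { "svn.example.test", NULL };
    const char *rels[2] = { "file.c", "dir/file.c" };
    const uri_t *bases[2] = { &with_path, &null_path };

    for (int b = 0; b < 2; b++) {
        for (int r = 0; r < 2; r++) {
            char *m = merge_paths_safe(bases[b], rels[r]);
            printf("base path %-22s + %-11s -> %s\n",
                   bases[b]->path ? bases[b]->path : "(NULL)",
                   rels[r], m ? m : "(alloc failed)");
            free(m);
        }
    }
    return 0;
}
```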




Bug no longer marked as found in version 0.27.2-1. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Thu, 17 Apr 2008 18:18:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #12 received at 476571@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: 476571@bugs.debian.org
Subject: Re: libneon27: segmentation fault with dav/https shares
Date: Thu, 17 Apr 2008 20:22:21 +0200
On jeu, 2008-04-17 at 19:09 +0200, Yves-Alexis wrote:
> I have a weird problem using svn with https dav repository, since 0.28 (it
> worked and still works fine using 0.27).

Oh, and by the way, the same thing happens trying to mount the https
share with mount.davfs (which uses libneon).

Cheers,
-- 
Yves-Alexis

Tags added: patch. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Sat, 19 Apr 2008 09:42:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #19 received at 476571@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: 476571@bugs.debian.org
Subject: Update, with a patch
Date: Sat, 19 Apr 2008 11:07:36 +0200
Hi,

I've managed to track down the issue. It seems there's a quad-nested-if
where not all conditions are correctly tested. In our case, it seems we
run into a “default condition” (don't know why it happens only in our
intranet). The attached patch fixes the problem for us and doesn't seem
to break neon when I test it on internet.

It'd be nice if the patch could be applied soon (after testing), because
currently subversion is completely unusable for us.

Thanks for your time, and regards.
-- 
Yves-Alexis
[0001-fix-segfault-if-base-path-is-NULL.patch (application/mbox, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Laszlo Boszormenyi <gcs@lsc.hu>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #24 received at 476571@bugs.debian.org (full text, mbox):

From: Laszlo Boszormenyi <gcs@lsc.hu>
To: Joe Orton <joe@manyfish.co.uk>, 476571@bugs.debian.org
Cc: control@bugs.debian.org
Subject: neon 0.28 failures
Date: Sat, 19 Apr 2008 12:53:44 +0200
package neon27
forwarded 476571 joe-at-manyfish.co.uk
thanks

Hi Joe,

I'm the maintainer of Neon packages in Debian. I got several bug reports
for 0.28.x [1][2].
For the former, there's a patch by Yves-Alexis Perez
<corsac-at-debian.org> which fixes the segfault if base->path is NULL:
--- a/src/ne_uri.c
+++ b/src/ne_uri.c
@@ -409,7 +409,7 @@ ne_uri *ne_uri_resolve(const ne_uri *base, const ne_uri *relative,
             } else {
                 if (relative->path[0] == '/') {
                     target->path = remove_dot_segments(relative->path);
-                } else {
+                } else if (base->path) {
                     char *merged = merge_paths(base, relative->path);
                     target->path = remove_dot_segments(merged);
                     ne_free(merged);
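Review bot: the new `else if (base->path)` branch leaves target->path unassigned when base->path is NULL; nothing in the visible lines sets it in that case, so the caller gets whatever ne_uri_resolve initialised target to and the relative path is silently dropped rather than resolved. Per RFC 3986 section 5.2.3, a base with an authority and an empty path merges as "/" followed by the relative path; treating a NULL base path the same way (or initialising it to "" in the caller that builds base, which the first report identifies as parse_domain()) would give a defined result instead of skipping the merge.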

The latter is broken by me, right? I have specified:
--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
in response to DAV asking for connection confirmation even if the server
certificate is signed by a trusted CA [3]. What can be the solution then?

Regards,
Laszlo/GCS
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476571
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474139
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=459453





Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #29 received at 476571@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: 476571@bugs.debian.org
Subject: reproduced
Date: Sun, 20 Apr 2008 11:49:01 +0200
I've managed to reproduce this on the “outside world”. You can test
using:

https://svn.grabeuh.com/svn/training

then add something in trunk/ and try to commit. It segfaults in
ne_uri_resolve().

I've not rebuilt a not-optimized package so the backtrace is not yet
usable, but as you may reproduce it yourself, it may be not useful.

Please ask if you need it anyway.

Cheers,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #34 received at 476571@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: 476571@bugs.debian.org
Subject: News?
Date: Fri, 25 Apr 2008 08:01:55 +0200
Is there any news on this issue? As it's now possible to reproduce it
outside, it'd be nice to have a correction in the archive, and the
simple patch given has worked for us for a week, without brokenness.

Did you have an answer from upstream about this?

Cheers, and thanks for the work,
-- 
Yves-Alexis

Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Yves-Alexis <corsac@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #39 received at 476571-close@bugs.debian.org (full text, mbox):

From: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
To: 476571-close@bugs.debian.org
Subject: Bug#476571: fixed in neon27 0.28.2-2
Date: Sun, 27 Apr 2008 18:32:12 +0000
Source: neon27
Source-Version: 0.28.2-2

We believe that the bug you reported is fixed in the latest version of
neon27, which is due to be installed in the Debian FTP archive:

libneon27-dbg_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-dbg_0.28.2-2_amd64.deb
libneon27-dev_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-dev_0.28.2-2_amd64.deb
libneon27-gnutls-dbg_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls-dbg_0.28.2-2_amd64.deb
libneon27-gnutls-dev_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls-dev_0.28.2-2_amd64.deb
libneon27-gnutls_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls_0.28.2-2_amd64.deb
libneon27_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27_0.28.2-2_amd64.deb
neon27_0.28.2-2.diff.gz
  to pool/main/n/neon27/neon27_0.28.2-2.diff.gz
neon27_0.28.2-2.dsc
  to pool/main/n/neon27/neon27_0.28.2-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 476571@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.hu> (supplier of updated neon27 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 21 Apr 2008 13:56:22 +0200
Source: neon27
Binary: libneon27 libneon27-dev libneon27-dbg libneon27-gnutls libneon27-gnutls-dev libneon27-gnutls-dbg
Architecture: source amd64
Version: 0.28.2-2
Distribution: unstable
Urgency: low
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Description: 
 libneon27  - An HTTP and WebDAV client library
 libneon27-dbg - Detached symbols for libneon27
 libneon27-dev - Header and static library files for libneon27
 libneon27-gnutls - An HTTP and WebDAV client library (GnuTLS enabled)
 libneon27-gnutls-dbg - Detached symbols for libneon27 (GnuTLS enabled)
 libneon27-gnutls-dev - Header and static library files for libneon27 (GnuTLS enabled)
Closes: 474139 476571
Changes: 
 neon27 (0.28.2-2) unstable; urgency=low
 .
   * Only the GnuTLS flavour needs to be configured with --with-ca-bundle
     (closes: #474139).
   * Fix segfault with dav/https shares (closes: #476571), thanks to
     Yves-Alexis Perez for the patch.






Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Fleury <fleury@labri.fr>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #44 received at 476571@bugs.debian.org (full text, mbox):

From: Emmanuel Fleury <fleury@labri.fr>
To: 476571@bugs.debian.org
Subject: [libneon27] segmentation fault with WebDAV/HTTPS
Date: Tue, 13 May 2008 00:12:57 +0200
Package: libneon27
Version: 0.28.2-2

I am experiencing a segfault on a WebDAV connection through HTTPS with
libneon27-0.28.2-2.

I see the problem on all platforms I tried (mainly x86 and amd64). Here
is a gdb trace of the problem (I reach the problem through a sitecopy
request):

[fleury@excalibur]$ gdb `which sitecopy`
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) break ne_request.c:349
No source file named ne_request.c.
Make breakpoint pending on future shared library load? (y or [n]) y

Breakpoint 1 (ne_request.c:349) pending.
(gdb) run --fetch LaBRI
Starting program: /usr/bin/sitecopy --fetch LaBRI
sitecopy: Fetching site `LaBRI' (on webdav.labri.fr in /perso/fleury/)

Breakpoint 1, send_request_body (req=0x724820, retry=1)
    at /neon27-0.28.2/src/ne_request.c:349
349         notify_status(sess, ne_status_sending);
(gdb) c
Continuing.
Checksumming home.html: [..] done.
Checksumming bug_transmeta.html: [...] done.
Checksumming p7120.html: [...] done.
Checksumming hacking.html: [..] done.
Checksumming development.html: [..] done.
Checksumming research.html: [..] done.
Checksumming index.php: [..] done.
Checksumming teaching.html: [..] done.
Checksumming publications.html: [...] done.

Breakpoint 1, send_request_body (req=0x7428a0, retry=1)
    at /neon27-0.28.2/src/ne_request.c:349
349         notify_status(sess, ne_status_sending);
(gdb) s
347         req->session->status.sr.progress = 0;
(gdb)
348         req->session->status.sr.total = req->body_length;
(gdb)
349         notify_status(sess, ne_status_sending);
(gdb)
notify_status (sess=0x633480, status=ne_status_sending)
    at /neon27-0.28.2/src/ne_request.c:221
221         if (sess->notify_cb) {
(gdb)
222             sess->notify_cb(sess->notify_ud, status, &sess->status);
(gdb)
progress_notifier (userdata=0x633480, status=ne_status_sending,
info=0x6335e0)
    at /neon27-0.28.2/src/ne_session.c:216
216         if (status == ne_status_sending || status == ne_status_recving) {
(gdb) n
213	{
(gdb)
216	    if (status == ne_status_sending || status == ne_status_recving) {
(gdb)
217	        sess->progress_cb(sess->progress_ud, info->sr.progress, info->sr.total);
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()

**********************************************************************

As you see, the problem occurs in ne_session.c:216. Here is a more
detailed trace:

**********************************************************************

[fleury@excalibur LaBRI]$ gdb `which sitecopy`
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) break ne_request.c:349
No source file named ne_request.c.
Make breakpoint pending on future shared library load? (y or [n]) y

Breakpoint 1 (ne_request.c:349) pending.
(gdb) run --fetch LaBRI
Starting program: /usr/bin/sitecopy --fetch LaBRI
sitecopy: Fetching site `LaBRI' (on webdav.labri.fr in /perso/fleury/)

Breakpoint 1, send_request_body (req=0x724820, retry=1)
    at /neon27-0.28.2/src/ne_request.c:349
349         notify_status(sess, ne_status_sending);
(gdb) c
Continuing.
Checksumming home.html: [..] done.
Checksumming bug_transmeta.html: [...] done.
Checksumming p7120.html: [...] done.
Checksumming hacking.html: [..] done.
Checksumming development.html: [..] done.
Checksumming research.html: [..] done.
Checksumming index.php: [..] done.
Checksumming teaching.html: [..] done.
Checksumming publications.html: [...] done.

Breakpoint 1, send_request_body (req=0x7428a0, retry=1)
    at /neon27-0.28.2/src/ne_request.c:349
349         notify_status(sess, ne_status_sending);
(gdb) s
347         req->session->status.sr.progress = 0;
(gdb)
348         req->session->status.sr.total = req->body_length;
(gdb)
349         notify_status(sess, ne_status_sending);
(gdb)
notify_status (sess=0x633480, status=ne_status_sending)
    at /neon27-0.28.2/src/ne_request.c:221
221         if (sess->notify_cb) {
(gdb)
222             sess->notify_cb(sess->notify_ud, status, &sess->status);
(gdb)
progress_notifier (userdata=0x633480, status=ne_status_sending,
info=0x6335e0)
    at /neon27-0.28.2/src/ne_session.c:216
216	    if (status == ne_status_sending || status == ne_status_recving) {
(gdb)
213	{
(gdb)
216	    if (status == ne_status_sending || status == ne_status_recving) {
(gdb)
217	        sess->progress_cb(sess->progress_ud, info->sr.progress, info->sr.total);
(gdb) bt
#0  progress_notifier (userdata=0x633480, status=<value optimized out>,
    info=0x6335e0)
    at /neon27-0.28.2/src/ne_session.c:217
#1  0x00007fca6f359105 in send_request_body (req=0x7428a0, retry=1)
    at /neon27-0.28.2/src/ne_request.c:349
#2  0x00007fca6f35a67f in send_request (req=0x7428a0, request=0x726d90)
    at /neon27-0.28.2/src/ne_request.c:942
#3  0x00007fca6f359cb2 in ne_begin_request (req=0x7428a0)
    at /neon27-0.28.2/src/ne_request.c:1163
#4  0x00007fca6f35a38d in ne_request_dispatch (req=0x7428a0)
    at /neon27-0.28.2/src/ne_request.c:1372
#5  0x00007fca6f365a0d in propfind (handler=0x739570,
    results=0x40d760 <pfind_results>, userdata=0x7fff7778c5d0)
    at /neon27-0.28.2/src/ne_props.c:143
#6  0x000000000040d716 in fetch_list ()
#7  0x00000000004050e3 in site_fetch ()
#8  0x0000000000410ed5 in act_on_site ()
#9  0x0000000000411c7f in main ()
(gdb) p status
$1 = <value optimized out>
(gdb) p sess
No symbol "sess" in current context.
(gdb) info frame
Stack level 0, frame at 0x7fff7778a1e0:
 rip = 0x7fca6f35ad30 in progress_notifier
    (/neon27-0.28.2/src/ne_session.c:217); saved rip 0x7fca6f359105
 called by frame at 0x7fff7778c220
 source language c.
 Arglist at 0x7fff7778a1d0, args: userdata=0x633480,
    status=<value optimized out>, info=0x6335e0
 Locals at 0x7fff7778a1d0, Previous frame's sp is 0x7fff7778a1e0
 Saved registers:
  rip at 0x7fff7778a1d8
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()

**********************************************************************

After SIGSEGV is reached, the frame and the backtrace look like this:

**********************************************************************


(gdb) info frame
Stack level 0, frame at 0x7fff7778a1e0:
 rip = 0x0; saved rip 0x7fca6f359105
 called by frame at 0x7fff7778c220
 Arglist at 0x7fff7778a1d0, args:
 Locals at 0x7fff7778a1d0, Previous frame's sp is 0x7fff7778a1e0
 Saved registers:
  rip at 0x7fff7778a1d8
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007fca6f359105 in send_request_body (req=0x7428a0, retry=1)
    at /neon27-0.28.2/src/ne_request.c:349
#2  0x00007fca6f35a67f in send_request (req=0x7428a0, request=0x726d90)
    at /neon27-0.28.2/src/ne_request.c:942
#3  0x00007fca6f359cb2 in ne_begin_request (req=0x7428a0)
    at /neon27-0.28.2/src/ne_request.c:1163
#4  0x00007fca6f35a38d in ne_request_dispatch (req=0x7428a0)
    at /neon27-0.28.2/src/ne_request.c:1372
#5  0x00007fca6f365a0d in propfind (handler=0x739570,
    results=0x40d760 <pfind_results>, userdata=0x7fff7778c5d0)
    at /neon27-0.28.2/src/ne_props.c:143
#6  0x000000000040d716 in fetch_list ()
#7  0x00000000004050e3 in site_fetch ()
#8  0x0000000000410ed5 in act_on_site ()
#9  0x0000000000411c7f in main ()


**********************************************************************

My guess is that the saved eip is overwritten when accessed but I have no
clue why. :-(

If you find out why or if you want to try out some things on my trace (I
easily admit that the bug isn't easy to reproduce out of the context of
sitecopy and the content of my website), feel free to ask!

By the way, I did this on amd64 but I can easily do it on x86 (I guess
it will be the same more or less).

--- System information. ---
Architecture: amd64
Kernel:       Linux 2.6.25.3

Debian Release: lenny/sid
  500 unstable        www.debian-multimedia.org
  500 unstable        ftp.fr.debian.org

--- Package information. ---
Depends               (Version) | Installed
===============================-+-================
libc6                (>= 2.7-1) | 2.7-11
libcomerr2          (>= 1.33-3) | 1.40.8-2
libkrb53        (>= 1.6.dfsg.2) | 1.6.dfsg.3-2
libssl0.9.8       (>= 0.9.8f-5) | 0.9.8g-10
libxml2             (>= 2.6.27) | 2.6.32.dfsg-2
zlib1g             (>= 1:1.1.4) | 1:1.2.3.3.dfsg-12




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Fleury <fleury@labri.fr>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #49 received at 476571@bugs.debian.org (full text, mbox):

From: Emmanuel Fleury <fleury@labri.fr>
To: 476571@bugs.debian.org
Subject: Re: [libneon27] segmentation fault with WebDAV/HTTPS
Date: Wed, 14 May 2008 01:04:20 +0200
Hi,

It seems that the problem is located exactly at ne_session.c:217, that is
to say:

static void progress_notifier(void *userdata, ne_session_status status,
                              const ne_session_status_info *info)
{
    ne_session *sess = userdata;

    if (status == ne_status_sending || status == ne_status_recving) {
        sess->progress_cb(sess->progress_ud, info->sr.progress, info->sr.total);
    }
}

When executing step by step and stopping just before the segfault,
printing the variable 'sess' seems to be impossible there although the
scope seems to allow it.

(gdb)
progress_notifier (userdata=0x8070ad8, status=ne_status_sending,
    info=0x8070ba0)
    at /neon27-0.28.2/src/ne_session.c:216
216	    if (status == ne_status_sending || status == ne_status_recving) {
(gdb)
217	        sess->progress_cb(sess->progress_ud, info->sr.progress, info->sr.total);
(gdb) p sess
No symbol "sess" in current context.


Anyway, userdata can be used in place of sess:

(gdb) p userdata
$17 = (void *) 0x8070ad8
(gdb) disas 0x8070ad8
No function contains specified address.
(gdb) ptype userdata
type = void *
(gdb) p (ne_session*) userdata
$18 = (struct ne_session_s *) 0x8070ad8
(gdb) p ((ne_session*) userdata)->progress_cb
$19 = (ne_progress) 0x804b530 <site_sock_progress_cb>
(gdb) p ((ne_session*) userdata)->progress_ud
$20 = (void *) 0x0
(gdb) p ((ne_session*) userdata)
$21 = (struct ne_session_s *) 0x8070ad8

The progress function seems to be site_sock_progress_cb and the
progress_ud seems to be 0x0 (I don't know if it is meaningful or not).

I checked also info and everything seemed ok.

I'll try to get further later. :)

Regards
-- 
Emmanuel Fleury

I liked things better when I didn't understand them.
  -- Calvin & Hobbes (Bill Waterson)




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Fleury <fleury@labri.fr>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #54 received at 476571@bugs.debian.org (full text, mbox):

From: Emmanuel Fleury <fleury@labri.fr>
To: 476571@bugs.debian.org
Subject: Re: [libneon27] segmentation fault with WebDAV/HTTPS
Date: Wed, 14 May 2008 09:55:41 +0200
Hi again,

Ok, I have a bit more understanding of what is going on there now.

It seems that the progress function which seems to be given through a
function pointer (progress_cb) is not always set properly.

Here is a run with a break at:

217	        sess->progress_cb(sess->progress_ud, info->sr.progress,

You can see that the parameters are evolving quite ok at the beginning
and then suddenly the userdata->progress_cb gets lost for some reason
that I have failed to find until now:

10: info->sr.total = 16280
9: info->sr.progress = 8192
8: ((struct ne_session_s *) userdata)->progress_cb = (
    ne_progress) 0x804b530 <site_sock_progress_cb>
7: ((struct ne_session_s *) userdata)->progress_ud = (void *) 0x0
6: (struct ne_session_s *) userdata = (struct ne_session_s *) 0x8070ad8
(gdb)
Continuing.
.
Breakpoint 1, progress_notifier (userdata=0x8070ad8,
status=ne_status_recving,
    info=0x8070ba0)
    at
/home/fleury/development/hacking/debug/sitecopy/neon27-0.28.2/src/ne_session.c:217
217	        sess->progress_cb(sess->progress_ud, info->sr.progress, info->sr.total);
10: info->sr.total = 16280
9: info->sr.progress = 16280
8: ((struct ne_session_s *) userdata)->progress_cb = (
    ne_progress) 0x804b530 <site_sock_progress_cb>
7: ((struct ne_session_s *) userdata)->progress_ud = (void *) 0x0
6: (struct ne_session_s *) userdata = (struct ne_session_s *) 0x8070ad8
(gdb)
Continuing.
.] done.

Breakpoint 1, progress_notifier (userdata=0x8070ad8,
status=ne_status_sending,
    info=0x8070ba0)
    at
/home/fleury/development/hacking/debug/sitecopy/neon27-0.28.2/src/ne_session.c:217
217	        sess->progress_cb(sess->progress_ud, info->sr.progress, info->sr.total);
10: info->sr.total = 233
9: info->sr.progress = 0
8: ((struct ne_session_s *) userdata)->progress_cb = (ne_progress) 0
7: ((struct ne_session_s *) userdata)->progress_ud = (void *) 0x0
6: (struct ne_session_s *) userdata = (struct ne_session_s *) 0x8070ad8
(gdb)
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000 in ?? ()


I'll investigate this further.

Regards
-- 
Emmanuel Fleury

You don't lose money by sharing knowledge, when the terms are that
whoever you share with will share his knowledge back with you.
You're in a stronger position.
  -- Linus Torvalds




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Fleury <fleury@labri.fr>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #59 received at 476571@bugs.debian.org (full text, mbox):

From: Emmanuel Fleury <fleury@labri.fr>
To: 476571@bugs.debian.org
Subject: Re: [libneon27] segmentation fault with WebDAV/HTTPS
Date: Fri, 23 May 2008 18:15:15 +0200
Back again,

Soooo, I think I was wrong... in fact the problem seems to come from
sitecopy, which misuses the libneon API (at least this is my guess).

Here is what happens:

The libneon:ne_session.c:progress_notifier can be called even though
sitecopy:davdriver.c:file_read has freed the userdata field (called
eremote in the scope of sitecopy) at davdriver.c:519.

(not) Surprisingly, libneon crashes when the progress_notifier is called
upon NULL userdata.

Anyway, in my humble opinion, I think the problem should be solved in
libneon as this library does not seem to be programmed defensively enough.
E.g., in the function:

static void progress_notifier(void *userdata, ne_session_status status,
                              const ne_session_status_info *info)
{
    ne_session *sess = userdata;

    if (status == ne_status_sending || status == ne_status_recving) {
        sess->progress_cb(sess->progress_ud, info->sr.progress, info->sr.total);
    }
}

One should also check that userdata is not NULL... as the userdata seems
to still be in the user's memory scope.

« Abandon every hope, ye who trust user's data here. »

:)

Regards
-- 
Emmanuel Fleury

/* Dijkstra probably hates me. */
  -- Linus Torvalds, in kernel/sched.c




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#476571; Package libneon27. Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Fleury <fleury@labri.fr>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. Full text and rfc822 format available.

Message #64 received at 476571@bugs.debian.org (full text, mbox):

From: Emmanuel Fleury <fleury@labri.fr>
To: 476571@bugs.debian.org
Subject: Re: [libneon27] segmentation fault with WebDAV/HTTPS
Date: Fri, 23 May 2008 18:41:31 +0200
Hello,

Ooops, I forgot the patch (though I'm not sure it's the best way to do it;
at least this is a 'hack that worked' on my problem):

--- neon27-0.28.2/src/ne_session.c.orig	2008-05-23 18:38:34.000000000 +0200
+++ neon27-0.28.2/src/ne_session.c	2008-05-23 18:30:49.000000000 +0200
@@ -213,7 +213,7 @@
 {
     ne_session *sess = userdata;

-    if (status == ne_status_sending || status == ne_status_recving) {
+    if ((sess->progress_cb!=NULL) && (status == ne_status_sending ||
status == ne_status_recving)) {
         sess->progress_cb(sess->progress_ud, info->sr.progress,
info->sr.total);
     }
 }
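Review bot: the added `sess->progress_cb!=NULL` guard matches the evidence in the earlier trace (progress_cb = (ne_progress) 0 while userdata is still 0x8070ad8), so it stops the jump to address 0, but it dereferences sess first; if userdata itself were NULL or already freed, as Message #59 suggests, the guard reads through an invalid pointer and offers no protection. A complementary fix is for the call that installs or clears progress_cb to also clear the notifier, so progress_notifier is never reached with an empty callback. Also, the `+` line is wrapped by the mailer across two lines (`... status == ne_status_sending ||` / `status == ne_status_recving)) {`), so the patch will not apply as pasted, and the surrounding context uses spaces around operators (`progress_cb != NULL`).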

-- 
Emmanuel Fleury

We don't see things as they are, we see things as we are.
  -- Anaïs Nin
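Added example, not neon's or sitecopy's code, covering the defensive check argued for in Message #59 and patched in Message #64: a minimal model of the notifier/progress callback pair in which `progress_notifier` guards the function pointer and `set_progress` uninstalls the notifier when the callback is cleared, so a later notification cannot route into an empty callback. `session_t`, `set_progress`, `notify` and `run_scenario` are hypothetical names; the progress values are constructed from the traces above.

```c
/* Added example (not neon's code): model of the progress/notifier pair from
 * ne_session.c with two defensive changes. session_t, set_progress, notify and
 * run_scenario are hypothetical stand-ins for ne_session, ne_set_progress and
 * notify_status. */
#include <stddef.h>
#include <stdio.h>

typedef enum { STATUS_CONNECTING, STATUS_SENDING, STATUS_RECVING } status_t;
typedef struct { long progress, total; } status_info_t;
typedef void (*progress_fn)(void *ud, long progress, long total);
typedef void (*notify_fn)(void *ud, status_t status, const status_info_t *info);

typedef struct {
    notify_fn   notify_cb;   void *notify_ud;    /* low-level notifier hook */
    progress_fn progress_cb; void *progress_ud;  /* user-facing progress hook */
} session_t;

/* Bridge from the notifier to the user's progress callback. Guarding sess and
 * sess->progress_cb is change one: an indirect call through a NULL function
 * pointer is the "0x0000000000000000 in ?? ()" seen in the gdb traces. */
static void progress_notifier(void *userdata, status_t status, const status_info_t *info)
{
    session_t *sess = userdata;
    if (sess == NULL || sess->progress_cb == NULL || info == NULL)
        return;
    if (status == STATUS_SENDING || status == STATUS_RECVING)
        sess->progress_cb(sess->progress_ud, info->progress, info->total);
}

/* Change two: clearing the progress callback also uninstalls the notifier,
 * so notify() never reaches progress_notifier with an empty callback. */
void set_progress(session_t *sess, progress_fn cb, void *ud)
{
    sess->progress_cb = cb;
    sess->progress_ud = ud;
    if (cb) { sess->notify_cb = progress_notifier; sess->notify_ud = sess; }
    else    { sess->notify_cb = NULL;              sess->notify_ud = NULL; }
}

/* Fires the notifier if one is installed; returns 1 if a notifier ran. */
int notify(session_t *sess, status_t status, long progress, long total)
{
    status_info_t info = { progress, total };
    if (sess->notify_cb == NULL) return 0;
    sess->notify_cb(sess->notify_ud, status, &info);
    return 1;
}

/* Sample callback: counts invocations through a caller-provided counter. */
static void count_progress(void *ud, long progress, long total)
{
    (void)progress; (void)total;
    (*(int *)ud)++;
}

/* Drives the sequence the traces show: progress reported, callback cleared,
 * another request sends. Returns the number of callback invocations. */
int run_scenario(void)
{
    session_t sess = { NULL, NULL, NULL, NULL };
    int calls = 0;
    set_progress(&sess, count_progress, &calls);
    notify(&sess, STATUS_RECVING, 8192, 16280);   /* delivered */
    notify(&sess, STATUS_CONNECTING, 0, 0);       /* wrong status, not delivered */
    set_progress(&sess, NULL, NULL);              /* user clears the hook */
    notify(&sess, STATUS_SENDING, 0, 233);        /* must neither crash nor deliver */
    return calls;
}

int main(void)
{
    printf("progress callback delivered %d time(s)\n", run_scenario());
    return 0;
}
```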




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 21 Jun 2008 07:43:42 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:35:53 2014; Machine Name: beach.debian.org
