[Telepathy] [Bug 17116] New: Non-null-terminated TpConnectionManager::protocols ?

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Aug 13 08:00:23 PDT 2008


http://bugs.freedesktop.org/show_bug.cgi?id=17116

           Summary: Non-null-terminated TpConnectionManager::protocols ?
           Product: Telepathy
           Version: unspecified
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: telepathy-glib
        AssignedTo: telepathy at lists.freedesktop.org
        ReportedBy: murrayc at murrayc.com


Created an attachment (id=18263)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=18263)
example.c

Maybe I've made a stupid error, but as far as I can tell the attached code is
correct. But it seems to hit uninitialized memory when examining
TpConnectionManager::protocols, as if the array has not really been
NULL-terminated, at least for the "butterfly" connection manager.

Here is a valgrind backtrace:

$ valgrind --num-callers=30 ./example 
==1330== Memcheck, a memory error detector.
==1330== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==1330== Using LibVEX rev 1804, a library for dynamic binary translation.
==1330== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==1330== Using valgrind-3.3.0-Debian, a dynamic binary instrumentation framework.
==1330== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==1330== For more details, rerun with: -v
==1330== 
Found 6 connection managers:
  Connection Manager name: butterfly

(process:1330): GLib-GObject-CRITICAL **: g_object_get: assertion `G_IS_OBJECT (object)' failed
  Connection Manager name: (null)
==1330== Conditional jump or move depends on uninitialised value(s)
==1330==    at 0x80489DE: on_list_connection_managers (main.c:64)
==1330==    by 0x4078A66: tp_list_connection_managers_got_names (connection-manager.c:1332)
==1330==    by 0x407BD62: _tp_cli_dbus_daemon_invoke_callback_list_names (tp-cli-dbus-daemon-body.h:1818)
==1330==    by 0x40A134A: tp_proxy_pending_call_idle_invoke (proxy-methods.c:153)
==1330==    by 0x48CA1FC: g_idle_dispatch (gmain.c:4178)
==1330==    by 0x48C62C3: g_main_dispatch (gmain.c:2073)
==1330==    by 0x48C77A9: g_main_context_dispatch (gmain.c:2625)
==1330==    by 0x48C7CFD: g_main_context_iterate (gmain.c:2706)
==1330==    by 0x48C84D4: g_main_loop_run (gmain.c:2929)
==1330==    by 0x8048A7E: main (main.c:101)

(process:1330): GLib-GObject-CRITICAL **: g_object_get: assertion `G_IS_OBJECT (object)' failed
  Connection Manager name: (null)
==1330== 
==1330== Invalid read of size 1
==1330==    at 0x40239D8: strlen (mc_replace_strmem.c:242)
==1330==    by 0x49B140A: vfprintf (vfprintf.c:1560)
==1330==    by 0x49B23AF: vprintf (vprintf.c:31)
==1330==    by 0x4904AC4: g_vprintf (gprintf.c:186)
==1330==    by 0x49049D9: g_printf (gprintf.c:55)
==1330==    by 0x80489D5: on_list_connection_managers (main.c:73)
==1330==    by 0x4078A66: tp_list_connection_managers_got_names (connection-manager.c:1332)
==1330==    by 0x407BD62: _tp_cli_dbus_daemon_invoke_callback_list_names (tp-cli-dbus-daemon-body.h:1818)
==1330==    by 0x40A134A: tp_proxy_pending_call_idle_invoke (proxy-methods.c:153)
==1330==    by 0x48CA1FC: g_idle_dispatch (gmain.c:4178)
==1330==    by 0x48C62C3: g_main_dispatch (gmain.c:2073)
==1330==    by 0x48C77A9: g_main_context_dispatch (gmain.c:2625)
==1330==    by 0x48C7CFD: g_main_context_iterate (gmain.c:2706)
==1330==    by 0x48C84D4: g_main_loop_run (gmain.c:2929)
==1330==    by 0x8048A7E: main (main.c:101)
==1330==  Address 0x7273752f is not stack'd, malloc'd or (recently) free'd
==1330== 
==1330== Process terminating with default action of signal 11 (SIGSEGV)
==1330==  Access not within mapped region at address 0x7273752F
==1330==    at 0x40239D8: strlen (mc_replace_strmem.c:242)
==1330==    by 0x49B140A: vfprintf (vfprintf.c:1560)
==1330==    by 0x49B23AF: vprintf (vprintf.c:31)
==1330==    by 0x4904AC4: g_vprintf (gprintf.c:186)
==1330==    by 0x49049D9: g_printf (gprintf.c:55)
==1330==    by 0x80489D5: on_list_connection_managers (main.c:73)
==1330==    by 0x4078A66: tp_list_connection_managers_got_names (connection-manager.c:1332)
==1330==    by 0x407BD62: _tp_cli_dbus_daemon_invoke_callback_list_names (tp-cli-dbus-daemon-body.h:1818)
==1330==    by 0x40A134A: tp_proxy_pending_call_idle_invoke (proxy-methods.c:153)
==1330==    by 0x48CA1FC: g_idle_dispatch (gmain.c:4178)
==1330==    by 0x48C62C3: g_main_dispatch (gmain.c:2073)
==1330==    by 0x48C77A9: g_main_context_dispatch (gmain.c:2625)
==1330==    by 0x48C7CFD: g_main_context_iterate (gmain.c:2706)
==1330==    by 0x48C84D4: g_main_loop_run (gmain.c:2929)
==1330==    by 0x8048A7E: main (main.c:101)
    Protocol name: ==1330== 
==1330== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 95 from 1)
==1330== malloc/free: in use at exit: 55,383 bytes in 728 blocks.
==1330== malloc/free: 2,145 allocs, 1,417 frees, 355,791 bytes allocated.
==1330== For counts of detected errors, rerun with: -v
==1330== searching for pointers to 728 not-freed blocks.
==1330== checked 397,508 bytes.
==1330== 
==1330== LEAK SUMMARY:
==1330==    definitely lost: 156 bytes in 11 blocks.
==1330==      possibly lost: 7,120 bytes in 30 blocks.
==1330==    still reachable: 48,107 bytes in 687 blocks.
==1330==         suppressed: 0 bytes in 0 blocks.
==1330== Rerun with --leak-check=full to see details of leaked memory.
Segmentation fault
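The valgrind output above is the signature of a sentinel-terminated array whose sentinel was never written: the "Conditional jump ... depends on uninitialised value(s)" fires on the loop's NULL comparison, and the later "Invalid read" in strlen is the consumer dereferencing garbage it took for a pointer. The C below is an added example, not the attached example.c and not telepathy-glib code; `Protocol` is a hypothetical stand-in for TpConnectionManagerProtocol, the builder, counter and demo function names are invented, and the protocol names are constructed. It shows a producer that keeps the NULL-terminator invariant, a producer with the suspected defect, and a bounded consumer that survives the defect instead of walking off the end.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for TpConnectionManagerProtocol; only the name matters. */
typedef struct {
    const char *name;
} Protocol;

/* Release n entries plus the array itself (n is the element count, never the sentinel). */
static void free_protocols(Protocol **protocols, size_t n)
{
    if (protocols == NULL) return;
    for (size_t i = 0; i < n; i++) free(protocols[i]);
    free(protocols);
}

/* Producer that keeps the invariant: n + 1 slots, and calloc zeroes the last one,
 * so arr[n] == NULL without any separate assignment a refactor could drop. */
Protocol **build_protocols(const char *const *names, size_t n)
{
    Protocol **arr = calloc(n + 1, sizeof *arr);
    if (arr == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        arr[i] = malloc(sizeof *arr[i]);
        if (arr[i] == NULL) { free_protocols(arr, i); return NULL; }
        arr[i]->name = names[i];
    }
    return arr;
}

/* Producer with the defect the report suspects: room for a sentinel is allocated
 * but arr[n] is never written, so a sentinel-terminated walk compares against
 * uninitialised memory, exactly what Memcheck flagged at main.c:64. */
Protocol **build_protocols_unterminated(const char *const *names, size_t n)
{
    Protocol **arr = malloc((n + 1) * sizeof *arr);
    if (arr == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        arr[i] = malloc(sizeof *arr[i]);
        if (arr[i] == NULL) { free_protocols(arr, i); return NULL; }
        arr[i]->name = names[i];
    }
    return arr;   /* arr[n] deliberately left uninitialised */
}

/* The idiom the reporter's loop relies on: walk until the NULL sentinel.
 * Correct only when the producer kept the invariant. */
size_t count_protocols(Protocol *const *protocols)
{
    size_t n = 0;
    if (protocols == NULL) return 0;
    while (protocols[n] != NULL) n++;
    return n;
}

/* Defensive consumer: also stop after `max` entries. The short-circuit means
 * protocols[max] is never read, so a missing sentinel cannot take the walk
 * into uninitialised or unmapped memory. */
size_t count_protocols_bounded(Protocol *const *protocols, size_t max)
{
    size_t n = 0;
    if (protocols == NULL) return 0;
    while (n < max && protocols[n] != NULL) n++;
    return n;
}

/* Constructed sample input. */
static const char *const demo_names[] = { "msn", "jabber", "sip" };

/* Correct producer + sentinel walk: returns 3. */
size_t demo_terminated_count(void)
{
    Protocol **p = build_protocols(demo_names, 3);
    size_t n = count_protocols(p);
    free_protocols(p, 3);
    return n;
}

/* Defective producer + bounded walk: still returns 3, and Memcheck stays quiet,
 * because p[3] is never touched. (An unbounded count_protocols() on this array
 * would be the report's undefined behaviour and is intentionally not called.) */
size_t demo_bounded_count_on_unterminated(void)
{
    Protocol **p = build_protocols_unterminated(demo_names, 3);
    size_t n = count_protocols_bounded(p, 3);
    free_protocols(p, 3);
    return n;
}

int main(void)
{
    printf("terminated array, sentinel walk: %zu protocols\n", demo_terminated_count());
    printf("unterminated array, bounded walk: %zu protocols\n",
           demo_bounded_count_on_unterminated());
    return 0;
}
```

Run it under valgrind as the reporter did; the defective builder produces no Memcheck error only because the bounded walk never compares p[3]. When an API documents a NULL-terminated array but does not also expose a count, the consumer has no bound to fall back on, which is why the terminator is part of the API contract and why the producer should allocate it with calloc (or append the NULL explicitly) rather than rely on whatever malloc left behind.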

