[Telepathy] [Bug 16918] New: Invalid read in vcard-manager: cache_entry_complete_requests

bugzilla-daemon at freedesktop.org
Thu Jul 31 02:16:02 PDT 2008


http://bugs.freedesktop.org/show_bug.cgi?id=16918

           Summary: Invalid read in vcard-manager:
                    cache_entry_complete_requests
           Product: Telepathy
           Version: unspecified
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: telepathy-gabble
        AssignedTo: telepathy at lists.freedesktop.org
        ReportedBy: guillaume.desmottes at collabora.co.uk


To reproduce with Gabble HEAD:

- cd tests/twisted
- export GABBLE_TEST_VALGRIND=1
- make check TWISTED_TESTS=olpc/olpc-muc-invitation.py
- look at tools/gabble-testing.log

You'll find the following invalid read:

==10543== Invalid read of size 4
==10543==    at 0x807F33B: cache_entry_complete_requests (vcard-manager.c:458)
==10543==    by 0x807F446: pipeline_reply_cb (vcard-manager.c:1089)
==10543==    by 0x806BA54: gabble_request_pipeline_dispose (request-pipeline.c:230)
==10543==    by 0x409983B: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1600.3)
==10543==    by 0x80560AF: gabble_connection_dispose (connection.c:683)
==10543==    by 0x409983B: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1600.3)
==10543==    by 0x40B994B: g_value_unset (in /usr/lib/libgobject-2.0.so.0.1600.3)
==10543==    by 0x40BA8F8: g_value_array_free (in /usr/lib/libgobject-2.0.so.0.1600.3)
==10543==    by 0x4045B62: gobject_message_function (dbus-gobject.c:1267)
==10543==    by 0x407169A: (within /usr/lib/libdbus-1.so.3.4.0)
==10543==    by 0x4063A65: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.4.0)
==10543==    by 0x40424CC: message_queue_dispatch (dbus-gmain.c:101)
==10543==    by 0x4148BF7: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.1600.3)
==10543==    by 0x414BE5D: (within /usr/lib/libglib-2.0.so.0.1600.3)
==10543==    by 0x414C1E6: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.1600.3)
==10543==    by 0x4230655: tp_run_connection_manager (run.c:263)
==10543==    by 0x805ABB1: gabble_main (gabble.c:76)
==10543==    by 0x8053355: main (main-debug.c:30)



The first time the while condition is evaluated (entry->pending_requests) there
is no problem as the entry still exists. During the first iteration,
complete_one_request is called, which calls delete_request, which calls
cache_entry_attempt_to_free. In cache_entry_attempt_to_free, the entry is
removed from priv->cache, causing its value (the entry) to be destroyed using
cache_entry_free.
So, when the while condition is evaluated for the second time, the entry has
been freed, causing the invalid read.


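The loop pattern described in the report, reduced to a stand-alone model with one way to avoid the read after free. This is an added example, not Gabble's code and not the fix the project applied; the struct layout and the names entry_new, complete_one, drain_unsafe and drain_safe are hypothetical stand-ins for the functions named above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: names and layout are illustrative, not Gabble's. */
struct request { struct request *next; };
struct entry   { struct request *pending; };

static int entries_freed = 0;   /* lets a caller observe that the free happened */

static struct entry *entry_new(int n_requests) {
    struct entry *e = calloc(1, sizeof *e);
    while (n_requests-- > 0) {
        struct request *r = calloc(1, sizeof *r);
        r->next = e->pending;
        e->pending = r;
    }
    return e;
}

/* Completes the head request and frees the entry once nothing is pending,
 * standing in for the delete-request -> attempt-to-free chain in the report. */
static void complete_one(struct entry *e) {
    struct request *r = e->pending;
    e->pending = r->next;
    free(r);
    if (e->pending == NULL) { free(e); entries_freed++; }
}

/* BEFORE: the loop condition dereferences e after the final call freed it.
 * Shown for comparison only; it is never called here. */
int drain_unsafe(struct entry *e) {
    int n = 0;
    while (e->pending) { complete_one(e); n++; }   /* invalid read on re-test */
    return n;
}

/* AFTER: decide whether more work remains before the call that may free e. */
int drain_safe(struct entry *e) {
    int n = 0, more = (e->pending != NULL);
    while (more) {
        more = (e->pending->next != NULL);   /* read while e is still live */
        complete_one(e);                     /* e may be gone after this   */
        n++;
    }
    return n;
}

int main(void) {
    printf("completed=%d\n", drain_safe(entry_new(3)));
    printf("entries_freed=%d\n", entries_freed);
    return 0;
}
```

Running drain_unsafe under valgrind reports an invalid read of the same shape as the one in the trace; drain_safe runs clean.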