Bug#631729: irssi-plugin-xmpp: Memory corruption and crash with /xmppconnect

Florian Schlichting fschlich at ZEDAT.FU-Berlin.DE
Wed Jan 23 00:08:27 UTC 2013


Control: reassign 631729 libloudmouth1-0
Control: retitle 631729 libloudmouth1-0: segfaults when connecting to a dual-stacked host
Control: tags 631729 = ipv6

I am able to reproduce this now, both on i386 and amd64. The key is to
connect to a hostname that resolves to both an IPv4 and an IPv6 address
(there seems to have been a time when new installs created an /etc/hosts
where this was the case for 'localhost', hence the difference between
local and remote connections for some users). This is valgrind's
memcheck output:

==11869== Invalid read of size 4
==11869==    at 0x4F384EE: socket_connect_cb (lm-socket.c:518)
==11869==    by 0x427417D: g_io_unix_dispatch (giounix.c:166)
==11869==    by 0x4233D85: g_main_context_dispatch (gmain.c:2539)
==11869==    by 0x4234124: g_main_context_iterate.isra.21 (gmain.c:3146)
==11869==    by 0x4234200: g_main_context_iteration (gmain.c:3207)
==11869==    by 0x45204D2: (below main) (libc-start.c:226)
==11869==  Address 0x512e58c is 4 bytes inside a block of size 24 free'd
==11869==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==11869==    by 0x4239D0A: standard_free (gmem.c:98)
==11869==    by 0x4239F8F: g_free (gmem.c:252)
==11869==    by 0x4F37A0D: _lm_socket_succeeded (lm-socket.c:415)
==11869==    by 0x4F386E9: socket_connect_cb (lm-socket.c:552)
==11869==    by 0x427417D: g_io_unix_dispatch (giounix.c:166)
==11869==    by 0x4233D85: g_main_context_dispatch (gmain.c:2539)
==11869==    by 0x4234124: g_main_context_iterate.isra.21 (gmain.c:3146)
==11869==    by 0x4234200: g_main_context_iteration (gmain.c:3207)
==11869==    by 0x45204D2: (below main) (libc-start.c:226)

And the backtrace is, as above:

#0  lm_socket_ref (socket=0x1000100000003) at lm-socket.c:1208
#1  0x00007faa7563f6df in socket_connect_cb (source=0x1297750, condition=G_IO_OUT, connect_data=0x1294020) at lm-socket.c:518
#2  0x00007faa77752355 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007faa77752688 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007faa77752744 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x000000000041905c in main ()

Looking at loudmouth's loudmouth/lm-socket.c, it seems clear to me that
socket_connect_cb is called twice with condition G_IO_OUT, while the code
expects this to happen no more than once, so that on the second
invocation, connect_data->socket has already been freed.

As this only happens for me when connecting to a host that resolves to
both ipv4 and ipv6 (for irssi-plugin-xmpp that is: '/xmppconnect -h
localhost <jid>', NOT '/xmppconnect -h 127.0.0.1 <jid>'), I suppose the
GIO watch is triggered once for each protocol version. This may either
be a bug in glib, or needs to be caught in libloudmouth.

Florian
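
Added example (not loudmouth's or GLib's code, and not from this report): a simplified C model of the double-delivered G_IO_OUT callback described above, with the vulnerable shape beside a hardened one that completes exactly once, clears connect_data->socket and returns FALSE so the watch is removed. The Socket/ConnectData types, socket_ref, socket_succeeded and dispatch_dual_stack are hypothetical stand-ins for lm_socket_ref, _lm_socket_succeeded and the GLib main loop.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified model of the bug described above: a readiness
 * callback frees connect_data->socket on its first run and is then delivered
 * a second time. Names are made up; this is not loudmouth's or GLib's code.
 * g_free is stood in for by a "freed" flag so that the second access is
 * counted instead of being undefined behaviour. */
typedef struct { int refcount; bool freed; } Socket;
typedef struct { Socket *socket; bool completed; } ConnectData;

static int uaf_count;                 /* reads of an already-freed socket */
static void socket_ref(Socket *s)     /* stand-in for lm_socket_ref */
{
    if (s->freed) uaf_count++;        /* valgrind's "Invalid read" */
    else s->refcount++;
}

/* Stand-in for _lm_socket_succeeded, which g_free()s the socket. */
static void socket_succeeded(ConnectData *cd) { cd->socket->freed = true; }

/* Vulnerable shape: assumes G_IO_OUT arrives exactly once. */
static bool vulnerable_connect_cb(ConnectData *cd)
{
    socket_ref(cd->socket);           /* second delivery: freed memory */
    socket_succeeded(cd);
    return true;                      /* keeps the watch installed */
}

/* Hardened shape: complete once, clear the pointer, ask for watch removal. */
static bool hardened_connect_cb(ConnectData *cd)
{
    if (cd->completed || cd->socket == NULL)
        return false;                 /* a repeat delivery is ignored */
    socket_ref(cd->socket);
    socket_succeeded(cd);
    cd->completed = true;
    cd->socket = NULL;                /* nothing left dangling */
    return false;                     /* FALSE: remove the GIO watch */
}

/* Main-loop stand-in matching the report: one G_IO_OUT per address family of
 * a dual-stacked host, both delivered. Returns accesses to freed memory. */
static int dispatch_dual_stack(bool (*cb)(ConnectData *), ConnectData *cd)
{
    uaf_count = 0;
    for (int family = 0; family < 2; family++)   /* AF_INET, then AF_INET6 */
        cb(cd);
    return uaf_count;
}
```

In the model the vulnerable callback touches freed memory once per dual-stacked connect, while the hardened one never does even though the main loop still delivers the notification twice.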
