Bug 682569 - gvfsd-http crashes on downloading multiple files
Status: RESOLVED FIXED
Product: libsoup
Classification: Core
Component: API
Version: 2.39.x
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: libsoup-maint@gnome.bugs
QA Contact: libsoup-maint@gnome.bugs
Depends on:
Blocks: 682573
Reported: 2012-08-23 20:03 UTC by Zeeshan Ali
Modified: 2012-08-24 12:33 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Test app to reproduce the issue (913 bytes, application/octet-stream)
2012-08-23 20:03 UTC, Zeeshan Ali
Avoid double free of hash key (1018 bytes, patch)
2012-08-24 11:26 UTC, Alexander Larsson
committed

Description Zeeshan Ali 2012-08-23 20:03:14 UTC
Created attachment 222256
Test app to reproduce the issue

I see gvfsd-http crashes on downloading multiple files here. Attaching a test app.

Here is what the backtrace looks like:

Program received signal SIGABRT, Aborted.
0x00000030eaa35925 in raise () from /lib64/libc.so.6
(gdb) thread apply all bt


Comment 1 Alexander Larsson 2012-08-24 11:26:18 UTC
Turns out this is a libsoup bug:

==30406== Invalid read of size 1
==30406==    at 0x5DA5F22: g_ascii_strcasecmp (gstrfuncs.c:1735)
==30406==    by 0x5534958: soup_str_case_equal (soup-misc.c:58)
==30406==    by 0x5D7938D: g_hash_table_lookup (ghash.c:422)
==30406==    by 0x40B30D: file_info_from_message (gvfsbackendhttp.c:561)
==30406==    by 0x40B4B0: query_info_ready (gvfsbackendhttp.c:659)
==30406==    by 0x553FA54: process_queue_item (soup-session-async.c:308)
==30406==    by 0x553FBE9: run_queue (soup-session-async.c:344)
==30406==    by 0x553FCB9: idle_run_queue (soup-session-async.c:377)
==30406==    by 0x5D8910F: g_main_context_dispatch (gmain.c:2707)
==30406==    by 0x5D89467: g_main_context_iterate.isra.24 (gmain.c:3282)
==30406==    by 0x5D89871: g_main_loop_run (gmain.c:3476)
==30406==    by 0x40C0D1: daemon_main (daemon-main.c:395)
==30406==  Address 0x68515f0 is 0 bytes inside a block of size 49 free'd
==30406==    at 0x4A07646: free (vg_replace_malloc.c:446)
==30406==    by 0x5D8EF56: g_free (gmem.c:252)
==30406==    by 0x5D789C8: g_hash_table_insert_node (ghash.c:918)
==30406==    by 0x5D78E43: g_hash_table_insert_internal (ghash.c:1153)
==30406==    by 0x5531D56: soup_message_headers_get_content_disposition (soup-message-headers.c:1306)
==30406==    by 0x40B1C8: file_info_from_message (gvfsbackendhttp.c:558)
==30406==    by 0x40B4B0: query_info_ready (gvfsbackendhttp.c:659)
==30406==    by 0x553FA54: process_queue_item (soup-session-async.c:308)
==30406==    by 0x553FBE9: run_queue (soup-session-async.c:344)
==30406==    by 0x553FCB9: idle_run_queue (soup-session-async.c:377)
==30406==    by 0x5D8910F: g_main_context_dispatch (gmain.c:2707)
==30406==    by 0x5D89467: g_main_context_iterate.isra.24 (gmain.c:3282)

Comment 2 Alexander Larsson 2012-08-24 11:26:38 UTC
Created attachment 222300
Avoid double free of hash key

When soup_message_headers_get_content_disposition re-inserts the
new filename we need to g_strdup the key or otherwise it will
be freed by the hashtable key destroy func.

Comment 3 Alexander Larsson 2012-08-24 12:33:21 UTC
Attachment 222300 pushed as 2e70097 - Avoid double free of hash key
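
The ownership rule behind the valgrind trace in comment 1 and the fix in comment 2, as an added example (not libsoup or GLib code, and not written by anyone on this bug): a one-entry toy map follows GHashTable's documented behaviour that, when a key destroy function is set, inserting a key that is already present destroys the key passed in. The names `map`, `map_insert` and `reinsert_leaves_dangling_key` are hypothetical, and the toy sets a flag in the aliased case instead of calling free() so the program stays well defined.

```c
/* Constructed model, not GLib or libsoup code: a one-entry map following GHashTable's
 * documented rule that inserting an existing key destroys the key passed in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct map { char *key, *value; int key_dangling; };  /* the map owns key and value */

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    return strcpy(p, s);
}

/* Takes ownership of key and value, like an insert into a table with destroy funcs. */
static void map_insert(struct map *m, char *key, char *value) {
    if (m->key && strcasecmp(m->key, key) == 0) {
        free(m->value);
        m->value = value;
        if (key == m->key)
            m->key_dangling = 1; /* a real table would free the key it still stores */
        else
            free(key);           /* caller's copy destroyed, stored key intact */
        return;
    }
    free(m->key); free(m->value); /* one-entry model: a different key replaces the entry */
    m->key = key; m->value = value;
}

/* Returns 1 if re-inserting "filename" left the map holding a destroyed key. */
static int reinsert_leaves_dangling_key(int copy_key) {
    struct map m = {0};
    map_insert(&m, dup_str("filename"), dup_str("dir/report.pdf")); /* constructed input */
    /* copy_key == 0: pass the pointer the map already owns (the crash in this bug).
     * copy_key == 1: pass a fresh copy of the key, as the g_strdup fix does. */
    map_insert(&m, copy_key ? dup_str(m.key) : m.key, dup_str("report.pdf"));
    int dangling = m.key_dangling;
    free(m.key);
    free(m.value);
    return dangling;
}

int main(void) {
    printf("aliased key: dangling=%d\n", reinsert_leaves_dangling_key(0));
    printf("copied key:  dangling=%d\n", reinsert_leaves_dangling_key(1));
    return 0;
}
```

In the real table the aliased insert frees the stored key, so the next lookup compares against freed memory, which is the invalid read in g_ascii_strcasecmp that valgrind reports in comment 1.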