
Re: [Lynx-dev] SIGSEGV in scan_cookie_sublist


From: Thorsten Glaser
Subject: Re: [Lynx-dev] SIGSEGV in scan_cookie_sublist
Date: Mon, 1 Apr 2013 21:01:07 +0000 (UTC)

I said that…

>possibly a use-after-free, possibly a corruption).

Definitely use-after-free and on the site that recently
changed their layout visibly (and thus, maybe cookies):

address@hidden:~ $ gdb /usr/bin/lynx  lynx.core
GNU gdb 6.3.50.20050707
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i386-ecce-mirbsd10 --target="...
Core was generated by `lynx'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libz.so.5.3...done.
Loaded symbols for /usr/lib/libz.so.5.3
Reading symbols from /usr/lib/libiconv.so.5.0...done.
Loaded symbols for /usr/lib/libiconv.so.5.0
Reading symbols from /usr/lib/libncurses.so.14.1...done.
Loaded symbols for /usr/lib/libncurses.so.14.1
Reading symbols from /usr/lib/libssl.so.12.0...done.
Loaded symbols for /usr/lib/libssl.so.12.0
Reading symbols from /usr/lib/libcrypto.so.14.1...done.
Loaded symbols for /usr/lib/libcrypto.so.14.1
Reading symbols from /usr/lib/libc.so.41.10...done.
Loaded symbols for /usr/lib/libc.so.41.10
Reading symbols from /usr/libexec/ld.so...done.
Loaded symbols for /usr/libexec/ld.so
#0  scan_cookie_sublist (hostname=0xa68fe080 "www.fanfiction.net",
    path=0xa0fc5080 "/s/7680982/10", port=80, sublist=0xa877ffe0, header=0x0, secure=0)
    at /usr/src/gnu/usr.bin/lynx/src/LYCookie.c:726
726             co = (cookie *) hl->object;
(gdb) print hl
$1 = (HTList *) 0xdfdfdfdf



address@hidden:~ $ ll /etc/malloc.conf
lrwxr-xr-x  1 root  wheel  1 Dec 31 21:32 /etc/malloc.conf@ -> S

address@hidden:~ $ man malloc.conf

[…]
     S       Enable all options suitable for security auditing.
[…]
     J       "Junk". Fill some junk into the area allocated. Currently junk is
             bytes of 0xd0 when allocating; this is pronounced "Duh". :-)
             Freed chunks are filled with 0xdf.
[…]




(gdb) bt
#0  scan_cookie_sublist (hostname=0xa68fe080 "www.fanfiction.net",
    path=0xa0fc5080 "/s/7680982/10", port=80, sublist=0xa877ffe0, header=0x0, secure=0)
    at /usr/src/gnu/usr.bin/lynx/src/LYCookie.c:726
#1  0x1c0794bf in LYAddCookieHeader (hostname=0xa68fe080 "www.fanfiction.net",
    path=0xa0fc5080 "/s/7680982/10", port=80, secure=0)
    at /usr/src/gnu/usr.bin/lynx/src/LYCookie.c:1886
#2  0x1c08eefd in HTLoadHTTP (arg=0xa53bdb80 "http://www.fanfiction.net/s/7680982/10",
    anAnchor=0xa7656c00, format_out=0xa0f806a0, sink=0x0)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c:1360
#3  0x1c08c4c0 in HTLoad (addr=0x9d11f340 "http://www.fanfiction.net/s/7680982/10",
    anchor=0xa7656c00, format_out=0xa0f806a0, sink=0x0)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAccess.c:706
#4  0x1c08c90e in HTLoadDocument (
    full_address=0x9d11f340 "http://www.fanfiction.net/s/7680982/10", anchor=0xa7656c00,
    format_out=0xa0f806a0, sink=0x0)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAccess.c:941
#5  0x1c08cf15 in HTLoadAbsolute (docaddr=0xcfbf9020)
    at /usr/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTAccess.c:1123
#6  0x1c025325 in getfile (doc=0x3c063820, target=0x38)
    at /usr/src/gnu/usr.bin/lynx/src/LYGetFile.c:809
#7  0x1c03289b in mainloop () at /usr/src/gnu/usr.bin/lynx/src/LYMainLoop.c:5843
#8  0x1c027a39 in main (argc=1, argv=0xcfbf94dc)
    at /usr/src/gnu/usr.bin/lynx/src/LYMain.c:2230
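
An added illustration, not part of the original post and not Lynx code: a list walk that follows a link into a junk-filled freed node ends up with a cursor made entirely of 0xdf bytes, which is the pattern visible in `hl` above. The `node` type and the names `junk_free`, `is_free_junk`, `walk_hits_junk` and `demo` are hypothetical, and `junk_free` only imitates the fill that the J option performs without releasing the memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FREE_JUNK 0xdf /* fill byte for freed chunks, per the malloc.conf excerpt */

/* Hypothetical two-field list node; not the real HTList definition. */
typedef struct node { void *object; struct node *next; } node;

/* Stand-in for free() under option J: junk-fill the chunk. The memory is
 * deliberately not released here, so the stale read below stays defined. */
static void junk_free(void *p, size_t n) { memset(p, FREE_JUNK, n); }

/* True if every byte of the pointer value equals the free-junk byte. */
static int is_free_junk(const void *p) {
    uintptr_t v = (uintptr_t)p;
    for (size_t i = 0; i < sizeof v; i++, v >>= 8)
        if ((v & 0xff) != FREE_JUNK) return 0;
    return 1;
}

/* Walk the list; return 1 if the cursor turns into free-junk, 0 if it ends at NULL. */
static int walk_hits_junk(node *hl) {
    for (; hl != NULL; hl = hl->next) {
        if (is_free_junk(hl)) return 1; /* dereferencing hl here is the crash */
        printf("visit node %p\n", (void *)hl);
    }
    return 0;
}

/* Build a -> b -> c; optionally "free" b while a still links to it. */
static int demo(int free_middle) {
    node *a = malloc(sizeof *a), *b = malloc(sizeof *b), *c = malloc(sizeof *c);
    if (!a || !b || !c) abort();
    *c = (node){ "c", NULL }; *b = (node){ "b", c }; *a = (node){ "a", b };
    if (free_middle) junk_free(b, sizeof *b); /* the bug: a->next is now stale */
    int hit = walk_hits_junk(a);
    free(a); free(b); free(c);
    return hit;
}

int main(void) {
    printf("intact list:  junk cursor = %d\n", demo(0));
    printf("stale node b: junk cursor = %d\n", demo(1));
    return 0;
}
```

The stale node is still visited once before the cursor becomes junk, so the faulting frame points at the walk and not at the code that freed the node.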


