jami-daemon issues
https://git.jami.net/savoirfairelinux/jami-daemon/-/issues
2023-10-20T14:27:11Z
https://git.jami.net/savoirfairelinux/jami-daemon/-/issues/908
Mute and unmute in swarm group call
2023-10-20T14:27:11Z
Wear Guxj
In group swarm call, there are two bugs when muting the microphone. It's the same if only audio or both audio and video. It's been verified with the latest Android client.
1. Alice who initiated the group call needs to click two times on the mute button before the button is lit and her microphone is actually muted. The first click does nothing.
2. Then when Bob joins the group call, it causes Alice's client to go back from muted to unmuted. This is obviously a privacy problem, but at least the unmute is reflected in Alice's user interface.
Sébastien Blin
Alexander Lussier-Cullen
Sébastien Blin
https://git.jami.net/savoirfairelinux/jami-daemon/-/issues/799
pjsip 2.13 CVE patches can't be applied
2022-12-13T04:02:00Z
linsui
There are 3 CVEs fixed in pjsip 2.13, see https://github.com/pjsip/pjproject/releases/tag/2.13. I can't apply those patches. Could you please take a look? Thanks!
Sébastien Blin
Sébastien Blin
https://git.jami.net/savoirfairelinux/jami-daemon/-/issues/784
pjsip CVE patches can't be applied
2022-12-10T15:05:50Z
linsui
See https://github.com/NixOS/nixpkgs/pull/197782.
https://nvd.nist.gov/vuln/detail/CVE-2022-39269
https://nvd.nist.gov/vuln/detail/CVE-2022-39244
These patches can't be applied to jami's fork of pjsip. Is the fork affected? Could you please update it? Thanks!
Sébastien Blin
Sébastien Blin
https://git.jami.net/savoirfairelinux/jami-daemon/-/issues/45
heap-use-after-free in PulseLayer::getCaptureDeviceList
2022-11-14T21:52:32Z
Hugo Lefeuvre
**Affects:** latest ring daemon master
PulseLayer::getCaptureDeviceList seems to be affected by a race condition and resulting heap-use-after-free (media/audio/pulseaudio/pulselayer.cpp:242).
**Logs with ASan crash report:**
```
fe38c3ef98edd87ace33efb3183230194f8fba88
[1536090351.878| 6964|ringaccount.cpp :2591 ] Can't set certificate status for existing contacts 3c2a2fae84be1713e6d68d39360faa7441220c00
[1536090351.882| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.903| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.912| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.922| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.931| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.942| 6964|namedirectory.cpp :66 ] Can't parse URI:
[1536090351.942| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.945| 6964|namedirectory.cpp :66 ] Can't parse URI:
[1536090351.950| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.961| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.968| 6964|manager.cpp :2414 ] Audio manager chosen already in use. No changes made.
[1536090351.968| 6964|configurationmanager.cpp:621 ] Get audio plugin default
[1536090351.970| 6964|pulselayer.cpp :153 ] Waiting....
[1536090351.970| 7013|pulselayer.cpp :153 ] Waiting....
[1536090351.970| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090351.970| 7013|pulselayer.cpp :153 ] Waiting....
[1536090351.971| 7013|pulselayer.cpp :157 ] Connection to PulseAudio server established
[1536090351.971| 7013|pulselayer.cpp :186 ] Updating PulseAudio sink list
[1536090351.971| 7013|pulselayer.cpp :202 ] Updating PulseAudio source list
[1536090351.971| 7013|pulselayer.cpp :218 ] Updating PulseAudio server infos
[1536090351.971| 6964|manager.cpp :2164 ] No audio layer created, possibly built without audio support
=================================================================
==6964==ERROR: AddressSanitizer: heap-use-after-free on address 0x61800001f188 at pc 0x0000008cd866 bp 0x7fff07e3e190 sp 0x7fff07e3e180
READ of size 8 at 0x61800001f188 thread T0
[1536090351.972| 7013|pulselayer.cpp :635 ] PulseAudio server info:
Server name: pulseaudio
Server version: 8.0
Default Sink alsa_output.pci-0000_00_1b.0.analog-stereo
Default Source alsa_input.usb-046d_HD_Pro_Webcam_C920_8A8B667F-02.analog-stereo
Default Sample Specification: s16le 2ch 44100Hz
Default Channel Map: front-left,front-right
[1536090352.012| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.020| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.029| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.039| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
#0 0x8cd865 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long) /usr/include/c++/5/bits/basic_string.h:131
#1 0x8cd865 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_set_length(unsigned long) /usr/include/c++/5/bits/basic_string.h:164
#2 0x8cd865 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) /usr/include/c++/5/bits/basic_string.tcc:236
#3 0x8cd865 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char*>(char*, char*, std::__false_type) /usr/include/c++/5/bits/basic_string.h:195
#4 0x8cd865 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*) /usr/include/c++/5/bits/basic_string.h:214
#5 0x8cd865 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/basic_string.h:400
#6 0x8cd865 in void __gnu_cxx::new_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::construct<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/ext/new_allocator.h:120
#7 0x8cd865 in void std::allocator_traits<std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::construct<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/alloc_traits.h:530
#8 0x8cd865 in void std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::emplace_back<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/vector.tcc:96
#9 0x8cd865 in ring::PulseLayer::getCaptureDeviceList[abi:cxx11]() const /home/hlefeuvre/Development/ring-daemon/src/media/audio/pulseaudio/pulselayer.cpp:242
[1536090352.048| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.057| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.067| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.076| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.086| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.094| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
[1536090352.102| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
#10 0x6fd2ea in ring::Manager::getAudioInputDeviceList[abi:cxx11]() /home/hlefeuvre/Development/ring-daemon/src/manager.cpp:2223
[1536090352.114| 6985|certstore.cpp :75 ] CertificateStore: loaded 12 local certificates.
#11 0x50acb7 in DRing::getAudioInputDeviceList[abi:cxx11]() /home/hlefeuvre/Development/ring-daemon/src/client/configurationmanager.cpp:578
#12 0x4bf03f in DBusConfigurationManager::getAudioInputDeviceList[abi:cxx11]() /home/hlefeuvre/Development/ring-daemon/bin/dbus/dbusconfigurationmanager.cpp:265
#13 0x4bf03f in cx::ring::Ring::ConfigurationManager_adaptor::_getAudioInputDeviceList_stub(DBus::CallMessage const&) /home/hlefeuvre/Development/ring-daemon/bin/dbus/dbusconfigurationmanager.adaptor.h:1993
#14 0x4b0cb4 in DBus::Callback<cx::ring::Ring::ConfigurationManager_adaptor, DBus::Message, DBus::CallMessage const&>::call(DBus::CallMessage const&) const /home/hlefeuvre/Development/ring-daemon/contrib/x86_64-linux-gnu/include/dbus-c++-1/dbus-c++/util.h:283
#15 0x4e39ee in DBus::Slot<DBus::Message, DBus::CallMessage const&>::call(DBus::CallMessage const&) const (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4e39ee)
#16 0x4e280f in DBus::InterfaceAdaptor::dispatch_method(DBus::CallMessage const&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4e280f)
#17 0x4ecf1a in DBus::ObjectAdaptor::handle_message(DBus::Message const&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4ecf1a)
#18 0x4ec491 in DBus::ObjectAdaptor::Private::message_function_stub(DBusConnection*, DBusMessage*, void*) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4ec491)
#19 0x7fb37e9cc812 (/lib/x86_64-linux-gnu/libdbus-1.so.3+0x21812)
#20 0x7fb37e9bdd93 in dbus_connection_dispatch (/lib/x86_64-linux-gnu/libdbus-1.so.3+0x12d93)
#21 0x4d97b1 in DBus::Connection::Private::do_dispatch() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4d97b1)
#22 0x4dd080 in DBus::Dispatcher::dispatch_pending(std::__cxx11::list<DBus::Connection::Private*, std::allocator<DBus::Connection::Private*> >&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4dd080)
#23 0x4dce7e in DBus::Dispatcher::dispatch_pending() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4dce7e)
#24 0x4e0c0d in DBus::BusDispatcher::do_iteration() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4e0c0d)
#25 0x4e08bb in DBus::BusDispatcher::enter() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x4e08bb)
#26 0x4590a2 in DBusClient::event_loop() /home/hlefeuvre/Development/ring-daemon/bin/dbus/dbusclient.cpp:250
#27 0x45131f in main /home/hlefeuvre/Development/ring-daemon/bin/main.cpp:236
#28 0x7fb37a84482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#29 0x457f18 in _start (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x457f18)
0x61800001f188 is located 264 bytes inside of 896-byte region [0x61800001f080,0x61800001f400)
freed by thread T34 (threaded-ml) here:
#0 0x7fb37ec90b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x8d5953 in __gnu_cxx::new_allocator<ring::PaDeviceInfos>::deallocate(ring::PaDeviceInfos*, unsigned long) /usr/include/c++/5/ext/new_allocator.h:110
#2 0x8d5953 in std::allocator_traits<std::allocator<ring::PaDeviceInfos> >::deallocate(std::allocator<ring::PaDeviceInfos>&, ring::PaDeviceInfos*, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:517
#3 0x8d5953 in std::_Vector_base<ring::PaDeviceInfos, std::allocator<ring::PaDeviceInfos> >::_M_deallocate(ring::PaDeviceInfos*, unsigned long) /usr/include/c++/5/bits/stl_vector.h:178
#4 0x8d5953 in void std::vector<ring::PaDeviceInfos, std::allocator<ring::PaDeviceInfos> >::_M_emplace_back_aux<ring::PaDeviceInfos>(ring::PaDeviceInfos&&) /usr/include/c++/5/bits/vector.tcc:438
previously allocated by thread T34 (threaded-ml) here:
#0 0x7fb37ec90532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x8d4e1b in __gnu_cxx::new_allocator<ring::PaDeviceInfos>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
#2 0x8d4e1b in std::allocator_traits<std::allocator<ring::PaDeviceInfos> >::allocate(std::allocator<ring::PaDeviceInfos>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
#3 0x8d4e1b in std::_Vector_base<ring::PaDeviceInfos, std::allocator<ring::PaDeviceInfos> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
#4 0x8d4e1b in void std::vector<ring::PaDeviceInfos, std::allocator<ring::PaDeviceInfos> >::_M_emplace_back_aux<ring::PaDeviceInfos>(ring::PaDeviceInfos&&) /usr/include/c++/5/bits/vector.tcc:412
#5 0x15aed8f (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x15aed8f)
Thread T34 (threaded-ml) created by T0 here:
#0 0x7fb37ec2d253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7fb37a1e984c in pa_thread_new (/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-8.0.so+0x4f84c)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/5/bits/basic_string.h:131 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long)
Shadow bytes around the buggy address:
0x0c307fffbde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffbdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffbe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c307fffbe10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c307fffbe30: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c307fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==6964==ABORTING
```
https://git.jami.net/savoirfairelinux/jami-daemon/-/issues/35
heap-use-after-free during exit when video preview is running
2022-11-14T21:52:32Z
Hugo Lefeuvre
**Affects**: latest daemon master
**How to reproduce**:
1. open GNOME client
2. go to settings and then media settings
3. make sure preview runs
4. quit app using "quit" function
The daemon crashes.
I can't reproduce it with `-pcd` but `-cd` does crash.
**ASan and gdb stacktrace**:
```
=================================================================
==478==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000105fd0 at pc 0x7ffff6ee1676 bp 0x7fffd46c4400 sp 0x7fffd46c3ba8
READ of size 11 at 0x608000105fd0 thread T49
#0 0x7ffff6ee1675 in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x77675)
#1 0x7ffff34a1277 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x121277)
#2 0x475a8a in bool std::operator< <char, std::char_traits<char>, std::allocator<char> >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/basic_string.h:4989
#3 0x462a60 in std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::operator()(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const /usr/include/c++/5/bits/stl_function.h:387
#4 0x4c413b in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_lower_bound(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/stl_tree.h:1628
#5 0x4c3694 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::lower_bound(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/stl_tree.h:1091
#6 0x4c2f62 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::lower_bound(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/5/bits/stl_map.h:916
#7 0x521844 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::operator[](std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&) /usr/include/c++/5/bits/stl_map.h:499
#8 0x7da690 in ring::Smartools::setResolution(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int) /home/hlefeuvre/Development/ring-daemon/src/smartools.cpp:100
#9 0x9853a9 in ring::video::SinkClient::update(ring::video::Observable<std::shared_ptr<ring::VideoFrame> >*, std::shared_ptr<ring::VideoFrame> const&) /home/hlefeuvre/Development/ring-daemon/src/media/video/sinkclient.cpp:337
#10 0x71570e in ring::video::Observable<std::shared_ptr<ring::VideoFrame> >::notify(std::shared_ptr<ring::VideoFrame>) /home/hlefeuvre/Development/ring-daemon/src/media/video/video_base.h:97
#11 0x71345c in ring::video::VideoGenerator::publishFrame() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_base.cpp:50
#12 0x72c859 in ring::video::VideoInput::captureFrame() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_input.cpp:249
#13 0x72bf6d in ring::video::VideoInput::process() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_input.cpp:162
#14 0x734c5d in void std::_Mem_fn_base<void (ring::video::VideoInput::*)(), true>::operator()<, void>(ring::video::VideoInput*) const /usr/include/c++/5/functional:600
#15 0x733c34 in void std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/include/c++/5/functional:1074
#16 0x732d86 in void std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::operator()<, void>() /usr/include/c++/5/functional:1133
#17 0x731e1e in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)> >::_M_invoke(std::_Any_data const&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x731e1e)
#18 0x4638a3 in std::function<void ()>::operator()() const /usr/include/c++/5/functional:2267
#19 0x7b0ee3 in ring::ThreadLoop::mainloop(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>) /home/hlefeuvre/Development/ring-daemon/src/threadloop.cpp:38
#20 0x7b4b3f in void std::_Mem_fn_base<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>), true>::operator()<std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>, void>(ring::ThreadLoop*, std::reference_wrapper<std::thread::id>&&, std::function<bool ()>&&, std::function<void ()>&&, std::function<void ()>&&) const (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4b3f)
#21 0x7b4874 in void std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)>::_M_invoke<0ul, 1ul, 2ul, 3ul, 4ul>(std::_Index_tuple<0ul, 1ul, 2ul, 3ul, 4ul>) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4874)
#22 0x7b45d9 in std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)>::operator()() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b45d9)
#23 0x7b4569 in std::thread::_Impl<std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> >::_M_run() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4569)
#24 0x7ffff3438c7f (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8c7f)
#25 0x7ffff49196b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#26 0x7ffff2b9e41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x608000105fd0 is located 48 bytes inside of 96-byte region [0x608000105fa0,0x608000106000)
freed by thread T0 here:
#0 0x7ffff6f03b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x4bc9f7 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::deallocate(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, unsigned long) /usr/include/c++/5/ext/new_allocator.h:110
#2 0x4bc938 in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::deallocate(std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:517
#3 0x4bc87e in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_put_node(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*) /usr/include/c++/5/bits/stl_tree.h:495
#4 0x4bc719 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_drop_node(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*) /usr/include/c++/5/bits/stl_tree.h:562
#5 0x4bc3fb in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_erase(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*) /usr/include/c++/5/bits/stl_tree.h:1614
#6 0x4bc203 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::~_Rb_tree() /usr/include/c++/5/bits/stl_tree.h:858
#7 0x4bbd35 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::~map() /usr/include/c++/5/bits/stl_map.h:96
#8 0x7d9ddf in ring::Smartools::~Smartools() /home/hlefeuvre/Development/ring-daemon/src/smartools.cpp:42
#9 0x7ffff2ad0ff7 (/lib/x86_64-linux-gnu/libc.so.6+0x39ff7)
previously allocated by thread T49 here:
#0 0x7ffff6f03532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x4c4cc9 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
#2 0x4c4a5b in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::allocate(std::allocator<std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
#3 0x4c41c0 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_get_node() /usr/include/c++/5/bits/stl_tree.h:491
#4 0x5226b8 in std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >* std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_create_node<std::piecewise_construct_t const&, std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&>, std::tuple<> >(std::piecewise_construct_t const&, std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&>&&, std::tuple<>&&) /usr/include/c++/5/bits/stl_tree.h:545
#5 0x5221e7 in std::_Rb_tree_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_emplace_hint_unique<std::piecewise_construct_t const&, std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&>, std::tuple<> >(std::_Rb_tree_const_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::piecewise_construct_t const&, std::tuple<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&>&&, std::tuple<>&&) /usr/include/c++/5/bits/stl_tree.h:2170
#6 0x521951 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::operator[](std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&) /usr/include/c++/5/bits/stl_map.h:502
#7 0x7da730 in ring::Smartools::setResolution(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int) /home/hlefeuvre/Development/ring-daemon/src/smartools.cpp:101
#8 0x9853a9 in ring::video::SinkClient::update(ring::video::Observable<std::shared_ptr<ring::VideoFrame> >*, std::shared_ptr<ring::VideoFrame> const&) /home/hlefeuvre/Development/ring-daemon/src/media/video/sinkclient.cpp:337
#9 0x71570e in ring::video::Observable<std::shared_ptr<ring::VideoFrame> >::notify(std::shared_ptr<ring::VideoFrame>) /home/hlefeuvre/Development/ring-daemon/src/media/video/video_base.h:97
#10 0x71345c in ring::video::VideoGenerator::publishFrame() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_base.cpp:50
#11 0x72c859 in ring::video::VideoInput::captureFrame() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_input.cpp:249
#12 0x72bf6d in ring::video::VideoInput::process() /home/hlefeuvre/Development/ring-daemon/src/media/video/video_input.cpp:162
#13 0x734c5d in void std::_Mem_fn_base<void (ring::video::VideoInput::*)(), true>::operator()<, void>(ring::video::VideoInput*) const /usr/include/c++/5/functional:600
#14 0x733c34 in void std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) /usr/include/c++/5/functional:1074
#15 0x732d86 in void std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::operator()<, void>() /usr/include/c++/5/functional:1133
#16 0x731e1e in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)> >::_M_invoke(std::_Any_data const&) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x731e1e)
#17 0x4638a3 in std::function<void ()>::operator()() const /usr/include/c++/5/functional:2267
#18 0x7b0ee3 in ring::ThreadLoop::mainloop(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>) /home/hlefeuvre/Development/ring-daemon/src/threadloop.cpp:38
#19 0x7b4b3f in void std::_Mem_fn_base<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>), true>::operator()<std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>, void>(ring::ThreadLoop*, std::reference_wrapper<std::thread::id>&&, std::function<bool ()>&&, std::function<void ()>&&, std::function<void ()>&&) const (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4b3f)
#20 0x7b4874 in void std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)>::_M_invoke<0ul, 1ul, 2ul, 3ul, 4ul>(std::_Index_tuple<0ul, 1ul, 2ul, 3ul, 4ul>) (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4874)
#21 0x7b45d9 in std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)>::operator()() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b45d9)
#22 0x7b4569 in std::thread::_Impl<std::_Bind_simple<std::_Mem_fn<void (ring::ThreadLoop::*)(std::thread::id&, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> (ring::ThreadLoop*, std::reference_wrapper<std::thread::id>, std::function<bool ()>, std::function<void ()>, std::function<void ()>)> >::_M_run() (/home/hlefeuvre/Development/ring-daemon/bin/dring+0x7b4569)
#23 0x7ffff3438c7f (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8c7f)
Thread T49 created by T0 here:
#0 0x7ffff6ea0253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7ffff3438dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 memcmp
Shadow bytes around the buggy address:
0x0c1080018ba0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1080018bb0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1080018bc0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1080018bd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1080018be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1080018bf0: fa fa fa fa fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0c1080018c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1080018c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1080018c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1080018c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1080018c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==478==ABORTING
Thread 50 "dring" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffd46c8700 (LWP 601)]
0x00007ffff2acc428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff2acc428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff2ace02a in __GI_abort () at abort.c:89
#2 0x00007ffff6f17d99 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#3 0x00007ffff6f0a769 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#4 0x00007ffff6f0f5a2 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#5 0x00007ffff6f096e6 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#6 0x00007ffff6ee1691 in memcmp () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#7 0x00007ffff34a1278 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#8 0x0000000000475a8b in std::operator< <char, std::char_traits<char>, std::allocator<char> > (__lhs="local height", __rhs="local width") at /usr/include/c++/5/bits/basic_string.h:4989
#9 0x0000000000462a61 in std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::operator() (this=0x1f41100 <ring::Smartools::getInstance()::instance_>,
__x="local height", __y="local width") at /usr/include/c++/5/bits/stl_function.h:387
#10 0x00000000004c413c in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::_M_lower_bound (this=0x1f41100 <ring::Smartools::getInstance()::instance_>, __x=0x608000105fa0, __y=0x1f41108 <ring::Smartools::getInstance()::instance_+8>, __k="local width")
at /usr/include/c++/5/bits/stl_tree.h:1628
#11 0x00000000004c3695 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::lower_bound
(this=0x1f41100 <ring::Smartools::getInstance()::instance_>, __k="local width") at /usr/include/c++/5/bits/stl_tree.h:1091
#12 0x00000000004c2f63 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::lower_bound (this=0x1f41100 <ring::Smartools::getInstance()::instance_>, __x="local width")
at /usr/include/c++/5/bits/stl_map.h:916
#13 0x0000000000521845 in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >::operator[](std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&) (
this=0x1f41100 <ring::Smartools::getInstance()::instance_>, __k=<unknown type in /home/hlefeuvre/Development/ring-daemon/bin/dring, CU 0x19c75c, DIE 0x1b821d>)
at /usr/include/c++/5/bits/stl_map.h:499
#14 0x00000000007da691 in ring::Smartools::setResolution (this=0x1f41100 <ring::Smartools::getInstance()::instance_>, id="local", width=1280, height=720) at smartools.cpp:100
#15 0x00000000009853aa in ring::video::SinkClient::update (this=0x60f000044c00, frame_p=std::shared_ptr (count 2, weak 0) 0x607000120050) at sinkclient.cpp:337
#16 0x000000000071570f in ring::video::Observable<std::shared_ptr<ring::VideoFrame> >::notify (this=0x617000056010, data=std::shared_ptr (count 2, weak 0) 0x607000120050) at video_base.h:97
#17 0x000000000071345d in ring::video::VideoGenerator::publishFrame (this=0x617000056010) at video_base.cpp:50
#18 0x000000000072c85a in ring::video::VideoInput::captureFrame (this=0x617000056010) at video_input.cpp:249
#19 0x000000000072bf6e in ring::video::VideoInput::process (this=0x617000056010) at video_input.cpp:162
#20 0x0000000000734c5e in std::_Mem_fn_base<void (ring::video::VideoInput::*)(), true>::operator()<, void>(ring::video::VideoInput*) const (this=0x6030008d4150, __object=0x617000056010)
at /usr/include/c++/5/functional:600
#21 0x0000000000733c35 in std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) (this=0x6030008d4150,
__args=<unknown type in /home/hlefeuvre/Development/ring-daemon/bin/dring, CU 0x75e7bf, DIE 0x79c8c4>) at /usr/include/c++/5/functional:1074
#22 0x0000000000732d87 in std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)>::operator()<, void>() (this=0x6030008d4150) at /usr/include/c++/5/functional:1133
#23 0x0000000000731e1f in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (ring::video::VideoInput::*)()> (ring::video::VideoInput*)> >::_M_invoke(std::_Any_data const&) (__functor=...)
at /usr/include/c++/5/functional:1871
```
This is CWE-416 but security implications are negligible IMO.
Hugo Lefeuvre
Hugo Lefeuvre
https://git.jami.net/savoirfairelinux/jami-daemon/-/issues/20
heap-use-after-free when canceling file transfer
2022-11-14T21:52:31Z
Hugo Lefeuvre
**Affects**: latest daemon master & earlier. Built with `-O0 -g -fsanitize=address`.
**How to reproduce**: Cancel a file transfer while the file is being sent. While it does not always happen, I managed to reproduce it twice.
**ASAN stacktrace no. 1**:
```
[1531169668.821|19662|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 0 devices for e6b11a4a3406609c079dcba364b199eac72f0882
[1531169668.821|19662|p2p.cpp :780 ] 0x62300000e110[CNX] aborted, no devices for e6b11a4a3406609c079dcba364b199eac72f0882
[1531169689.507|20021|p2p.cpp :316 ] [Account 9fba7138a1fc3f51] [CNX] request connection to e6b11a4a3406609c079dcba364b199eac72f0882
[1531169689.944|19677|p2p.cpp :585 ] [Account 9fba7138a1fc3f51] [CNX] rx DHT reply from e6b11a4a3406609c079dcba364b199eac72f0882
[1531169689.951|20021|p2p.cpp :342 ] [Account 9fba7138a1fc3f51] [CNX] connecting to TURN relay 158.69.203.51:19418
[1531169689.953|20021|p2p.cpp :354 ] [Account 9fba7138a1fc3f51] [CNX] start TLS session
[1531169689.954|20025|tls_session.cpp :738 ] [TLS] Start client session
[1531169689.970|20025|tls_session.cpp :446 ] [TLS] User identity loaded
[1531169689.970|20025|tls_session.cpp :833 ] [TLS] handshake
[1531169690.395|20025|tls_session.cpp :860 ] [TLS] session established: (TLS1.2)-(ANON-DH)-(AES-256-GCM)
[1531169690.395|20025|tls_session.cpp :866 ] [TLS] renogotiate with certificate authentification
[1531169690.395|20025|tls_session.cpp :833 ] [TLS] handshake
[1531169690.707|20025|tls_session.cpp :860 ] [TLS] session established: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA384)-(AES-256-GCM)
[1531169690.720|20026|peer_connection.cpp:540 ] [CNX] Peer connection to e6b11a4a3406609c079dcba364b199eac72f0882 ready
[1531169691.014|19662|ringaccount.cpp :2014 ] Buddy 60ba2209df97e8f6546f9cbb5b12ad08dbff7c4d online: (device: e6b11a4a3406609c079dcba364b199eac72f0882)
[1531169691.014|19662|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 1 devices for 60ba2209df97e8f6546f9cbb5b12ad08dbff7c4d
=================================================================
==19662==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500643c100 at pc 0x7f1b422bfe55 bp 0x7f1b2d68ad10 sp 0x7f1b2d68a4b8
WRITE of size 8191 at 0x62500643c100 thread T67
#0 0x7f1b422bfe54 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45e54)
#1 0x7f1b3f800216 in std::__basic_file<char>::xsgetn(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb0216)
#2 0x7f1b3f83b2e5 in std::basic_filebuf<char, std::char_traits<char> >::underflow() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xeb2e5)
#3 0x7f1b3f86dfec in std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x11dfec)
#4 0x7f1b3f83ac7d in std::basic_filebuf<char, std::char_traits<char> >::xsgetn(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xeac7d)
#5 0x7f1b3f8478ea in std::istream::read(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xf78ea)
#6 0x7f1b405b3964 in ring::SubOutgoingFileTransfer::read(std::vector<unsigned char, std::allocator<unsigned char> >&) const /home/hlefeuvre/Development/ring-daemon/src/data_transfer.cpp:339
#7 0x7f1b405938ae in _ZZN4ring14PeerConnection18PeerConnectionImpl9eventLoopEvENKUlRT_E_clISt10shared_ptrINS_6StreamEEEEDaS3_ (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xac18ae)
#8 0x7f1b405940b8 in handle_stream_list<std::vector<std::shared_ptr<ring::Stream> >, ring::PeerConnection::PeerConnectionImpl::eventLoop()::<lambda(auto:1&)> > /home/hlefeuvre/Development/ring-daemon/src/peer_connection.cpp:521
#9 0x7f1b40592409 in ring::PeerConnection::PeerConnectionImpl::eventLoop() /home/hlefeuvre/Development/ring-daemon/src/peer_connection.cpp:625
#10 0x7f1b4059e0c1 in ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1}::operator()() const /home/hlefeuvre/Development/ring-daemon/src/peer_connection.cpp:477
#11 0x7f1b405afa0d in void std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadda0d)
#12 0x7f1b405af8d9 in std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>::operator()() (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadd8d9)
#13 0x7f1b405af4ba in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::operator()() const (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadd4ba)
#14 0x7f1b405af04d in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void> >::_M_invoke(std::_Any_data const&) (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadd04d)
#15 0x7f1b4059f1d7 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/include/c++/5/functional:2267
#16 0x7f1b4059d48c in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/include/c++/5/future:527
#17 0x7f1b405a9e5a in void std::_Mem_fn_base<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), true>::operator()<std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*, void>(std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) const /usr/include/c++/5/functional:600
#18 0x7f1b405a88e6 in void std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1531
#19 0x7f1b405a5fdd in std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::operator()() /usr/include/c++/5/functional:1520
#20 0x7f1b405a240e in void std::__once_call_impl<std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> >() /usr/include/c++/5/mutex:706
#21 0x7f1b3f32ba98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)
#22 0x7f1b4058ead9 in __gthread_once /usr/include/x86_64-linux-gnu/c++/5/bits/gthr-default.h:699
#23 0x7f1b4059efc6 in void std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*>(std::once_flag&, void (std::__future_base::_State_baseV2::*&&)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*&&, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) /usr/include/c++/5/mutex:738
#24 0x7f1b4059cec3 in std::__future_base::_State_baseV2::_M_set_result(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>, bool) /usr/include/c++/5/future:387
#25 0x7f1b405ae61f in std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1}::operator()() const /usr/include/c++/5/future:1658
#26 0x7f1b405b1a83 in void std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadfa83)
#27 0x7f1b405b1879 in std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1} ()>::operator()() /usr/include/c++/5/functional:1520
#28 0x7f1b405b0953 in std::thread::_Impl<std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<
[1531169668.821|19662|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 0 devices for e6b11a4a3406609c079dcba364b199eac72f0882
[1531169668.821|19662|p2p.cpp :780 ] 0x62300000e110[CNX] aborted, no devices for e6b11a4a3406609c079dcba364b199eac72f0882
[1531169689.507|20021|p2p.cpp :316 ] [Account 9fba7138a1fc3f51] [CNX] request connection to e6b11a4a3406609c079dcba364b199eac72f0882
[1531169689.944|19677|p2p.cpp :585 ] [Account 9fba7138a1fc3f51] [CNX] rx DHT reply from e6b11a4a3406609c079dcba364b199eac72f0882
[1531169689.951|20021|p2p.cpp :342 ] [Account 9fba7138a1fc3f51] [CNX] connecting to TURN relay 158.69.203.51:19418
[1531169689.953|20021|p2p.cpp :354 ] [Account 9fba7138a1fc3f51] [CNX] start TLS session
[1531169689.954|20025|tls_session.cpp :738 ] [TLS] Start client session
[1531169689.970|20025|tls_session.cpp :446 ] [TLS] User identity loaded
[1531169689.970|20025|tls_session.cpp :833 ] [TLS] handshake
[1531169690.395|20025|tls_session.cpp :860 ] [TLS] session established: (TLS1.2)-(ANON-DH)-(AES-256-GCM)
[1531169690.395|20025|tls_session.cpp :866 ] [TLS] renogotiate with certificate authentification
[1531169690.395|20025|tls_session.cpp :833 ] [TLS] handshake
[1531169690.707|20025|tls_session.cpp :860 ] [TLS] session established: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA384)-(AES-256-GCM)
[1531169690.720|20026|peer_connection.cpp:540 ] [CNX] Peer connection to e6b11a4a3406609c079dcba364b199eac72f0882 ready
[1531169691.014|19662|ringaccount.cpp :2014 ] Buddy 60ba2209df97e8f6546f9cbb5b12ad08dbff7c4d online: (device: e6b11a4a3406609c079dcba364b199eac72f0882)
[1531169691.014|19662|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 1 devices for 60ba2209df97e8f6546f9cbb5b12ad08dbff7c4d
=================================================================
==19662==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500643c100 at pc 0x7f1b422bfe55 bp 0x7f1b2d68ad10 sp 0x7f1b2d68a4b8
WRITE of size 8191 at 0x62500643c100 thread T67
#0 0x7f1b422bfe54 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45e54)
#1 0x7f1b3f800216 in std::__basic_file<char>::xsgetn(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb0216)
#2 0x7f1b3f83b2e5 in std::basic_filebuf<char, std::char_traits<char> >::underflow() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xeb2e5)
#3 0x7f1b3f86dfec in std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x11dfec)
#4 0x7f1b3f83ac7d in std::basic_filebuf<char, std::char_traits<char> >::xsgetn(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xeac7d)
#5 0x7f1b3f8478ea in std::istream::read(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xf78ea)
#6 0x7f1b405b3964 in ring::SubOutgoingFileTransfer::read(std::vector<unsigned char, std::allocator<unsigned char> >&) const /home/hlefeuvre/Development/ring-daemon/src/data_transfer.cpp:339
#7 0x7f1b405938ae in _ZZN4ring14PeerConnection18PeerConnectionImpl9eventLoopEvENKUlRT_E_clISt10shared_ptrINS_6StreamEEEEDaS3_ (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xac18ae)
#8 0x7f1b405940b8 in handle_stream_list<std::vector<std::shared_ptr<ring::Stream> >, ring::PeerConnection::PeerConnectionImpl::eventLoop()::<lambda(auto:1&)> > /home/hlefeuvre/Development/ring-daemon/src/peer_connection.cpp:521
#9 0x7f1b40592409 in ring::PeerConnection::PeerConnectionImpl::eventLoop() /home/hlefeuvre/Development/ring-daemon/src/peer_connection.cpp:625
#10 0x7f1b4059e0c1 in ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1}::operator()() const /home/hlefeuvre/Development/ring-daemon/src/peer_connection.cpp:477
#11 0x7f1b405afa0d in void std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadda0d)
#12 0x7f1b405af8d9 in std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>::operator()() (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadd8d9)
#13 0x7f1b405af4ba in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::operator()() const (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadd4ba)
#14 0x7f1b405af04d in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void> >::_M_invoke(std::_Any_data const&) (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadd04d)
#15 0x7f1b4059f1d7 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/include/c++/5/functional:2267
#16 0x7f1b4059d48c in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/include/c++/5/future:527
#17 0x7f1b405a9e5a in void std::_Mem_fn_base<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), true>::operator()<std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*, void>(std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) const /usr/include/c++/5/functional:600
#18 0x7f1b405a88e6 in void std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1531
#19 0x7f1b405a5fdd in std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::operator()() /usr/include/c++/5/functional:1520
#20 0x7f1b405a240e in void std::__once_call_impl<std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> >() /usr/include/c++/5/mutex:706
#21 0x7f1b3f32ba98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)
#22 0x7f1b4058ead9 in __gthread_once /usr/include/x86_64-linux-gnu/c++/5/bits/gthr-default.h:699
#23 0x7f1b4059efc6 in void std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*>(std::once_flag&, void (std::__future_base::_State_baseV2::*&&)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*&&, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) /usr/include/c++/5/mutex:738
#24 0x7f1b4059cec3 in std::__future_base::_State_baseV2::_M_set_result(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>, bool) /usr/include/c++/5/future:387
#25 0x7f1b405ae61f in std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1}::operator()() const /usr/include/c++/5/future:1658
#26 0x7f1b405b1a83 in void std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadfa83)
#27 0x7f1b405b1879 in std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1} ()>::operator()() /usr/include/c++/5/functional:1520
#28 0x7f1b405b0953 in std::thread::_Impl<std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1} ()> >::_M_run() (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xade953)
#29 0x7f1b3f808c7f (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8c7f)
#30 0x7f1b3f3246b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#31 0x7f1b3f05a41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x62500643c100 is located 0 bytes inside of 8192-byte region [0x62500643c100,0x62500643e100)
freed by thread T0 here:
#0 0x7f1b42313caa in operator delete[](void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99caa)
#1 0x7f1b3f83c49d in std::basic_filebuf<char, std::char_traits<char> >::_M_destroy_internal_buffer() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xec49d)
previously allocated by thread T65 here:
#0 0x7f1b423136b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x7f1b3f83c467 in std::basic_filebuf<char, std::char_traits<char> >::_M_allocate_internal_buffer() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xec467)
Thread T67 created by T65 here:
#0 0x7f1b422b0253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7f1b3f808dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
Thread T65 created by T2 here:
#0 0x7f1b422b0253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7f1b3f808dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
Thread T2 created by T0 here:
#0 0x7f1b422b0253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7f1b3f808dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c4a80c7f7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a80c7f7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a80c7f7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a80c7f800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a80c7f810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a80c7f820:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80c7f830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80c7f840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80c7f850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80c7f860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a80c7f870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==19662==ABORTING
```
**ASAN stacktrace no. 2**:
```
[1531170202.639|20292|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 0 devices for e6b11a4a3406609c079dcba364b199eac72f0882
[1531170202.640|20292|p2p.cpp :780 ] 0x62300000e110[CNX] aborted, no devices for e6b11a4a3406609c079dcba364b199eac72f0882
[1531170213.541|20605|p2p.cpp :316 ] [Account 9fba7138a1fc3f51] [CNX] request connection to e6b11a4a3406609c079dcba364b199eac72f0882
[1531170213.959|20307|p2p.cpp :585 ] [Account 9fba7138a1fc3f51] [CNX] rx DHT reply from e6b11a4a3406609c079dcba364b199eac72f0882
[1531170213.965|20605|p2p.cpp :342 ] [Account 9fba7138a1fc3f51] [CNX] connecting to TURN relay 158.69.203.51:19418
[1531170213.968|20605|p2p.cpp :354 ] [Account 9fba7138a1fc3f51] [CNX] start TLS session
[1531170213.968|20606|tls_session.cpp :738 ] [TLS] Start client session
[1531170213.982|20606|tls_session.cpp :446 ] [TLS] User identity loaded
[1531170213.982|20606|tls_session.cpp :833 ] [TLS] handshake
[1531170214.404|20292|ringaccount.cpp :2014 ] Buddy 60ba2209df97e8f6546f9cbb5b12ad08dbff7c4d online: (device: e6b11a4a3406609c079dcba364b199eac72f0882)
[1531170214.404|20292|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 1 devices for 60ba2209df97e8f6546f9cbb5b12ad08dbff7c4d
[1531170214.412|20606|tls_session.cpp :860 ] [TLS] session established: (TLS1.2)-(ANON-DH)-(AES-256-GCM)
[1531170214.412|20606|tls_session.cpp :866 ] [TLS] renogotiate with certificate authentification
[1531170214.412|20606|tls_session.cpp :833 ] [TLS] handshake
[1531170214.727|20606|tls_session.cpp :860 ] [TLS] session established: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA384)-(AES-256-GCM)
[1531170214.746|20607|peer_connection.cpp:540 ] [CNX] Peer connection to e6b11a4a3406609c079dcba364b199eac72f0882 ready
=================================================================
==20292==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500817e100 at pc 0x7fb0cc92fe55 bp 0x7fb0b8cdfd10 sp 0x7fb0b8cdf4b8
WRITE of size 8191 at 0x62500817e100 thread T73
#0 0x7fb0cc92fe54 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45e54)
#1 0x7fb0c9e70216 in std::__basic_file<char>::xsgetn(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb0216)
#2 0x7fb0c9eab2e5 in std::basic_filebuf<char, std::char_traits<char> >::underflow() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xeb2e5)
#3 0x7fb0c9eddfec in std::basic_streambuf<char, std::char_traits<char> >::xsgetn(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x11dfec)
#4 0x7fb0c9eaac7d in std::basic_filebuf<char, std::char_traits<char> >::xsgetn(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xeac7d)
#5 0x7fb0c9eb78ea in std::istream::read(char*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xf78ea)
#6 0x7fb0cac23964 in ring::SubOutgoingFileTransfer::read(std::vector<unsigned char, std::allocator<unsigned char> >&) const /home/hlefeuvre/Development/ring-daemon/src/data_transfer.cpp:339
#7 0x7fb0cac038ae in _ZZN4ring14PeerConnection18PeerConnectionImpl9eventLoopEvENKUlRT_E_clISt10shared_ptrINS_6StreamEEEEDaS3_ (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xac18ae)
#8 0x7fb0cac040b8 in handle_stream_list<std::vector<std::shared_ptr<ring::Stream> >, ring::PeerConnection::PeerConnectionImpl::eventLoop()::<lambda(auto:1&)> > /home/hlefeuvre/Development/ring-daemon/src/peer_connection.cpp:521
#9 0x7fb0cac02409 in ring::PeerConnection::PeerConnectionImpl::eventLoop() /home/hlefeuvre/Development/ring-daemon/src/peer_connection.cpp:625
#10 0x7fb0cac0e0c1 in ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1}::operator()() const /home/hlefeuvre/Development/ring-daemon/src/peer_connection.cpp:477
#11 0x7fb0cac1fa0d in void std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadda0d)
#12 0x7fb0cac1f8d9 in std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>::operator()() (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadd8d9)
#13 0x7fb0cac1f4ba in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::operator()() const (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadd4ba)
#14 0x7fb0cac1f04d in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void> >::_M_invoke(std::_Any_data const&) (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadd04d)
#15 0x7fb0cac0f1d7 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/include/c++/5/functional:2267
#16 0x7fb0cac0d48c in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/include/c++/5/future:527
#17 0x7fb0cac19e5a in void std::_Mem_fn_base<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), true>::operator()<std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*, void>(std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) const /usr/include/c++/5/functional:600
#18 0x7fb0cac188e6 in void std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1531
#19 0x7fb0cac15fdd in std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::operator()() /usr/include/c++/5/functional:1520
#20 0x7fb0cac1240e in void std::__once_call_impl<std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> >() /usr/include/c++/5/mutex:706
#21 0x7fb0c999ba98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)
#22 0x7fb0cabfead9 in __gthread_once /usr/include/x86_64-linux-gnu/c++/5/bits/gthr-default.h:699
#23 0x7fb0cac0efc6 in void std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*>(std::once_flag&, void (std::__future_base::_State_baseV2::*&&)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*&&, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) /usr/include/c++/5/mutex:738
#24 0x7fb0cac0cec3 in std::__future_base::_State_baseV2::_M_set_result(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>, bool) /usr/include/c++/5/future:387
#25 0x7fb0cac1e61f in std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1}::operator()() const /usr/include/c++/5/future:1658
#26 0x7fb0cac21a83 in void std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xadfa83)
#27 0x7fb0cac21879 in std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1} ()>::operator()() /usr/include/c++/5/functional:1520
#28 0x7fb0cac20953 in std::thread::_Impl<std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} ()>, void>::_Async_state_impl(ring::PeerConnection::PeerConnectionImpl::PeerConnectionImpl(std::function<void ()>&&, ring::Account&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::unique_ptr<ring::GenericSocket<unsigned char>, std::default_delete<ring::GenericSocket<unsigned char> > >)::{lambda()#1} (&&)())::{lambda()#1} ()> >::_M_run() (/home/hlefeuvre/Development/ring-daemon/src/.libs/libring.so.0+0xade953)
#29 0x7fb0c9e78c7f (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8c7f)
#30 0x7fb0c99946b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#31 0x7fb0c96ca41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x62500817e100 is located 0 bytes inside of 8192-byte region [0x62500817e100,0x625008180100)
freed by thread T0 here:
#0 0x7fb0cc983caa in operator delete[](void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99caa)
#1 0x7fb0c9eac49d in std::basic_filebuf<char, std::char_traits<char> >::_M_destroy_internal_buffer() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xec49d)
previously allocated by thread T71 here:
#0 0x7fb0cc9836b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x7fb0c9eac467 in std::basic_filebuf<char, std::char_traits<char> >::_M_allocate_internal_buffer() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xec467)
Thread T73 created by T71 here:
#0 0x7fb0cc920253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7fb0c9e78dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
Thread T71 created by T2 here:
#0 0x7fb0cc920253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7fb0c9e78dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
Thread T2 created by T0 here:
#0 0x7fb0cc920253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7fb0c9e78dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c4a81027bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a81027be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a81027bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a81027c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a81027c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a81027c20:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a81027c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a81027c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a81027c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a81027c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a81027c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==20292==ABORTING
```
This bug has potential security implications (CWE-416).
Gnome 2018.07.15
Sébastien Blin
Sébastien Blin
https://git.jami.net/savoirfairelinux/jami-daemon/-/issues/18
heap-buffer-overflow (OOB read) in msgData
2022-11-14T21:52:31Z
Hugo Lefeuvre
**Affected**: latest daemon master & earlier. Built with `-O0 -g -fsanitize=address`
**How to reproduce**: Don't know, crash happened in background
**ASAN stacktrace**:
```
[1530642849.947|14374|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 1 devices for dfbf26a7e179df1c820b6228337b87387aa18461
[1530642850.099|14374|ringaccount.cpp :2014 ] Buddy ded6a9d278d05adac3265a0a69d07bd264e0861a online: (device: 8cab8a934b6fa5965e7c6924afb9a3487751045a)
[1530642850.099|14374|ringaccount.cpp :3274 ] [Account 9fba7138a1fc3f51] found 1 devices for ded6a9d278d05adac3265a0a69d07bd264e0861a
[1530643018.062|20911|p2p.cpp :316 ] [Account 9fba7138a1fc3f51] [CNX] request connection to 59e730f3484cd99742ad4a98cd3f55fc93070d92
[1530643038.063|20911|p2p.cpp :273 ] [CNX] exception during client processing: no response from DHT to E2E request
=================================================================
==14374==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000280378 at pc 0x7fed8da2f0b9 bp 0x7fed820de900 sp 0x7fed820de8f0
READ of size 20 at 0x603000280378 thread T2
#0 0x7fed8da2f0b8 in msgData<0ul, (ring::<unnamed>::CtrlMsgType)1, std::tuple<ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)0, void>, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)1, std::tuple<dht::Hash<20ul>, long unsigned int> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)2, std::tuple<ring::IpAddr> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)3, std::tuple<ring::IpAddr> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)4, std::tuple<ring::(anonymous namespace)::PeerConnectionMsg> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)5, std::tuple<ring::(anonymous namespace)::PeerConnectionMsg> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)6, std::tuple<dht::Hash<20ul>, long unsigned int, std::shared_ptr<dht::crypto::Certificate>, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::function<void(ring::PeerConnection*)> > > >, ring::(anonymous namespace)::CtrlMsgBase> /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:161
#1 0x7fed8da2f108 in ctrlMsgData<(ring::<unnamed>::CtrlMsgType)1, 0ul, ring::(anonymous namespace)::CtrlMsgBase> /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:186
#2 0x7fed8da2fcca in ring::DhtPeerConnector::Impl::eventLoop() /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:637
#3 0x7fed8da416ff in ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1}::operator()() const /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:200
#4 0x7fed8da5de79 in void std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) /usr/include/c++/5/functional:1531
#5 0x7fed8da5d973 in std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>::operator()() /usr/include/c++/5/functional:1520
#6 0x7fed8da5cf58 in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::operator()() const /usr/include/c++/5/future:1342
#7 0x7fed8da5c619 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void> >::_M_invoke(std::_Any_data const&) /usr/include/c++/5/functional:1857
#8 0x7fed8d71c1d7 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/include/c++/5/functional:2267
#9 0x7fed8d71a48c in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/include/c++/5/future:527
#10 0x7fed8d726e5a in void std::_Mem_fn_base<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), true>::operator()<std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*, void>(std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) const /usr/include/c++/5/functional:600
#11 0x7fed8d7258e6 in void std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1531
#12 0x7fed8d722fdd in std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::operator()() /usr/include/c++/5/functional:1520
#13 0x7fed8d71f40e in void std::__once_call_impl<std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> >() /usr/include/c++/5/mutex:706
#14 0x7fed8c4a8a98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)
#15 0x7fed8d70bad9 in __gthread_once /usr/include/x86_64-linux-gnu/c++/5/bits/gthr-default.h:699
#16 0x7fed8d71bfc6 in void std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*>(std::once_flag&, void (std::__future_base::_State_baseV2::*&&)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*&&, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) /usr/include/c++/5/mutex:738
#17 0x7fed8d719ec3 in std::__future_base::_State_baseV2::_M_set_result(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>, bool) /usr/include/c++/5/future:387
#18 0x7fed8da5b161 in std::__future_base::_Async_state_impl<std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::_Async_state_impl(ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} (&&)())::{lambda()#1}::operator()() const /usr/include/c++/5/future:1658
#19 0x7fed8da61805 in void std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::_Async_state_impl(ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} (&&)())::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) /usr/include/c++/5/functional:1531
#20 0x7fed8da61505 in std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::_Async_state_impl(ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} (&&)())::{lambda()#1} ()>::operator()() /usr/include/c++/5/functional:1520
#21 0x7fed8da6019b in std::thread::_Impl<std::_Bind_simple<std::__future_base::_Async_state_impl<std::_Bind_simple<ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} ()>, void>::_Async_state_impl(ring::DhtPeerConnector::Impl::Impl(ring::RingAccount&)::{lambda()#1} (&&)())::{lambda()#1} ()> >::_M_run() /usr/include/c++/5/thread:115
#22 0x7fed8c985c7f (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8c7f)
#23 0x7fed8c4a16b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#24 0x7fed8c1d741c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
0x603000280380 is located 0 bytes to the right of 32-byte region [0x603000280360,0x603000280380)
allocated by thread T445 here:
#0 0x7fed8f490532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x7fed8da32682 in make_unique<ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)1, std::tuple<dht::Hash<20ul> > >, const dht::Hash<20ul>&> /usr/include/c++/5/bits/unique_ptr.h:765
#2 0x7fed8da2a5ec in makeMsg<(ring::<unnamed>::CtrlMsgType)1, dht::Hash<20ul> > /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:153
#3 0x7fed8da426b6 in ring::DhtPeerConnector::Impl::ClientConnector::cancel() /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:299
#4 0x7fed8da41f47 in ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1}::operator()() const /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:274
#5 0x7fed8da5df37 in void std::_Bind_simple<ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1} ()>::_M_invoke<>(std::_Index_tuple<>) /usr/include/c++/5/functional:1531
#6 0x7fed8da5da9f in std::_Bind_simple<ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1} ()>::operator()() /usr/include/c++/5/functional:1520
#7 0x7fed8da5d43c in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1} ()>, void>::operator()() const /usr/include/c++/5/future:1342
#8 0x7fed8da5ca2a in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<void>, std::__future_base::_Result_base::_Deleter>, std::_Bind_simple<ring::DhtPeerConnector::Impl::ClientConnector::ClientConnector(ring::DhtPeerConnector::Impl&, dht::Hash<20ul> const&, std::shared_ptr<dht::crypto::Certificate> const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::function<void (ring::PeerConnection*)> const&)::{lambda()#1} ()>, void> >::_M_invoke(std::_Any_data const&) /usr/include/c++/5/functional:1857
#9 0x7fed8d71c1d7 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/include/c++/5/functional:2267
#10 0x7fed8d71a48c in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/include/c++/5/future:527
#11 0x7fed8d726e5a in void std::_Mem_fn_base<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), true>::operator()<std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*, void>(std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) const /usr/include/c++/5/functional:600
#12 0x7fed8d7258e6 in void std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1531
#13 0x7fed8d722fdd in std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>::operator()() /usr/include/c++/5/functional:1520
#14 0x7fed8d71f40e in void std::__once_call_impl<std::_Bind_simple<std::_Mem_fn<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> (std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)> >() /usr/include/c++/5/mutex:706
#15 0x7fed8c4a8a98 in __pthread_once_slow (/lib/x86_64-linux-gnu/libpthread.so.0+0xea98)
Thread T2 created by T0 here:
#0 0x7fed8f42d253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7fed8c985dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
Thread T445 created by T2 here:
#0 0x7fed8f42d253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x7fed8c985dc2 in std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>, void (*)()) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xb8dc2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hlefeuvre/Development/ring-daemon/src/ringdht/p2p.cpp:161 msgData<0ul, (ring::<unnamed>::CtrlMsgType)1, std::tuple<ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)0, void>, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)1, std::tuple<dht::Hash<20ul>, long unsigned int> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)2, std::tuple<ring::IpAddr> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)3, std::tuple<ring::IpAddr> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)4, std::tuple<ring::(anonymous namespace)::PeerConnectionMsg> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)5, std::tuple<ring::(anonymous namespace)::PeerConnectionMsg> >, ring::(anonymous namespace)::CtrlMsg<(ring::<unnamed>::CtrlMsgType)6, std::tuple<dht::Hash<20ul>, long unsigned int, std::shared_ptr<dht::crypto::Certificate>, std::vector<std::__cxx11::basic_strin
Shadow bytes around the buggy address:
0x0c0680048010: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
0x0c0680048020: fa fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
0x0c0680048030: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680048040: fa fa fa fa fa fa fa fa fd fd fd fd fa fa fd fd
0x0c0680048050: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
=>0x0c0680048060: fa fa fa fa fa fa fd fd fd fd fa fa 00 00 00[00]
0x0c0680048070: fa fa fd fd fd fa fa fa fa fa fa fa fa fa 00 00
0x0c0680048080: 00 00 fa fa fa fa fa fa fa fa fd fd fd fa fa fa
0x0c0680048090: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c06800480a0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c06800480b0: fd fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==14374==ABORTING
```
This bug has potential security implications (CWE-125).
Gnome 2018.07.15
Sébastien Blin
Sébastien Blin