URL:
  <http://gna.org/bugs/?16851>

                 Summary: use after free by diplomat_bribe()
                 Project: Freeciv
            Submitted by: kernigh
            Submitted on: Monday 10/11/2010 at 03:03
                Category: None
                Severity: 2 - Minor
                Priority: 5 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: trunk r18200
         Discussion Lock: Any
        Operating System: *BSD
         Planned Release: 

    _______________________________________________________

Details:

The trunk version of diplomat_bribe() continues to use struct unit *pvictim
after unit_change_owner() frees it.

Longturn players found this problem when LTeX, the Longturn experimental
game, crashed after they ported a feature from trunk to their server, which
is a variant of Freeciv 2.2.1. http://redmine.pagema.net/issues/237#note-23

Longturn admin Maho made a fix which prevents a failed assertion, but still
uses *pvictim after free. Longturn (with the fix) only crashes if I use
OpenBSD libc MALLOC_OPTIONS=J to fill the free memory with junk. Gna trunk
only crashes if I use MALLOC_OPTIONS=J.

I am attaching a slightly different fix (for Gna trunk) which does not crash
when I use MALLOC_OPTIONS=J. I am also attaching an example game where a
Diplomat can bribe a Galleon.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Monday 10/11/2010 at 03:03  Name: ptrunk-bribe-unit.diff  Size: 1kB  
By: kernigh
proposed fix; example game
<http://gna.org/bugs/download.php?file_id=10706>
-------------------------------------------------------
Date: Monday 10/11/2010 at 03:03  Name: bribe-galleon-trunk.sav.bz2  Size:
11kB   By: kernigh
proposed fix; example game
<http://gna.org/bugs/download.php?file_id=10707>

    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?16851>

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
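Added example, not code from this report or from Freeciv: a self-contained C model of the defect kernigh describes, a caller that keeps dereferencing pvictim after unit_change_owner() has freed it, next to the hardened form, and why the dangling read only crashes under a junk-filling allocator such as OpenBSD's MALLOC_OPTIONS=J. The struct unit layout, the fixed-slot pool standing in for malloc(), the signature and return value of unit_change_owner(), and the diplomat_bribe_unsafe()/diplomat_bribe_safe()/run_scenario() functions are all assumptions made for the illustration, not Freeciv's real API.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8
#define JUNK_BYTE 0xd0   /* fill byte OpenBSD's MALLOC_OPTIONS=J writes over freed memory */

/* Hypothetical stand-in for Freeciv's struct unit; only the fields this example needs. */
struct unit {
  int id;
  int owner;
  int in_use;   /* pool bookkeeping for this model, not a game field */
};

/* A fixed pool instead of malloc(), so that reading a freed slot stays defined
 * behaviour in this model while still showing what a junk-filling allocator does. */
static struct unit pool[POOL_SIZE];
static int next_unit_id = 1;
static bool junk_on_free = false;   /* true emulates MALLOC_OPTIONS=J */

void pool_reset(bool junk) {
  memset(pool, 0, sizeof pool);
  next_unit_id = 1;
  junk_on_free = junk;
}

static struct unit *unit_alloc(int owner) {
  for (int i = 0; i < POOL_SIZE; i++) {
    if (!pool[i].in_use) {
      pool[i].id = next_unit_id++;
      pool[i].owner = owner;
      pool[i].in_use = 1;
      return &pool[i];
    }
  }
  return NULL;
}

static void unit_free(struct unit *punit) {
  if (junk_on_free) {
    memset(punit, JUNK_BYTE, sizeof *punit);   /* what MALLOC_OPTIONS=J does */
  }
  punit->in_use = 0;
}

/* Hypothetical model of unit_change_owner(): the unit is re-created for the new
 * owner and the old object is freed, so the caller's old pointer dangles.
 * The real function's signature and return type are not taken from this page. */
struct unit *unit_change_owner(struct unit *punit, int new_owner) {
  struct unit *pnew = unit_alloc(new_owner);
  if (pnew == NULL) {
    return NULL;   /* nothing freed on failure */
  }
  unit_free(punit);
  return pnew;
}

/* The pattern the report describes: pvictim is still dereferenced after
 * unit_change_owner() has freed it. Without junk fill the stale bytes look
 * valid and the bug is silent; with junk fill the read returns garbage. */
int diplomat_bribe_unsafe(struct unit *pvictim, int briber) {
  unit_change_owner(pvictim, briber);
  return pvictim->owner;   /* use after free */
}

/* Hardened form: read what is needed from pvictim before the call, then use
 * only the object unit_change_owner() returned and never touch pvictim again. */
int diplomat_bribe_safe(struct unit *pvictim, int briber) {
  int old_owner = pvictim->owner;   /* captured while the object is alive */
  struct unit *pnew = unit_change_owner(pvictim, briber);
  if (pnew == NULL) {
    return old_owner;   /* change failed, the victim still exists */
  }
  return pnew->owner;
}

/* Runs one bribe on a freshly allocated unit owned by player 2, bribed by player 1,
 * and returns the owner value the bribe routine read back. */
int run_scenario(bool junk, bool use_safe) {
  pool_reset(junk);
  struct unit *galleon = unit_alloc(2);
  return use_safe ? diplomat_bribe_safe(galleon, 1)
                  : diplomat_bribe_unsafe(galleon, 1);
}

int main(void) {
  for (int junk = 0; junk < 2; junk++) {
    printf("junk=%d unsafe read owner=%d, safe read owner=%d (briber is 1)\n",
           junk, run_scenario(junk, false), run_scenario(junk, true));
  }
  return 0;
}
```

Without junk fill the unsafe routine returns the previous owner, 2, which looks plausible and is why the bug went unnoticed; with junk fill it returns whatever 0xd0 bytes decode to, and in real code a junk-filled pointer field would fault. The same defect is caught deterministically by building with AddressSanitizer (-fsanitize=address), which poisons freed memory the way MALLOC_OPTIONS=J does but also reports the offending line.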