[ https://issues.apache.org/jira/browse/GUACAMOLE-979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mike Jumper updated GUACAMOLE-979:
----------------------------------

    Summary: RDP settings strings may be double-freed  (was: RemoteApp settings memory may be double-freed)

> RDP settings strings may be double-freed
> ----------------------------------------
>
>                 Key: GUACAMOLE-979
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-979
>             Project: Guacamole
>          Issue Type: Bug
>          Components: RDP
>    Affects Versions: 1.1.0
>            Reporter: Mike Jumper
>            Assignee: Mike Jumper
>            Priority: Minor
>             Fix For: 1.2.0
>
>
> As of 1.1.0, a double-free may occur during cleanup of an RDP connection if
> RemoteApp was used:
> {code:none}
> guacd[6]: INFO: Guacamole proxy daemon (guacd) version 1.1.0 started
> guacd[6]: INFO: Listening on host 0.0.0.0, port 4822
> guacd[6]: INFO: Creating new client for protocol "rdp"
> guacd[6]: INFO: Connection ID is "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6"
> guacd[254]: INFO: Security mode: NLA
> guacd[254]: INFO: Resize method: none
> guacd[254]: INFO: User "@c2acad05-7635-4de6-8741-661c65cce4a0" joined
> connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" (1 users now present)
> guacd[254]: INFO: Loading keymap "base"
> guacd[254]: INFO: Loading keymap "en-us-qwerty"
> guacd[254]: INFO: Connected to RDPDR 1.13 as client 0x0008
> guacd[254]: INFO: Connected to RDPDR 1.13 as client 0x0007
> guacd[254]: INFO: RDPDR user logged on
> guacd[254]: INFO: RDP server closed connection: Manually disconnected.
> guacd[254]: INFO: User "@c2acad05-7635-4de6-8741-661c65cce4a0"
> disconnected (0 users remain)
> guacd[254]: INFO: Last user of connection
> "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" disconnected
> guacd[254]: INFO: Internal RDP client disconnected
> double free or corruption (fasttop)
> guacd[6]: INFO: Connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6"
> removed.
> {code}
> The double-free occurs within {{guac_rdp_settings_free()}}:
> {code:none}
> Thread 2.15 "guacd" received signal SIGABRT, Aborted.
> [Switching to Thread 0x7fbcfbfff700 (LWP 556)]
> __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> 50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) bt
> ...
> #5  0x00007fbd005a60bd in guac_rdp_settings_free (settings=0x7fbcf400d200)
>     at settings.c:1018
> #6  0x00007fbd005a056d in guac_rdp_client_free_handler (client=<optimized out>)
>     at client.c:179
> #7  0x00007fbd029f5442 in guac_client_free (client=0x7fbcfc00b2f0)
>     at client.c:195
> #8  0x000055b87847e5c5 in guacd_client_free_thread (data=0x7fbd00dcac40)
>     at proc.c:219
> #9  0x00007fbd02606fa3 in start_thread (arg=<optimized out>)
>     at pthread_create.c:486
> #10 0x00007fbd01f434cf in clone ()
>     at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
> (gdb)
> {code}
> The relevant line is where {{settings->remote_app}} is being freed:
> {code:c}
> /* Free settings strings */
> ...
> free(settings->remote_app); // <--- Line 1018
> free(settings->remote_app_args);
> free(settings->remote_app_dir);
> {code}
> It appears that the RAIL channel implementation within FreeRDP 2.0.0 now
> automatically frees these strings, resulting in a double-free when we attempt
> to do the same.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
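An added example, not code from the Guacamole or FreeRDP projects: a reduced C model of the ownership problem the issue describes. The `rdp_settings` struct (field names taken from the issue text), the `rail_channel` stand-in for the library object, and the sample RemoteApp values are all assumptions made for illustration. It shows the two ways to keep a string that was handed to a library from being freed twice: move ownership and NULL the source pointer, or give the library its own copy. `rdp_settings_owned()` reports how many strings the settings object still holds, so the cleanup order can be checked before it runs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reduced model of the RemoteApp strings named in the issue. The field names
 * follow the issue text; the struct is an illustration, not the definition
 * from guacamole-server. */
typedef struct rdp_settings {
    char *remote_app;
    char *remote_app_args;
    char *remote_app_dir;
} rdp_settings;

/* Hypothetical stand-in for a library object (the RAIL channel in the issue)
 * whose own cleanup frees every string it was handed. */
typedef struct rail_channel {
    char *app;
    char *args;
    char *dir;
} rail_channel;

/* Local strdup replacement so the example needs only ISO C. */
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy == NULL) { perror("malloc"); exit(EXIT_FAILURE); }
    memcpy(copy, s, n);
    return copy;
}

rdp_settings *rdp_settings_new(const char *app, const char *args, const char *dir) {
    rdp_settings *s = calloc(1, sizeof *s);
    if (s == NULL) { perror("calloc"); exit(EXIT_FAILURE); }
    s->remote_app      = xstrdup(app);
    s->remote_app_args = xstrdup(args);
    s->remote_app_dir  = xstrdup(dir);
    return s;
}

/* Strings the settings object still owns: 3 before any hand-off, 0 after
 * ownership has moved to the library. */
int rdp_settings_owned(const rdp_settings *s) {
    return (s->remote_app != NULL) + (s->remote_app_args != NULL)
         + (s->remote_app_dir != NULL);
}

/* Same shape as the cleanup in the issue. free(NULL) is a no-op, so this is
 * safe exactly when every pointer still belongs to the settings object. */
void rdp_settings_free(rdp_settings *s) {
    if (s == NULL) return;
    free(s->remote_app);
    free(s->remote_app_args);
    free(s->remote_app_dir);
    free(s);
}

/* The library frees what it holds. If these pointers alias the settings
 * strings, the two cleanups together are the "double free or corruption"
 * abort seen in the log. */
void rail_channel_free(rail_channel *c) {
    if (c == NULL) return;
    free(c->app);
    free(c->args);
    free(c->dir);
    free(c);
}

/* Strategy 1, move: transfer the pointers and NULL the source fields so
 * rdp_settings_free() has nothing left to release. */
rail_channel *rail_attach_move(rdp_settings *s) {
    rail_channel *c = calloc(1, sizeof *c);
    if (c == NULL) { perror("calloc"); exit(EXIT_FAILURE); }
    c->app  = s->remote_app;      s->remote_app      = NULL;
    c->args = s->remote_app_args; s->remote_app_args = NULL;
    c->dir  = s->remote_app_dir;  s->remote_app_dir  = NULL;
    return c;
}

/* Strategy 2, copy: the library gets allocations of its own, and each side
 * frees only what it allocated. */
rail_channel *rail_attach_copy(const rdp_settings *s) {
    rail_channel *c = calloc(1, sizeof *c);
    if (c == NULL) { perror("calloc"); exit(EXIT_FAILURE); }
    c->app  = xstrdup(s->remote_app);
    c->args = xstrdup(s->remote_app_args);
    c->dir  = xstrdup(s->remote_app_dir);
    return c;
}

int main(void) {
    /* Constructed sample values, not taken from a real connection. */
    rdp_settings *s = rdp_settings_new("||notepad", "C:\\notes.txt", "C:\\");
    rail_channel *c = rail_attach_move(s);
    printf("after move, settings still owns %d strings\n", rdp_settings_owned(s));
    rail_channel_free(c);
    rdp_settings_free(s);  /* frees three NULLs and the struct: no double free */

    s = rdp_settings_new("||notepad", "C:\\notes.txt", "C:\\");
    c = rail_attach_copy(s);
    printf("after copy, settings still owns %d strings\n", rdp_settings_owned(s));
    rail_channel_free(c);
    rdp_settings_free(s);  /* frees its own three copies: no double free */
    return 0;
}
```

The move strategy is the cheaper fix when the library is documented as taking ownership, because the source side then has nothing to free and a later cleanup that forgets the hand-off is still harmless. The copy strategy costs an allocation per string but keeps the two lifetimes independent, which matters when the library may free its copy before the settings object goes away. To observe the failure mode itself, alias the pointers without NULLing them and free both sides; glibc aborts with the message in the log, and building with `-fsanitize=address` reports the second free with both allocation and free stacks.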