[
https://issues.apache.org/jira/browse/GUACAMOLE-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17266313#comment-17266313
]
Mike Jumper commented on GUACAMOLE-1263:
----------------------------------------
*NOTE:* The change in behavior is due to libvncclient commit
[597473b|https://github.com/LibVNC/libvncserver/commit/597473be045c044771e07d2179bcfa5a365ef617],
present since their 0.9.12 release:
{code:none}
commit 597473be045c044771e07d2179bcfa5a365ef617
Author: Tobias Junghans <[email protected]>
Date: Mon Nov 5 15:52:59 2018 +0100
LibVNCClient: free buffers in rfbClientCleanup()
Buffers allocated by encoding handlers have to be freed as well.
diff --git a/libvncclient/vncviewer.c b/libvncclient/vncviewer.c
index 2a13f0ec..ec1b73a2 100644
--- a/libvncclient/vncviewer.c
+++ b/libvncclient/vncviewer.c
@@ -519,6 +519,12 @@ void rfbClientCleanup(rfbClient* client) {
#endif
#endif
+ if (client->ultra_buffer)
+ free(client->ultra_buffer);
+
+ if (client->raw_buffer)
+ free(client->raw_buffer);
+
FreeTLS(client);
while (client->clientData) {
{code}
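Review bot: the two new `free()` calls in this hunk release `client->ultra_buffer` and `client->raw_buffer` but leave both pointers set, so any embedder that also frees these buffers around `rfbClientCleanup()` (as the quoted guacamole-server `client.c` does with `raw_buffer`) now double-frees; set each pointer to NULL after its `free()` so a repeated pass is harmless, and state the ownership change in the commit message so that callers know to drop their own frees. The `if (client->ultra_buffer)` / `if (client->raw_buffer)` guards are redundant, since `free(NULL)` is a no-op, unless they are kept as the hook for a NULL-after-free convention. Note also that the hunk takes over only `raw_buffer` and `ultra_buffer`; `frameBuffer` and `rcSource`, which the quoted embedder code frees as well, are not touched here.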
> Double-free may occur upon VNC disconnect
> -----------------------------------------
>
> Key: GUACAMOLE-1263
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1263
> Project: Guacamole
> Issue Type: Bug
> Components: VNC
> Reporter: Mike Jumper
> Assignee: Mike Jumper
> Priority: Minor
>
> If building against libvncclient 0.9.12 or newer, a double-free error occurs
> upon VNC disconnect:
> {code:none}
> guacd_1 | guacd[13]: INFO: User "@f4557a45-771a-49c3-a9fd-74f6a3d64ec2" disconnected (0 users remain)
> guacd_1 | guacd[13]: INFO: Last user of connection "$5373b0f7-be98-4941-9d4c-8643cc29b647" disconnected
> guacd_1 | guacd[13]: INFO: Internal VNC client disconnected
> guacd_1 | *** Error in `/opt/glyptodon/sbin/guacd': double free or corruption (out): 0x00007fb698089820 ***
> guacd_1 | ======= Backtrace: =========
> guacd_1 | /lib64/libc.so.6(+0x81299)[0x7fb6afa3a299]
> guacd_1 | /opt/glyptodon/lib64/libvncclient.so.1(rfbClientCleanup+0x5b)[0x7fb6aad4e24b]
> guacd_1 | /opt/glyptodon/lib64/libguac-client-vnc.so(guac_vnc_client_free_handler+0x90)[0x7fb6aaf60800]
> guacd_1 | /opt/glyptodon/lib64/libguac.so.19(guac_client_free+0x32)[0x7fb6b14902a2]
> guacd_1 | /opt/glyptodon/sbin/guacd[0x404375]
> guacd_1 | /lib64/libpthread.so.0(+0x7ea5)[0x7fb6b08b8ea5]
> guacd_1 | /lib64/libc.so.6(clone+0x6d)[0x7fb6afab796d]
> {code}
> From gdb:
> {code:none}
> (gdb) bt
> #0 __GI___libc_free (mem=0x7fbd9806e010) at malloc.c:2941
> #1 0x00007fbd935f524b in rfbClientCleanup (client=client@entry=0x7fbd9f088010) at /usr/src/debug/libvncserver-LibVNCServer-0.9.13/libvncclient/vncviewer.c:527
> #2 0x00007fbd980d7800 in guac_vnc_client_free_handler (client=0x7fbd9400b8a0) at client.c:92
> #3 0x00007fbd9ee062a2 in guac_client_free (client=0x7fbd9400b8a0) at client.c:195
> #4 0x0000000000404375 in guacd_client_free_thread (data=0x7fbd992e6b50) at proc.c:219
> #5 0x00007fbd9e22edd5 in start_thread (arg=0x7fbd899c0700) at pthread_create.c:307
> #6 0x00007fbd9d42dead in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
> (gdb)
> {code}
> Checking {{vncviewer.c}} within libvncclient, the free in question is:
> {code:none}
> if (client->raw_buffer)
> free(client->raw_buffer);
> {code}
> We are indeed freeing this internally, apparently due to old behavior of
> libvncclient. From {{client.c}} within guacamole-server's VNC support:
> {code:none}
> /* Free memory not free'd by libvncclient's rfbClientCleanup() */
> if (rfb_client->frameBuffer != NULL) free(rfb_client->frameBuffer);
> if (rfb_client->raw_buffer != NULL) free(rfb_client->raw_buffer);
> if (rfb_client->rcSource != NULL) free(rfb_client->rcSource);
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
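The ownership hand-off behind this report, reproduced as an added example that is not code from the issue, from libvncclient or from guacamole-server. A constructed `mock_client` stands in for `rfbClient` with only the three buffer fields quoted above; `lib_cleanup_old` and `lib_cleanup_new` mimic `rfbClientCleanup()` before and after commit 597473b (the new one frees `raw_buffer` behind the same `if (client->raw_buffer)` guard as the hunk and leaves the pointer dangling); `app_free_old` is the embedder pattern from the quoted `client.c`, freeing first and then calling the library cleanup, which matches the backtrace placing the fatal free inside `rfbClientCleanup()`. Because a real second `free()` is undefined behaviour, a small ledger (`tracked_free`) records each pointer and counts a repeat instead of executing it, which is roughly the check glibc's "double free or corruption" abort and ASan perform. The hardened `app_free_fixed` is an assumption of this example, not the project's actual fix: it NULLs every pointer it frees so the library's own guard sees nothing to release whichever version is linked.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for libvncclient's rfbClient with only the buffer
 * fields that matter here; it is not the real struct. */
typedef struct {
    char *frameBuffer;
    char *raw_buffer;
    char *rcSource;
} mock_client;

/* A tiny free() ledger: remembers every pointer handed to it and flags a
 * repeat instead of corrupting the heap. */
#define LEDGER_MAX 16
static void *freed_ledger[LEDGER_MAX];
static int freed_count;
static int double_frees;

static void ledger_reset(void) {
    freed_count = 0;
    double_frees = 0;
}

static void tracked_free(void *p) {
    if (p == NULL)
        return;
    for (int i = 0; i < freed_count; i++) {
        if (freed_ledger[i] == p) {
            double_frees++;   /* second free of the same allocation */
            return;           /* skip the real free: it would be UB */
        }
    }
    if (freed_count < LEDGER_MAX)
        freed_ledger[freed_count++] = p;
    free(p);
}

/* Stand-in for rfbClientCleanup() before 0.9.12: raw_buffer is left to
 * the embedding application. */
static void lib_cleanup_old(mock_client *c) {
    (void)c;
}

/* Stand-in for rfbClientCleanup() from 0.9.12 on: the library frees
 * raw_buffer itself, guarded as in the hunk, and leaves the pointer set. */
static void lib_cleanup_new(mock_client *c) {
    if (c->raw_buffer)
        tracked_free(c->raw_buffer);
}

/* The pattern quoted from guacamole-server's client.c: free what the old
 * library did not, then hand the struct to the library's cleanup. */
static void app_free_old(mock_client *c, void (*lib_cleanup)(mock_client *)) {
    if (c->frameBuffer) tracked_free(c->frameBuffer);
    if (c->raw_buffer)  tracked_free(c->raw_buffer);   /* pointer left dangling */
    if (c->rcSource)    tracked_free(c->rcSource);
    lib_cleanup(c);   /* >= 0.9.12 frees raw_buffer a second time */
}

/* Hardened form (an assumption of this example, not the project's fix):
 * NULL every pointer the application frees, so the library's own
 * `if (client->raw_buffer)` guard sees nothing to free. */
static void app_free_fixed(mock_client *c, void (*lib_cleanup)(mock_client *)) {
    if (c->frameBuffer) { tracked_free(c->frameBuffer); c->frameBuffer = NULL; }
    if (c->raw_buffer)  { tracked_free(c->raw_buffer);  c->raw_buffer  = NULL; }
    if (c->rcSource)    { tracked_free(c->rcSource);    c->rcSource    = NULL; }
    lib_cleanup(c);
}

/* Runs one disconnect under the chosen library version and application
 * handler; returns the number of double frees the ledger caught, or -1 if
 * the constructed sample allocations failed. */
static int run_disconnect(int new_library, int fixed_app) {
    ledger_reset();
    mock_client c;
    c.frameBuffer = malloc(64);   /* constructed sample buffers */
    c.raw_buffer  = malloc(64);
    c.rcSource    = malloc(16);
    if (!c.frameBuffer || !c.raw_buffer || !c.rcSource)
        return -1;
    void (*cleanup)(mock_client *) = new_library ? lib_cleanup_new : lib_cleanup_old;
    if (fixed_app)
        app_free_fixed(&c, cleanup);
    else
        app_free_old(&c, cleanup);
    return double_frees;
}

/* Distinct buffers released by the last run_disconnect(); 3 means no leak. */
static int buffers_released(void) {
    return freed_count;
}

int main(void) {
    printf("old lib, old handler:   %d double free(s)\n", run_disconnect(0, 0));
    printf("new lib, old handler:   %d double free(s)\n", run_disconnect(1, 0));
    printf("new lib, fixed handler: %d double free(s)\n", run_disconnect(1, 1));
    int d = run_disconnect(0, 1);
    printf("old lib, fixed handler: %d double free(s), %d buffers released\n",
           d, buffers_released());
    return 0;
}
```

Only the combination of the newer library with the unchanged embedder handler trips the ledger; every combination still releases all three buffers, so the NULL-after-free handler fixes the double free without trading it for a leak on older libraries.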