[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Follow-up Comment #9, bug #21558 (project freeciv): See also bug #20960. ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Update of bug #21558 (project freeciv): Status: Ready For Test = Fixed Open/Closed:Open = Closed ___ Follow-up Comment #8: Apparently it was a player with a custom client that provoked this. ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
URL:
http://gna.org/bugs/?21558
Summary: Server crash in improvement_name_translation()
called from diplomat_sabotage()
Project: Freeciv
Submitted by: jtn
Submitted on: Wed Jan 29 22:08:57 2014
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Assigned to: None
Originator Email:
Open/Closed: Open
Release: between 2.3.2 and 2.3.3, probably
Discussion Lock: Any
Operating System: None
Planned Release:
___
Details:
Reported by akfaew in Longturn LT32 game. (Possibly this has happened 4x, but
we only have a coredump from the last one.)
Server is somewhere between 2.3.2 and 2.3.3 (reports itself as 2.3.2+; this
game has been running for half a year now), probably with Longturn patches,
but I think it's unlikely to be important. LT32 ruleset (which is close to
civ2-3 but with 3x movement, approximately).
Segfault in:
const char *improvement_name_translation(const struct impr_type *pimprove)
{
return name_translation(pimprove-name);
}
Backtrace:
#0 improvement_name_translation (pimprove=0x0) at improvement.c:187
#1 0x00467edb in diplomat_sabotage (pplayer=0x7c3d950,
pdiplomat=0xe3a4ca0, pcity=0xe7997a0, improvement=199) at diplomats.c:954
#2 0x0046df5d in server_handle_packet (type=optimized out,
packet=optimized out, pplayer=0x7fe351d90fe0, pconn=0x8a9d40) at
hand_gen.c:247
#3 0x004088d4 in server_packet_input (pconn=0x8336e8,
packet=0x7fda, type=84) at srv_main.c:1669
#4 0x004985b5 in incoming_client_packets (pconn=optimized out) at
sernet.c:449
#5 server_sniff_all_input () at sernet.c:826
#6 0x0040a5ed in srv_running () at srv_main.c:2293
#7 0x0040b3a1 in srv_main () at srv_main.c:2699
#8 0x00403cc4 in main (argc=15, argv=0x7fff23aaf568) at
civserver.c:377
My analysis so far (based on 2.3.3 source code and hoping that's close
enough):
Improvement ID 199 is not = B_LAST (200) so it goes down the Told which
improvement to pick path in diplomat_sabotage() (rather than the pick random
target path). But 199 is presumably invalid in this ruleset so
improvement_by_number() returns NULL; city_has_building() silently returns
FALSE in this case; we try to print Your Spy could not find the %s to
sabotage in city; improvement_name_translation() goes kaboom when passed
NULL.
Clearly the server should be doing better validation on what it receives from
the client here. I haven't worked out whether there's a separate bug in any
released S2_3 client that can send 199 by mistake.
199 is suspiciously B_LAST-1, which is extra suspicious when you see that
there's a random +1/-1 in the value sent over the network; plenty of scope for
off-by-one errors.
More later, unless someone else gets there first.
___
Reply to this item at:
http://gna.org/bugs/?21558
___
Message sent via/by Gna!
http://gna.org/
___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Follow-up Comment #1, bug #21558 (project freeciv): Not found a blindingly obvious way for the client to send this (circa 2.3.3 because that's the source I had to hand), but haven't finished looking thoroughly yet. The pre-2.3.2 SDL client's spy sabotage code was completely infested with stoats (bug #19288); I haven't checked whether it could send 199+1 to the server as a result. (I can't imagine any player seriously using spies would put up with this version of this client, though; there were many issues prior to 2.3.2.) ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Update of bug #21558 (project freeciv): Status:None = Ready For Test Assigned to:None = jtn Planned Release: = 2.3.5,2.4.2,2.5.0,2.6.0 ___ Follow-up Comment #2: Have stared harder at the code for all clients (in detail at head-of-S2_3, in slightly less detail at 2.3.0) and haven't seen a way for them to slip up and send value=200 (improvement=199) over the network. I don't think the old SDL client bug #19288 can cause this. So, how this happened is a mystery to me, unless some LT player has a buggy customised client. Attached an untested patch to make the server robust against this (it does nothing except log an error); I consider this a candidate for 2.3.5/2.4.2, although I haven't checked it applies cleanly yet. (file #19898) ___ Additional Item Attachment: File name: trunk-invalid-sabotage-improvement-server.patch Size:0 KB ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Follow-up Comment #3, bug #21558 (project freeciv): (Oh, and the LT32 ruleset has just 60 improvements, assuming I have the right version.) ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
