[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Follow-up Comment #9, bug #21558 (project freeciv): See also bug #20960. ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Update of bug #21558 (project freeciv): Status: Ready For Test = Fixed Open/Closed:Open = Closed ___ Follow-up Comment #8: Apparently it was a player with a custom client that provoked this. ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
URL: http://gna.org/bugs/?21558 Summary: Server crash in improvement_name_translation() called from diplomat_sabotage() Project: Freeciv Submitted by: jtn Submitted on: Wed Jan 29 22:08:57 2014 Category: None Severity: 3 - Normal Priority: 5 - Normal Status: None Assigned to: None Originator Email: Open/Closed: Open Release: between 2.3.2 and 2.3.3, probably Discussion Lock: Any Operating System: None Planned Release: ___ Details: Reported by akfaew in Longturn LT32 game. (Possibly this has happened 4x, but we only have a coredump from the last one.) Server is somewhere between 2.3.2 and 2.3.3 (reports itself as 2.3.2+; this game has been running for half a year now), probably with Longturn patches, but I think it's unlikely to be important. LT32 ruleset (which is close to civ2-3 but with 3x movement, approximately). Segfault in: const char *improvement_name_translation(const struct impr_type *pimprove) { return name_translation(pimprove-name); } Backtrace: #0 improvement_name_translation (pimprove=0x0) at improvement.c:187 #1 0x00467edb in diplomat_sabotage (pplayer=0x7c3d950, pdiplomat=0xe3a4ca0, pcity=0xe7997a0, improvement=199) at diplomats.c:954 #2 0x0046df5d in server_handle_packet (type=optimized out, packet=optimized out, pplayer=0x7fe351d90fe0, pconn=0x8a9d40) at hand_gen.c:247 #3 0x004088d4 in server_packet_input (pconn=0x8336e8, packet=0x7fda, type=84) at srv_main.c:1669 #4 0x004985b5 in incoming_client_packets (pconn=optimized out) at sernet.c:449 #5 server_sniff_all_input () at sernet.c:826 #6 0x0040a5ed in srv_running () at srv_main.c:2293 #7 0x0040b3a1 in srv_main () at srv_main.c:2699 #8 0x00403cc4 in main (argc=15, argv=0x7fff23aaf568) at civserver.c:377 My analysis so far (based on 2.3.3 source code and hoping that's close enough): Improvement ID 199 is not = B_LAST (200) so it goes down the Told which improvement to pick path in diplomat_sabotage() (rather than the pick random target path). But 199 is presumably invalid in this ruleset so improvement_by_number() returns NULL; city_has_building() silently returns FALSE in this case; we try to print Your Spy could not find the %s to sabotage in city; improvement_name_translation() goes kaboom when passed NULL. Clearly the server should be doing better validation on what it receives from the client here. I haven't worked out whether there's a separate bug in any released S2_3 client that can send 199 by mistake. 199 is suspiciously B_LAST-1, which is extra suspicious when you see that there's a random +1/-1 in the value sent over the network; plenty of scope for off-by-one errors. More later, unless someone else gets there first. ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Follow-up Comment #1, bug #21558 (project freeciv): Not found a blindingly obvious way for the client to send this (circa 2.3.3 because that's the source I had to hand), but haven't finished looking thoroughly yet. The pre-2.3.2 SDL client's spy sabotage code was completely infested with stoats (bug #19288); I haven't checked whether it could send 199+1 to the server as a result. (I can't imagine any player seriously using spies would put up with this version of this client, though; there were many issues prior to 2.3.2.) ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Update of bug #21558 (project freeciv): Status:None = Ready For Test Assigned to:None = jtn Planned Release: = 2.3.5,2.4.2,2.5.0,2.6.0 ___ Follow-up Comment #2: Have stared harder at the code for all clients (in detail at head-of-S2_3, in slightly less detail at 2.3.0) and haven't seen a way for them to slip up and send value=200 (improvement=199) over the network. I don't think the old SDL client bug #19288 can cause this. So, how this happened is a mystery to me, unless some LT player has a buggy customised client. Attached an untested patch to make the server robust against this (it does nothing except log an error); I consider this a candidate for 2.3.5/2.4.2, although I haven't checked it applies cleanly yet. (file #19898) ___ Additional Item Attachment: File name: trunk-invalid-sabotage-improvement-server.patch Size:0 KB ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev
[Freeciv-Dev] [bug #21558] Server crash in improvement_name_translation() called from diplomat_sabotage()
Follow-up Comment #3, bug #21558 (project freeciv): (Oh, and the LT32 ruleset has just 60 improvements, assuming I have the right version.) ___ Reply to this item at: http://gna.org/bugs/?21558 ___ Message sent via/by Gna! http://gna.org/ ___ Freeciv-dev mailing list Freeciv-dev@gna.org https://mail.gna.org/listinfo/freeciv-dev