Mike Jumper created GUACAMOLE-979:
-------------------------------------

             Summary: RemoteApp settings memory may be double-freed
                 Key: GUACAMOLE-979
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-979
             Project: Guacamole
          Issue Type: Bug
          Components: RDP
    Affects Versions: 1.1.0
            Reporter: Mike Jumper


As of 1.1.0, a double-free may occur during cleanup of an RDP connection if 
RemoteApp was used:

{code:none}
guacd[6]: INFO: Guacamole proxy daemon (guacd) version 1.1.0 started
guacd[6]: INFO: Listening on host 0.0.0.0, port 4822
guacd[6]: INFO: Creating new client for protocol "rdp"
guacd[6]: INFO: Connection ID is "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6"
guacd[254]: INFO:       Security mode: NLA
guacd[254]: INFO:       Resize method: none
guacd[254]: INFO:       User "@c2acad05-7635-4de6-8741-661c65cce4a0" joined connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" (1 users now present)
guacd[254]: INFO:       Loading keymap "base"
guacd[254]: INFO:       Loading keymap "en-us-qwerty"
guacd[254]: INFO:       Connected to RDPDR 1.13 as client 0x0008
guacd[254]: INFO:       Connected to RDPDR 1.13 as client 0x0007
guacd[254]: INFO:       RDPDR user logged on
guacd[254]: INFO:       RDP server closed connection: Manually disconnected.
guacd[254]: INFO:       User "@c2acad05-7635-4de6-8741-661c65cce4a0" disconnected (0 users remain)
guacd[254]: INFO:       Last user of connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" disconnected
guacd[254]: INFO:       Internal RDP client disconnected
double free or corruption (fasttop)
guacd[6]: INFO: Connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" removed.
{code}

The double-free occurs within {{guac_rdp_settings_free()}}:

{code:none}
Thread 2.15 "guacd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fbcfbfff700 (LWP 556)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
...
#5  0x00007fbd005a60bd in guac_rdp_settings_free (settings=0x7fbcf400d200)
    at settings.c:1018
#6  0x00007fbd005a056d in guac_rdp_client_free_handler (client=<optimized out>)
    at client.c:179
#7  0x00007fbd029f5442 in guac_client_free (client=0x7fbcfc00b2f0)
    at client.c:195
#8  0x000055b87847e5c5 in guacd_client_free_thread (data=0x7fbd00dcac40)
    at proc.c:219
#9  0x00007fbd02606fa3 in start_thread (arg=<optimized out>)
    at pthread_create.c:486
#10 0x00007fbd01f434cf in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) 
{code}

The relevant line is where {{settings->remote_app}} is being freed:

{code:c}
    /* Free settings strings */
...
    free(settings->remote_app); // <--- Line 1018
    free(settings->remote_app_args);
    free(settings->remote_app_dir);
{code}

It appears that the RAIL channel implementation within FreeRDP 2.0.0 now 
automatically frees these strings, resulting in a double-free when we attempt 
to do the same.
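The ownership problem behind this report in miniature, as an added example that is not code from the issue, from Guacamole or from FreeRDP: a stand-in settings struct whose RemoteApp strings are handed to a stand-in library cleanup that frees them, with the two ways of keeping exactly one owner (copy on handoff, or clear the duplicate pointers before cleanup). All struct, field and function names, and the sample strings, are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the two settings structs (constructed for this example, not
 * Guacamole's or FreeRDP's real types). */
typedef struct { char* remote_app; char* remote_app_args; char* remote_app_dir; } guac_settings;
typedef struct { char* program; char* cmdline; char* workdir; } rail_settings;

/* Models a library-side cleanup that now frees the strings it was handed. */
static void rail_settings_free(rail_settings* r) {
    free(r->program); free(r->cmdline); free(r->workdir);
}

/* Mirrors the cleanup quoted from settings.c: frees the three RemoteApp strings. */
static void guac_settings_free(guac_settings* g) {
    free(g->remote_app); free(g->remote_app_args); free(g->remote_app_dir);
}

/* Hand the strings to the library. copy=0 aliases the caller's buffers (the
 * defect pattern); copy=1 gives the library its own strdup'd copies. */
static void handoff(const guac_settings* g, rail_settings* r, int copy) {
    r->program = copy ? strdup(g->remote_app)      : g->remote_app;
    r->cmdline = copy ? strdup(g->remote_app_args) : g->remote_app_args;
    r->workdir = copy ? strdup(g->remote_app_dir)  : g->remote_app_dir;
}

/* 1 if any heap block is referenced by both sides, i.e. the two cleanups
 * would free it twice. */
static int shares_ownership(const guac_settings* g, const rail_settings* r) {
    return g->remote_app == r->program || g->remote_app_args == r->cmdline
        || g->remote_app_dir == r->workdir;
}

/* Runs one connect/cleanup cycle and returns whether a double-free was pending.
 * When it was, the library-side pointers are cleared before cleanup so the demo
 * stays well-defined; that is the other valid fix besides copying. */
int run_cycle(int copy) {
    guac_settings g = { strdup("||notepad"), strdup("C:\\readme.txt"), strdup("C:\\") };
    rail_settings r = { NULL, NULL, NULL };
    handoff(&g, &r, copy);
    int pending = shares_ownership(&g, &r);
    if (pending) r.program = r.cmdline = r.workdir = NULL;
    rail_settings_free(&r);   /* library cleanup */
    guac_settings_free(&g);   /* guac_rdp_settings_free() equivalent */
    return pending;
}
```

`run_cycle(0)` reports the aliased handoff that would abort with "double free or corruption" if both cleanups ran unchanged; `run_cycle(1)` shows that copying on handoff leaves nothing shared.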


