Hi,

I had some random crashes using the xmlsec library for signature, so I did a test with valgrind that reported an invalid read (see attached valgrind output). You can see that it happens in the 'xmlXPathFreeNodeSet' function that is called in 'xmlSecNodeSetDestroy'.

After some investigation, I found out that it is related to the use of an XPath transformation that builds a list of 'xmlSecNodeSetPtr' in the 'xmlSecXPathDataListExecute' function. In that function a new 'xmlSecNodeSetPtr' is added at the end of the list, containing the nodes to be signed according to the XPath expression. Unfortunately, the first 'xmlSecNodeSetPtr' of that list has the 'destroyDoc' boolean set to 1, which tells the 'xmlSecNodeSetDestroy' function to release the whole document, and when the next 'xmlSecNodeSetPtr' of the list is destroyed it tries to release the nodes resulting from the XPath expression, but they don't exist anymore because the document they belong to has been released just before.

To solve the problem I set the 'destroyDoc' of the first element to 0, and put it to 1 on the last element of the list, so that the document is only released at the very end. Actually, I simply added the following code at the end of the 'xmlSecXPathDataListExecute' function, just before the return instruction.

...
   if (res->destroyDoc) {
     /* force the releasing of the document at the end of the list,
      * otherwise xmlSecNodeSetDestroy can crash because it will release
      * the doc in the first node set but the following ones have
      * references to this document too
      */
     res->destroyDoc = 0;
     res->prev->destroyDoc = 1;
   }

   return(res);
...

I don't know if it is correct to do so or if there are some side effects but it seems to fix my issue.

Regards,
Frank

--
Frank GROSS
Software Engineer - Web Services
Four J's Development Tools - http://www.4js.com

<?xml version="1.0"?>

<valgrindoutput>

<protocolversion>2</protocolversion>

<preamble>
  <line>Memcheck, a memory error detector.</line>
  <line>Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.</line>
  <line>Using LibVEX rev 1854, a library for dynamic binary translation.</line>
  <line>Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.</line>
  <line>Using valgrind-3.3.1, a dynamic binary instrumentation framework.</line>
  <line>Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.</line>
</preamble>

<pid>30095</pid>
<ppid>30037</ppid>
<tool>memcheck</tool>

<args>
  <vargv>
    <exe>/home/local/tools/32bits/valgrind/3.3.1/bin/valgrind</exe>
    <arg>--xml=yes</arg>
    <arg>--log-file=val.xml</arg>
    <arg>--leak-check=full</arg>
    <arg>--leak-resolution=high</arg>
  </vargv>
  <argv>
    <exe>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/fglrun-bin</exe>
    <arg>-M</arg>
    <arg>Signature_XPathFilterTransform</arg>
  </argv>
</args>

<status>
  <state>RUNNING</state>
  <time>00:00:00:00.027</time>
</status>

<error>
  <unique>0x34</unique>
  <tid>1</tid>
  <kind>InvalidRead</kind>
  <what>Invalid read of size 4</what>
  <stack>
    <frame>
      <ip>0x4BAAD7B</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxml2.so.2.7.2</obj>
      <fn>xmlXPathFreeNodeSet</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-xmlsoft-libxml2/src</dir>
      <file>xpath.c</file>
      <line>4081</line>
    </frame>
    <frame>
      <ip>0x4E8855A</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecNodeSetDestroy</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>nodeset.c</file>
      <line>94</line>
    </frame>
    <frame>
      <ip>0x4E96209</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecTransformDestroy</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>transforms.c</file>
      <line>1465</line>
    </frame>
    <frame>
      <ip>0x4E92E52</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecTransformCtxReset</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>transforms.c</file>
      <line>440</line>
    </frame>
    <frame>
      <ip>0x4E92D4D</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecTransformCtxFinalize</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>transforms.c</file>
      <line>407</line>
    </frame>
    <frame>
      <ip>0x4E9EFF5</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecDSigReferenceCtxFinalize</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>xmldsig.c</file>
      <line>1362</line>
    </frame>
    <frame>
      <ip>0x4E9EDB9</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecDSigReferenceCtxDestroy</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>xmldsig.c</file>
      <line>1290</line>
    </frame>
    <frame>
      <ip>0x4E86814</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecPtrListEmpty</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>list.c</file>
      <line>152</line>
    </frame>
    <frame>
      <ip>0x4E86709</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecPtrListFinalize</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>list.c</file>
      <line>132</line>
    </frame>
    <frame>
      <ip>0x4E9BD0D</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecDSigCtxFinalize</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>xmldsig.c</file>
      <line>185</line>
    </frame>
    <frame>
      <ip>0x4E9BA66</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecDSigCtxDestroy</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>xmldsig.c</file>
      <line>103</line>
    </frame>
    <frame>
      <ip>0x49E18F6</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libfglxml.so</obj>
      <fn>fglXmlSignatureCompute</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-fjs-xml/src</dir>
      <file>FglXmlSecApi.c</file>
      <line>2822</line>
    </frame>
  </stack>
  <auxwhat>Address 0x438f674 is 36 bytes inside a block of size 92 free'd</auxwhat>
  <stack>
    <frame>
      <ip>0x401B62D</ip>
      <obj>/home/local/tools/32bits/valgrind/3.3.1/lib/valgrind/x86-linux/vgpreload_memcheck.so</obj>
      <fn>free</fn>
      <dir>/root/tmp/valgrind-3.3.1/coregrind/m_replacemalloc</dir>
      <file>vg_replace_malloc.c</file>
      <line>323</line>
    </frame>
    <frame>
      <ip>0x4B8E1F4</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxml2.so.2.7.2</obj>
      <fn>xmlMemFree</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-xmlsoft-libxml2/src</dir>
      <file>xmlmemory.c</file>
      <line>450</line>
    </frame>
    <frame>
      <ip>0x4B7ED6B</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxml2.so.2.7.2</obj>
      <fn>xmlFreeNodeList</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-xmlsoft-libxml2/src</dir>
      <file>tree.c</file>
      <line>3434</line>
    </frame>
    <frame>
      <ip>0x4B7EC23</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxml2.so.2.7.2</obj>
      <fn>xmlFreeNodeList</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-xmlsoft-libxml2/src</dir>
      <file>tree.c</file>
      <line>3405</line>
    </frame>
    <frame>
      <ip>0x4B7B89A</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxml2.so.2.7.2</obj>
      <fn>xmlFreeDoc</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-xmlsoft-libxml2/src</dir>
      <file>tree.c</file>
      <line>1223</line>
    </frame>
    <frame>
      <ip>0x4E88597</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecNodeSetDestroy</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>nodeset.c</file>
      <line>100</line>
    </frame>
    <frame>
      <ip>0x4E96209</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecTransformDestroy</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>transforms.c</file>
      <line>1465</line>
    </frame>
    <frame>
      <ip>0x4E92E52</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecTransformCtxReset</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>transforms.c</file>
      <line>440</line>
    </frame>
    <frame>
      <ip>0x4E92D4D</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecTransformCtxFinalize</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>transforms.c</file>
      <line>407</line>
    </frame>
    <frame>
      <ip>0x4E9EFF5</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecDSigReferenceCtxFinalize</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>xmldsig.c</file>
      <line>1362</line>
    </frame>
    <frame>
      <ip>0x4E9EDB9</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecDSigReferenceCtxDestroy</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>xmldsig.c</file>
      <line>1290</line>
    </frame>
    <frame>
      <ip>0x4E86814</ip>
      <obj>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/qa-deploy/fjs-fglgws-2.21.01-build1539_gws81796-lnxlc23/lib/libxmlsec1.so.1.2.11</obj>
      <fn>xmlSecPtrListEmpty</fn>
      <dir>/home/comp/prod/fgl/gws/gws-nightly-20100105-193501/ports/LNX-LC23/lib-aleksey-xmlsec1/src/src</dir>
      <file>list.c</file>
      <line>152</line>
    </frame>
  </stack>
</error>

<errorcounts>
  <pair>
    <count>6</count>
    <unique>0x34</unique>
  </pair>
</errorcounts>

<status>
  <state>FINISHED</state>
  <time>00:00:00:02.642</time>
</status>

<suppcounts>
  <pair>
    <count>32</count>
    <name>Ugly strchr error in /lib/ld-2.3.2.so</name>
  </pair>
  <pair>
    <count>20</count>
    <name>Ubuntu-stripped-ld.so</name>
  </pair>
</suppcounts>

</valgrindoutput>

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
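
The teardown-order problem described in the message above, as an added example that is not xmlsec code and not part of the original post: a simplified model in which every type and function name (`Doc`, `Set`, `set_add`, `set_destroy_all`, `run`) is hypothetical. It generalizes from two node sets to any number and counts how many sets are torn down after the shared document was already released, with and without moving ownership to the tail of the list.

```c
#include <stdlib.h>

/* Simplified model with hypothetical names; this is not xmlsec code. */
typedef struct Doc { int alive; } Doc;
typedef struct Set {
    Doc *doc;                 /* document whose nodes this set references */
    int destroyDoc;           /* 1: destroying this set releases doc */
    struct Set *next, *prev;  /* circular list: head->prev is the tail */
} Set;

static Set *set_add(Set *head, Doc *doc, int destroyDoc) {
    Set *s = malloc(sizeof *s);
    if (s == NULL) abort();
    s->doc = doc; s->destroyDoc = destroyDoc;
    if (head == NULL) { s->next = s->prev = s; return s; }
    s->next = head; s->prev = head->prev;
    head->prev->next = s; head->prev = s;
    return head;
}

/* Walk head to tail like a list destructor. Returns how many sets were torn
 * down after their document was released; each would be an invalid read. */
static int set_destroy_all(Set *head) {
    int stale = 0;
    Doc *released = NULL;
    Set *s = head, *next;
    head->prev->next = NULL;              /* break the ring */
    for (; s != NULL; s = next) {
        next = s->next;
        if (!s->doc->alive) stale++;      /* real code would touch freed nodes */
        if (s->destroyDoc) { s->doc->alive = 0; released = s->doc; }
        free(s);
    }
    free(released);       /* the model frees last so 'alive' stays readable */
    return stale;
}

/* Build nsets (>= 1) sets over one doc, owned by the head; optionally move
 * ownership to the tail first. Returns the stale teardown count. */
int run(int nsets, int move_owner_to_tail) {
    Doc *doc = malloc(sizeof *doc);
    Set *head = NULL;
    if (doc == NULL) abort();
    doc->alive = 1;
    for (int i = 0; i < nsets; i++) head = set_add(head, doc, i == 0);
    if (move_owner_to_tail && head->destroyDoc) { head->destroyDoc = 0; head->prev->destroyDoc = 1; }
    return set_destroy_all(head);
}
```

In the model the document's memory is only freed after the walk, so the stale accesses can be counted safely; in real code each counted access is a read of freed memory like the one in the valgrind report.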
