friendlist access (add, delete, ...) causes crashes sometimes #956

Closed
zoff99 opened this issue Jun 27, 2018 · 7 comments

zoff99 commented Jun 27, 2018

Between those 2 lines, `m->friendlist` may point to an old, already freed address:

```c
Friend *newfriendlist = (Friend *)realloc(m->friendlist, num * sizeof(Friend));
if (newfriendlist == nullptr) {
    return -1;
}
m->friendlist = newfriendlist;
```

ToxAV has other threads, so this may be accessed while invalid.

zoff99 (Author) commented Jun 27, 2018

We must rework all these functions to be safe(r):

- `m_delfriend()`
- `init_new_friend()`
- `m_addfriend()`
- `realloc_friendlist()`
- `friend_not_valid()`
- `getfriend_id()`

zoff99 added the bug (Bug fix for the user, not a fix to a build script) and P0 (Critical priority) labels Jun 27, 2018

zoff99 (Author) commented Jun 27, 2018

Access to invalid (already freed) memory can happen here:

```c
if (m->friendlist[friendnumber].status != 0) {
```

and here:

```c
if (m->friendlist[i].status > 0) {
```

and a lot of other places.

hugbubby (Member) commented

Are these exploitable?

zoff99 (Author) commented Jun 28, 2018

Not sure if they are exploitable, but those cause crashes.

#871 #854

zoff99 (Author) commented Jun 28, 2018

This should be fixed soon. It causes (reported) crashes.

zoff99 changed the title from "friendlist (add, delete) causes crashes sometimes" to "friendlist access (add, delete, ...) causes crashes sometimes" Jun 28, 2018
iphydf (Member) commented Jul 6, 2018

I agree these need to be fixed. In the meantime, you can fix them on the client side with mutexes.

iphydf added this to the v0.2.x milestone Jul 16, 2018

zoff99 (Author) commented Aug 13, 2018

@iphydf actually no, because they are used in toxav internally

zoff99 closed this as completed Nov 4, 2018
robinlinden modified the milestones: v0.2.x, v0.2.9 Jan 3, 2019
iphydf added P3 Low priority and removed P3 Low priority labels Feb 4, 2022
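
An added example, not part of the thread and not toxcore's code: one way to keep the `realloc` and the `status` reads quoted above from racing is to hold a lock inside the list functions themselves, which also covers internal callers such as the toxav threads mentioned in the thread. `FriendTable` and the `table_*` functions are hypothetical names, and `Friend` is reduced to its `status` field.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for toxcore's Friend and Messenger; lock guards both other fields. */
typedef struct { uint8_t status; } Friend;
typedef struct { pthread_mutex_t lock; Friend *friendlist; uint32_t numfriends; } FriendTable;

void table_init(FriendTable *t) {
    memset(t, 0, sizeof *t);
    pthread_mutex_init(&t->lock, NULL);
}

/* Resize with the lock held: no reader runs while realloc() may be freeing the old block. */
int table_resize(FriendTable *t, uint32_t num) {
    int rc = 0;
    Friend *n;
    pthread_mutex_lock(&t->lock);
    if (num == 0) {
        free(t->friendlist);
        t->friendlist = NULL;
        t->numfriends = 0;
    } else if ((n = (Friend *)realloc(t->friendlist, (size_t)num * sizeof(Friend))) == NULL) {
        rc = -1;                       /* old block is untouched and stays published */
    } else {
        if (num > t->numfriends)       /* zero the new slots: status 0 means "no friend" */
            memset(n + t->numfriends, 0, (size_t)(num - t->numfriends) * sizeof(Friend));
        t->friendlist = n;
        t->numfriends = num;
    }
    pthread_mutex_unlock(&t->lock);
    return rc;
}

/* Readers bounds-check and copy the value out under the lock; no pointer into the array escapes. */
int table_get_status(FriendTable *t, uint32_t friendnumber) {
    int status = -1;
    pthread_mutex_lock(&t->lock);
    if (friendnumber < t->numfriends) status = t->friendlist[friendnumber].status;
    pthread_mutex_unlock(&t->lock);
    return status;
}

int table_set_status(FriendTable *t, uint32_t friendnumber, uint8_t status) {
    pthread_mutex_lock(&t->lock);
    int ok = friendnumber < t->numfriends;
    if (ok) t->friendlist[friendnumber].status = status;
    pthread_mutex_unlock(&t->lock);
    return ok ? 0 : -1;
}
```

The accessors return values rather than `Friend *` pointers, because a pointer handed out before a resize would dangle after it even with the lock in place.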