Opened 10 years ago

Closed 10 years ago

#4473 closed Bug (fixed)

transmission-daemon crashes on web request with authentication (malformed ssha1)

Reported by: Volfram
Owned by: jordan
Priority: Normal
Milestone: 2.40
Component: libtransmission
Version: 2.33
Severity: Normal
Keywords: core daemon web
Cc:

Description (last modified by jordan)

OS: Arch Linux x64

First request to the web interface ( 192.168.0.1:9091 in my case ) results in a silent crash. Core dump attached.

[root@dicebot mist]# transmission-daemon --log-error --log-info --log-debug -g /root/.config/transmission-daemon/ -f
[06:04:15.456] Transmission 2.33 (12565) started (session.c:704)
[06:04:15.456] Couldn't read "/root/.config/transmission-daemon//stats.json": No such file or directory (utils.c:443)
[06:04:15.456] Couldn't read "/root/.config/transmission-daemon//stats.benc": No such file or directory (utils.c:443)
[06:04:15.457] Cache Maximum cache size set to 4.00 MiB (256 blocks) (cache.c:258)
[06:04:15.457] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:805)
[06:04:15.457] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:999)
[06:04:15.457] RPC Server Password required (rpc-server.c:1006)
[06:04:15.457] Bound socket 11 to port 51413 on 0.0.0.0 (net.c:373)
[06:04:15.457] Bound socket 12 to port 51413 on :: (net.c:373)
[06:04:15.457] Port Forwarding Stopped (port-forwarding.c:181)
[06:04:15.457] DHT Initializing DHT (tr-dht.c:276)
[06:04:15.457] Couldn't read "/root/.config/transmission-daemon//dht.dat": No such file or directory (utils.c:443)
[06:04:15.457] DHT Generating new id (tr-dht.c:309)
[06:04:15.457] DHT DHT initialized (tr-dht.c:330)
[06:04:15.457] Using settings from "/root/.config/transmission-daemon/" (daemon.c:488)
[06:04:15.457] Saved "/root/.config/transmission-daemon/settings.json" (bencode.c:1721)
[06:04:15.457] transmission-daemon requiring authentication (daemon.c:508)
Segmentation fault (core dumped)

Change History (9)

comment:1 Changed 10 years ago by jordan

  • Description modified (diff)

comment:2 Changed 10 years ago by jordan

When you attach the core dump, please use gdb to pull a backtrace from it.

comment:3 Changed 10 years ago by Volfram

http://dicebot.lv/transmission-core

Program terminated with signal 11, Segmentation fault.
#0  0x00007fdc04a92f43 in memcpy () from /lib/libc.so.6
(gdb) btg
Undefined command: "btg".  Try "help".
(gdb) bt
#0  0x00007fdc04a92f43 in memcpy () from /lib/libc.so.6
#1  0x000000000042af9e in ?? ()
#2  0x00000000004399ca in ?? ()
#3  0x00007fdc057e8ba5 in ?? () from /usr/lib/libevent-2.0.so.5
#4  0x00007fdc057e7cd1 in ?? () from /usr/lib/libevent-2.0.so.5
#5  0x00007fdc057d819d in ?? () from /usr/lib/libevent-2.0.so.5
#6  0x00007fdc057cc5cc in event_base_loop () from /usr/lib/libevent-2.0.so.5
#7  0x000000000041de40 in ?? ()
#8  0x000000000040f75a in ?? ()
#9  0x00007fdc04d75d60 in start_thread () from /lib/libpthread.so.0
#10 0x00007fdc04ae125d in clone () from /lib/libc.so.6
#11 0x0000000000000000 in ?? ()

comment:4 Changed 10 years ago by Volfram

Same for svn revision 12882. Stack trace with debug symbols:

Core was generated by `./daemon/transmission-daemon -f --log-info --log-debug'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fa860ed7f83 in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0x00007fa860ed7f83 in memcpy () from /lib/libc.so.6
#1  0x000000000043f351 in tr_ssha1_matches (source=0x1737930 "{64dd664ea8ebc0b1f5202458b89afd1b}", pass=0x7fa858002ba8 "slowpoke12") at crypto.c:384
#2  0x0000000000455dca in handle_request (req=0x7fa858002930, arg=0x1737510) at rpc-server.c:621
#3  0x00007fa861c29ba5 in ?? () from /usr/lib/libevent-2.0.so.5
#4  0x00007fa861c28cd1 in ?? () from /usr/lib/libevent-2.0.so.5
#5  0x00007fa861c1919d in ?? () from /usr/lib/libevent-2.0.so.5
#6  0x00007fa861c0d5cc in event_base_loop () from /usr/lib/libevent-2.0.so.5
#7  0x000000000042be81 in libeventThreadFunc (veh=0x1734b80) at trevent.c:248
#8  0x0000000000414449 in ThreadFunc (_t=0x1734c00) at platform.c:118
#9  0x00007fa8611bada0 in start_thread () from /lib/libpthread.so.0
#10 0x00007fa860f267dd in clone () from /lib/libc.so.6
#11 0x0000000000000000 in ?? ()

Started code exploration.

comment:5 Changed 10 years ago by Volfram

Ok, found it:

//crypto.c
382     saltlen = strlen( source ) - 2*SHA_DIGEST_LENGTH-1;

Should be something like

382     saltlen = strlen( source );
383     if (saltlen < 2*SHA_DIGEST_LENGTH+1)   /* shorter than '{' + 40 hex digits: subtraction below would wrap */
384         return false;
385     else
386         saltlen = saltlen - 2*SHA_DIGEST_LENGTH-1;

Unsigned integer overflow happens now in case of wrong password hash.
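
The underflow described in this comment, as an added illustration that is not Transmission's own code: the constants and the '{' + 40 hex digits + salt layout are assumed from the ticket, and `saltlen_unchecked` reproduces only the size_t arithmetic from crypto.c:382 (nothing is copied), next to a checked variant that rejects a too-short stored value before subtracting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, mirroring what the ticket implies about crypto.c: a stored
 * hash is '{' + 40 hex digits (2 * SHA_DIGEST_LENGTH) followed by the salt.
 * The salt is whatever remains after byte 41. */
#define SHA_DIGEST_LENGTH 20
#define SSHA1_SALT_OFFSET (1 + 2 * SHA_DIGEST_LENGTH)   /* 41 */

/* The arithmetic quoted in comment:5. strlen() is size_t, so for any source
 * shorter than 41 bytes the result wraps to a value near SIZE_MAX; the
 * memcpy in the backtrace then reads far past the string. Only the length is
 * computed here, nothing is copied. */
size_t saltlen_unchecked(const char *source)
{
    return strlen(source) - 2 * SHA_DIGEST_LENGTH - 1;
}

/* Hardened form: validate the shape of the stored value before any
 * subtraction, so a hand-edited or truncated settings.json entry is reported
 * as "no match" instead of crashing the daemon. */
bool extract_salt(const char *source, const char **salt, size_t *saltlen)
{
    size_t len = strlen(source);
    if (source[0] != '{' || len < SSHA1_SALT_OFFSET)
        return false;                       /* not an ssha1 string */
    *salt = source + SSHA1_SALT_OFFSET;
    *saltlen = len - SSHA1_SALT_OFFSET;     /* cannot underflow now */
    return true;
}

int main(void)
{
    /* The stored value from the comment:4 backtrace: 32 hex digits, not 40. */
    const char *bad = "{64dd664ea8ebc0b1f5202458b89afd1b}";
    const char *salt;
    size_t n;
    printf("unchecked saltlen = %zu\n", saltlen_unchecked(bad));
    printf("extract_salt(bad) = %s\n",
           extract_salt(bad, &salt, &n) ? "ok" : "rejected");
    return 0;
}
```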

comment:6 Changed 10 years ago by Volfram

  • Component changed from Daemon to libtransmission
  • Owner set to jordan
  • Summary changed from transmission-daemon crashes on web request to transmission-daemon crashes on web request with authentication (malformed ssha1)
  • Version changed from 2.33 to 2.33+

comment:7 Changed 10 years ago by jordan

  • Milestone changed from None Set to 2.40
  • Status changed from new to assigned
  • Version changed from 2.33+ to 2.33

Yes, you're right about the underflow. Thanks Volfram!

r12884

comment:8 Changed 10 years ago by jordan

bah. r12885 :)

comment:9 Changed 10 years ago by jordan

  • Resolution set to fixed
  • Status changed from assigned to closed