Bug 29881 - Error handling improvements in DBus core and DBus X11 launch
Summary: Error handling improvements in DBus core and DBus X11 launch
Status: RESOLVED FIXED
Alias: None
Product: dbus
Classification: Unclassified
Component: core (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Simon McVittie
QA Contact: John (J5) Palmieri
URL: http://git.collabora.co.uk/?p=user/sm...
Whiteboard: review+
Keywords: patch
Depends on:
Blocks: dbus-1.5
  Show dependency treegraph
 
Reported: 2010-08-30 03:41 UTC by Kristian Rietveld
Modified: 2011-11-02 10:04 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:


Attachments
Handle failure to allocate error message in _read_subprocess_line_argv (957 bytes, patch)
2010-08-30 03:43 UTC, Kristian Rietveld
Details | Splinter Review
Check return value of XGetWindowProperty in x11_get_address (2.18 KB, patch)
2010-08-30 03:43 UTC, Kristian Rietveld
Details | Splinter Review
Handle failure to hex encode in handle_server_data_anonymous_mech (1.51 KB, patch)
2010-08-30 03:44 UTC, Kristian Rietveld
Details | Splinter Review
Verify that getsockname succeeded in _dbus_listen_tcp_socket (1.58 KB, patch)
2010-08-30 03:44 UTC, Kristian Rietveld
Details | Splinter Review
Handle failure to allocate error message in _read_subprocess_line_argv #2 (877 bytes, patch)
2010-09-21 05:19 UTC, Christian Dywan
Details | Splinter Review
Verify that getsockname succeeded in _dbus_listen_tcp_socket #2 (1.59 KB, patch)
2010-09-21 05:30 UTC, Christian Dywan
Details | Splinter Review
Free session file early in dbus-launch (545 bytes, patch)
2010-09-23 09:21 UTC, Christian Dywan
Details | Splinter Review
Free listen_fd in the error case (509 bytes, patch)
2010-09-23 09:22 UTC, Christian Dywan
Details | Splinter Review
Free envvar and argv in dbus-launch if OOM (564 bytes, patch)
2010-09-23 09:23 UTC, Christian Dywan
Details | Splinter Review
Handle failure to hex encode in handle_server_data_anonymous_mech #2 (1.56 KB, patch)
2010-10-20 07:53 UTC, Christian Dywan
Details | Splinter Review
dbus-launch: pass_info: always free strings on OOM (1.63 KB, patch)
2011-01-18 08:39 UTC, Simon McVittie
Details | Splinter Review
handle_server_data_anonymous_mech: remove unnecessary debug output (1.60 KB, patch)
2011-01-18 08:41 UTC, Simon McVittie
Details | Splinter Review
_dbus_listen_tcp_socket: avoid leaking listen_fd in unlikely circumstances (1.45 KB, patch)
2011-02-03 10:04 UTC, Simon McVittie
Details | Splinter Review

Description Kristian Rietveld 2010-08-30 03:41:37 UTC
Patches courtesy of Christian Dywan (on CC).  The patches should
apply cleanly to git master (tested).
Comment 1 Kristian Rietveld 2010-08-30 03:43:00 UTC
Created attachment 38279 [details] [review]
Handle failure to allocate error message in _read_subprocess_line_argv
Comment 2 Kristian Rietveld 2010-08-30 03:43:33 UTC
Created attachment 38280 [details] [review]
Check return value of XGetWindowProperty in x11_get_address
Comment 3 Kristian Rietveld 2010-08-30 03:44:01 UTC
Created attachment 38281 [details] [review]
Handle failure to hex encode in handle_server_data_anonymous_mech
Comment 4 Kristian Rietveld 2010-08-30 03:44:39 UTC
Created attachment 38282 [details] [review]
Verify that getsockname succeeded in _dbus_listen_tcp_socket
Comment 5 Thiago Macieira 2010-08-30 05:07:02 UTC
Review of attachment 38279 [details] [review]:

Can you report an OOM situation instead of saying that spawning failed?
Comment 6 Thiago Macieira 2010-08-30 05:08:45 UTC
Review of attachment 38280 [details] [review]:

Agreed.
Comment 7 Thiago Macieira 2010-08-30 05:11:27 UTC
Review of attachment 38281 [details] [review]:

Agreed.
Comment 8 Thiago Macieira 2010-08-30 05:12:15 UTC
Review of attachment 38282 [details] [review]:

Agreed, but check that result == -1.
Comment 9 Christian Dywan 2010-09-21 05:19:29 UTC
Created attachment 38840 [details] [review]
Handle failure to allocate error message in _read_subprocess_line_argv #2

(In reply to comment #5)
> Review of attachment 38279 [details] [review]:
> 
> Can you report an OOM situation instead of saying that spawning failed?

Updated.
Comment 10 Christian Dywan 2010-09-21 05:30:11 UTC
Created attachment 38841 [details] [review]
Verify that getsockname succeeded in _dbus_listen_tcp_socket #2

(In reply to comment #8)
> Review of attachment 38282 [details] [review]:
> 
> Agreed, but check that result == -1.

Indeed, gotta be careful not to confuse error codes of the two functions. Updated.
Comment 11 Christian Dywan 2010-09-23 09:21:25 UTC
Created attachment 38906 [details] [review]
Free session file early in dbus-launch
Comment 12 Christian Dywan 2010-09-23 09:22:24 UTC
Created attachment 38907 [details] [review]
Free listen_fd in the error case
Comment 13 Christian Dywan 2010-09-23 09:23:15 UTC
Created attachment 38908 [details] [review]
Free envvar and argv in dbus-launch if OOM
Comment 14 Will Thompson 2010-10-05 07:31:58 UTC
Review of attachment 38281 [details] [review]:

::: dbus/dbus-auth.c
@@ +1210,3 @@
+            if (_dbus_string_init (&encoded))
+              {
+                _dbus_string_hex_encode (&plaintext, 0, &encoded, 0);

I think 'encoded' gets leaked here; we should free it after the _dbus_verbose() call.
Comment 15 Christian Dywan 2010-10-20 07:53:48 UTC
Created attachment 39582 [details] [review]
Handle failure to hex encode in handle_server_data_anonymous_mech #2

(In reply to comment #14)
> Review of attachment 38281 [details] [review]:
> I think 'encoded' gets leaked here; we should free it after the _dbus_verbose()
> call.

You're right. Updated the patch.
Comment 16 Simon McVittie 2011-01-05 06:44:09 UTC
Review of attachment 38280 [details] [review]:

r+ from me too, applied to master as 79b4e478 for either 1.4.4 or 1.5.0.
Comment 17 Simon McVittie 2011-01-05 06:48:40 UTC
Review of attachment 38840 [details] [review]:

Looks good, commited as 14be9f73.
Comment 18 Simon McVittie 2011-01-05 06:52:48 UTC
Review of attachment 38841 [details] [review]:

committed, 68b1d6ad
Comment 19 Simon McVittie 2011-01-05 06:57:12 UTC
Review of attachment 38906 [details] [review]:

Applied, 916620ea
Comment 20 Simon McVittie 2011-01-05 08:18:19 UTC
Review of attachment 38908 [details] [review]:

review- for this one.

::: dbus-1.3.1/tools/dbus-launch.c
@@ +714,3 @@
+          {
+            free (envvar);
+            free (argv);

No, that frees the argument argv, which we don't own. You mean args (and if argv was const, the compiler wouldn't have let us get this wrong).

There's another similar case just above for OOM while allocating args[0], which Coverity didn't spot because it doesn't know that xstrdup() is malloc-like.

All of this is a bit academic since pass_info() can't return - it either self-destructs via execvp() or calls exit().
Comment 21 Simon McVittie 2011-01-05 08:34:47 UTC
Review of attachment 39582 [details] [review]:

The commit name is a bit wrong; the failure case is OOM, and success of hex-encoding still isn't checked here.

This seems a very tenuous situation:

- we're the server
- the client authenticates as anonymous
- the client supplies an arbitrary string for us to log, which might be an email address or not, but is meant to be UTF-8
- the client actually gives us non-UTF8
- we hex-encode something like "D-Bus 1.4.3" as 442d42757320312e342e33, and output "server: try '442d42757320312e342e33'" as verbose output

It's not at all clear to me why we need to verbose-output anything at all here.

FWIW, the corresponding client-side sends the hex-encoding of "libdbus 1.4.3". Havoc wrote:

   * We just send the dbus implementation info, like a user-agent or
   * something, because... why not. There's nothing guaranteed here
   * though, we could change it later.

To be honest I'd be inclined to fix this by just deleting the whole {} block containing @plaintext and @encoded.
Comment 22 Simon McVittie 2011-01-18 08:01:47 UTC
Review of attachment 38907 [details] [review]:

I think a more comprehensible fix would be to centralize the resource-freeing by replacing the "return -1" with "goto failed", instead of adding the dbus_free call above it.

However, this patch is equivalent to that, strictly speaking, because at that point in the function, ai has already been freed and NULLed, and there are no file descriptors that need closing. I've applied it to master, and I'll propose my version as an extra patch.
Comment 23 Simon McVittie 2011-01-18 08:39:34 UTC
Created attachment 42166 [details] [review]
dbus-launch: pass_info: always free strings on OOM

This doesn't really do anything, because we're about to exit anyway, but
it placates static analysis tools.

---

Regarding Comment #22:

> I'll propose my version as an extra patch.

r+ from wjt and pushed.
Comment 24 Simon McVittie 2011-01-18 08:41:27 UTC
Created attachment 42167 [details] [review]
handle_server_data_anonymous_mech: remove unnecessary debug output

(In reply to comment #21)
> To be honest I'd be inclined to fix this by just deleting the whole {} block
> containing @plaintext and @encoded.

So, yeah, that.

Doing a malloc and a hex-encoding pass just to produce a _dbus_verbose
message (i.e. a message that, in practice, nobody will see) seems like
overkill, and this block had incorrect error handling (not checking the
result of _dbus_string_init) which upsets static analysis tools.
Comment 25 Simon McVittie 2011-01-18 08:47:15 UTC
Two remaining patches are available in gitweb (see URL), reviews would be appreciated.

The handle_server_data_anonymous_mech patch is a potential crash, albeit vanishingly unlikely.

The other patch is entirely academic, but it shuts up static analysis tools (i.e. makes it easier to see the real bugs). We could merge it, or not.
Comment 26 Simon McVittie 2011-02-03 10:04:08 UTC
Created attachment 42904 [details] [review]
_dbus_listen_tcp_socket: avoid leaking listen_fd in unlikely circumstances

Here's another patch, this time for an unlikely memory leak. Again, review would be appreciated.
Comment 27 Cosimo Alfarano 2011-03-03 10:30:48 UTC
Review of attachment 42166 [details] [review]:

OK to me, not a dbus dev though
Comment 28 Cosimo Alfarano 2011-03-04 07:37:20 UTC
Review of attachment 42167 [details] [review]:

OK to me, not a dbus dev though
Comment 29 Simon McVittie 2011-05-25 08:14:51 UTC
(In reply to comment #27)
> OK to me, not a dbus dev though

(In reply to comment #28)
> OK to me, not a dbus dev though

Both applied in dbus-1.4 for 1.4.10, and will be merged to master for 1.5.2, based on the new review policy that nobody actually objected to. :-)

(In reply to comment #26)
> _dbus_listen_tcp_socket: avoid leaking listen_fd in unlikely circumstances

Still to be reviewed.
Comment 30 Will Thompson 2011-10-19 06:05:53 UTC
Comment on attachment 42904 [details] [review]
_dbus_listen_tcp_socket: avoid leaking listen_fd in unlikely circumstances

Review of attachment 42904 [details] [review]:
-----------------------------------------------------------------

Yup, this looks fine.
Comment 31 Simon McVittie 2011-11-02 10:04:03 UTC
Fixed in git for 1.4.18, 1.5.10


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.