[Freeciv-Dev] [bug #19814] Free'd ruleset structures accessed when changing ruleset

2013-02-18 Thread pepeto
Update of bug #19814 (project freeciv):

          Status: None => Duplicate
     Open/Closed: Open => Closed

___

Follow-up Comment #2:

Discussion is continuing at bug #20517


___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev


[Freeciv-Dev] [bug #19814] Free'd ruleset structures accessed when changing ruleset

2013-02-16 Thread pepeto
Follow-up Comment #1, bug #19814 (project freeciv):

See also bug #20517



[Freeciv-Dev] [bug #19814] Free'd ruleset structures accessed when changing ruleset

2012-06-15 Thread Jacob Nevins
         Summary: Free'd ruleset structures accessed when changing ruleset
         Project: Freeciv
    Submitted by: jtn
    Submitted on: Fri Jun 15 20:39:30 2012
        Category: None
        Severity: 3 - Normal
        Priority: 5 - Normal
          Status: None
     Assigned to: None
Originator Email: 
     Open/Closed: Open
         Release: S2_3 r21191
 Discussion Lock: Any
Operating System: Any
 Planned Release: 

___

Details:

Spotted by pepeto's valgrind in bug #19800:

load_rulesets() calls game_ruleset_free(), which frees ruleset structures, and
shortly afterwards calls reset_player_nations(), which eventually calls
package_player_info(), which as part of its work calls government_number(),
which follows pointers from the player structure to the previously freed
government structures.
(package_player_info() also calls all sorts of other game functions which I
fear might try to access freed ruleset structures, although I didn't spot
any.)

The obvious fix is to swap the order of the two calls made by
load_rulesets().

However, I'm not sure how worried to be about those dangling government
pointers left in player structures over the ruleset reload -- does something
clear them down?

Here's the relevant bit of the Valgrind log from bug #19800:


pepeto: 'rulesetdir multiplayer
'
2: Ruleset directory set to "multiplayer"
2: Loading rulesets.
==32115== Invalid read of size 4
==32115==    at 0x8125F88: government_number (government.c:93)
==32115==    by 0x80B779F: package_player_info (plrhand.c:872)
==32115==    by 0x80B7EE7: send_player_info_c_real (plrhand.c:717)
==32115==    by 0x80B8010: send_player_info_c (plrhand.c:690)
==32115==    by 0x80C7A7B: load_rulesets (ruleset.c:3968)
==32115==    by 0x80571FE: set_rulesetdir (stdinhand.c:3694)
==32115==    by 0x805CF1F: handle_stdin_input_real.part.15 (stdinhand.c:4124)
==32115==    by 0x805F04F: read_init_script_real (stdinhand.c:1196)
==32115==    by 0x805C578: handle_stdin_input_real.part.15 (stdinhand.c:1113)
==32115==    by 0x8101147: handle_chat_msg_req (handchat.c:343)
==32115==    by 0x80B1E9E: server_handle_packet (hand_gen.c:40)
==32115==    by 0x804FEC1: server_packet_input (srv_main.c:1498)
==32115==  Address 0x43391a0 is 0 bytes inside a block of size 1,344 free'd
==32115==    at 0x402B06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32115==    by 0x8126B7C: governments_free (government.c:536)
==32115==    by 0x8125731: game_ruleset_free (game.c:493)
==32115==    by 0x80C7A54: load_rulesets (ruleset.c:3983)
==32115==    by 0x80571FE: set_rulesetdir (stdinhand.c:3694)
==32115==    by 0x805CF1F: handle_stdin_input_real.part.15 (stdinhand.c:4124)
==32115==    by 0x805F04F: read_init_script_real (stdinhand.c:1196)
==32115==    by 0x805C578: handle_stdin_input_real.part.15 (stdinhand.c:1113)
==32115==    by 0x8101147: handle_chat_msg_req (handchat.c:343)
==32115==    by 0x80B1E9E: server_handle_packet (hand_gen.c:40)
==32115==    by 0x804FEC1: server_packet_input (srv_main.c:1498)
==32115==    by 0x80DF00D: server_sniff_all_input (sernet.c:448)
==32115== 
2: Ruleset: 'generator' has been set to "Island-based" (ISLAND).





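The call ordering described in the report above, modeled as an added example (not Freeciv code and not part of the original thread). The function names are borrowed from the report, but the struct layouts, the generation counter and the simplified bodies are assumptions; the reported order is caught by a generation check instead of reading freed memory, and the swapped order clears the player's pointer before the free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the structures named in the report (assumed layout). */
struct government { int item_number; };
struct player { const struct government *government; unsigned gov_gen; };

static struct government *governments; /* current ruleset's government table */
static unsigned ruleset_gen;           /* bumped each time the table is freed */

static void ruleset_alloc(int n) {
  governments = calloc((size_t)n, sizeof(*governments));
  if (governments == NULL) abort();
  for (int i = 0; i < n; i++) governments[i].item_number = i;
}
static void game_ruleset_free(void) {
  free(governments);
  governments = NULL;
  ruleset_gen++;                       /* pointers handed out earlier are now stale */
}
static void player_set_government(struct player *p, int idx) {
  p->government = &governments[idx];
  p->gov_gen = ruleset_gen;
}
/* Government number, -1 if unset, -2 if stale. The generation is compared
 * before the pointer is read, so a stale pointer is never dereferenced. */
static int package_player_info(const struct player *p) {
  if (p->gov_gen != ruleset_gen) return -2;
  return p->government ? p->government->item_number : -1;
}
/* free_first=1 is the order from the report; 0 is the swapped order. */
static int load_rulesets(struct player *p, int free_first) {
  int sent = 0;
  if (!free_first) { sent = package_player_info(p); p->government = NULL; }
  game_ruleset_free();
  if (free_first) sent = package_player_info(p); /* the invalid read in the log */
  else p->gov_gen = ruleset_gen;       /* the cleared pointer is valid again */
  ruleset_alloc(4);
  return sent;
}
int main(void) {
  struct player p = {0};
  ruleset_alloc(4); player_set_government(&p, 2);
  printf("reported order: %d\n", load_rulesets(&p, 1));
  player_set_government(&p, 2);
  printf("swapped order: %d\n", load_rulesets(&p, 0));
  printf("after reload: %d\n", package_player_info(&p));
  return 0;
}
```

In the reported order the player is left holding a stale pointer after the reload, which is the dangling-pointer concern raised in the report; in the swapped order the pointer is cleared down before the table is freed.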