#364 crash on linkdead character

Closed
opened 3 years ago by image · 2 comments
image commented 3 years ago
==2378475==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e000bfbeb8 at pc 0x55555617739b bp 0x7fffffffaa20 sp 0x7fffffffaa10
READ of size 8 at 0x61e000bfbeb8 thread T0
08:04:11 I ZoneAuth  : Access Key: 1626350650, Character Name: Emagi, Account ID: 88, Client Data Version: 60114
08:04:11 I Zone      : Removing connection for client 'Emagi'.
08:04:11 I Zone      : Starting zone shutdown timers...
    #0 0x55555617739a in Client::GetPlayer() ../WorldServer/client.h:222
    #1 0x55555617739a in WorldDatabase::ToggleCharacterOnline(Client*, unsigned char) ../WorldServer/WorldDatabase.cpp:5270
    #2 0x5555559c951b in ZoneServer::RemoveClientImmediately(Client*) ../WorldServer/zoneserver.cpp:3130
    #3 0x555555f80eef in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9754
    #4 0x555555f85be6 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1029
    #5 0x555555fa6918 in Client::Process(bool) ../WorldServer/client.cpp:2956
    #6 0x555555fa9673 in ClientList::Process() ../WorldServer/client.cpp:3241
    #7 0x55555637f858 in main ../WorldServer/net.cpp:458
    #8 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x55555575f41d in _start (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x20b41d)

0x61e000bfbeb8 is located 1592 bytes inside of 2656-byte region [0x61e000bfb880,0x61e000bfc2e0)
freed by thread T0 here:
    #0 0x7ffff767c025 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111025)
    #1 0x555555b0b4f9 in MutexList<Client*>::update(bool) (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x5b74f9)
    #2 0x5555559c94b7 in MutexList<Client*>::Remove(Client*, bool, unsigned int) ../WorldServer/MutexList.h:203
    #3 0x5555559c94b7 in ZoneServer::RemoveClientImmediately(Client*) ../WorldServer/zoneserver.cpp:3117
    #4 0x555555f80eef in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9754
    #5 0x555555f85be6 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1029
    #6 0x555555fa6918 in Client::Process(bool) ../WorldServer/client.cpp:2956
    #7 0x555555fa9673 in ClientList::Process() ../WorldServer/client.cpp:3241
    #8 0x55555637f858 in main ../WorldServer/net.cpp:458
    #9 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7ffff767a947 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
    #1 0x55555637f30e in main ../WorldServer/net.cpp:434
    #2 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/client.h:222 in Client::GetPlayer()
Shadow bytes around the buggy address:
  0x0c3c80177780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80177790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c801777a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c801777b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c801777c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3c801777d0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c3c801777e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c801777f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80177800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80177810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80177820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2378475==ABORTING
image commented 3 years ago
Collaborator

Going to move ToggleCharacterOnline before the connected_clients.Remove to avoid bad memory handling

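The ordering the collaborator describes, written out as an added example (this is not EQ2EMu code; `OwningClientList`, `FakeDatabase` and `Take()` are stand-ins constructed here, and only the names `RemoveClientImmediately` and `ToggleCharacterOnline` come from the trace). The first trace shows `MutexList<Client*>::Remove` ending in `operator delete`, after which `ToggleCharacterOnline` reads through the freed `Client`. The example does the toggle first, and additionally has the list hand ownership back instead of deleting inside `Remove()`, so the object's lifetime ends where the caller can see it:

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-ins for the server's types, constructed for this example only.
struct Player {
    std::string name;
    explicit Player(std::string n) : name(std::move(n)) {}
};

struct Client {
    explicit Client(std::string name) : player_(std::make_unique<Player>(std::move(name))) {}
    Player* GetPlayer() const { return player_.get(); }
private:
    std::unique_ptr<Player> player_;
};

// Records what the "database" was asked to do; stands in for the side effect
// of WorldDatabase::ToggleCharacterOnline.
struct FakeDatabase {
    std::vector<std::pair<std::string, bool>> toggles;
    void ToggleCharacterOnline(Client* client, bool online) {
        // Dereferences the client: this is the read ASan flagged when the call
        // came after the list had already deleted the object.
        toggles.emplace_back(client->GetPlayer()->name, online);
    }
};

// An owning list like MutexList<Client*> in the trace. Instead of deleting
// inside Remove(), Take() returns the unique_ptr, so whoever removes the
// client also decides when it dies.
class OwningClientList {
public:
    Client* Add(std::unique_ptr<Client> client) {
        Client* raw = client.get();
        clients_.push_back(std::move(client));
        return raw;
    }
    std::unique_ptr<Client> Take(Client* client) {
        auto it = std::find_if(clients_.begin(), clients_.end(),
                               [client](const std::unique_ptr<Client>& p) { return p.get() == client; });
        if (it == clients_.end()) return nullptr;
        std::unique_ptr<Client> owned = std::move(*it);
        clients_.erase(it);
        return owned;
    }
    std::size_t Size() const { return clients_.size(); }
private:
    std::vector<std::unique_ptr<Client>> clients_;
};

// The fixed ordering: every use of the client (the online-flag toggle) happens
// before the list gives the object up. The returned unique_ptr is the sole
// owner and is destroyed at the end of the function, after the toggle.
bool RemoveClientImmediately(OwningClientList& list, FakeDatabase& db, Client* client) {
    db.ToggleCharacterOnline(client, false);
    std::unique_ptr<Client> owned = list.Take(client);
    return owned != nullptr;  // the Client is deleted when 'owned' goes out of scope
}

struct DemoResult {
    std::size_t remaining;
    std::string toggled_name;
    bool toggled_online;
    bool removed;
};

// Drives the scenario from the trace: two connected clients, one removed
// immediately. Returns what the database recorded and how many clients remain.
DemoResult RunRemoveDemo() {
    OwningClientList connected_clients;
    FakeDatabase db;
    Client* emagi = connected_clients.Add(std::make_unique<Client>("Emagi"));
    connected_clients.Add(std::make_unique<Client>("Other"));
    bool removed = RemoveClientImmediately(connected_clients, db, emagi);
    return DemoResult{connected_clients.Size(), db.toggles.back().first,
                      db.toggles.back().second, removed};
}
```

Reordering two calls fixes this instance; returning ownership from the container is what keeps the next caller from reintroducing it, because a use after `Take()` now has to go through a `unique_ptr` the caller visibly holds.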
image commented 3 years ago
Collaborator
    #0 0x555555ed57b6 in Client::GetCurrentZone() ../WorldServer/client.cpp:3323
    #1 0x555555a1c1fe in ZoneServer::SendQuestUpdates(Client*, Spawn*) ../WorldServer/zoneserver.cpp:4056
    #2 0x555555e6ed74 in EQ2Emu_lua_AddQuestStepObtainItem(lua_State*) ../WorldServer/LuaFunctions.cpp:3851
    #3 0x5555569454d6 in luaD_precall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f14d6)
    #4 0x5555569687ae in luaV_execute (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x14147ae)
    #5 0x5555569457a6 in ccall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f17a6)
    #6 0x555556945823 in luaD_callnoyield (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f1823)
    #7 0x555556971f31 in f_call (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x141df31)
    #8 0x5555569444af in luaD_rawrunprotected (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f04af)
    #9 0x555556945fb8 in luaD_pcall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f1fb8)
    #10 0x555556972014 in lua_pcallk (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x141e014)
    #11 0x555555c40103 in LuaInterface::CallQuestFunction(Quest*, char const*, Spawn*, unsigned int) ../WorldServer/LuaInterface.cpp:426
    #12 0x555555ed889a in Client::SetPlayerQuest(Quest*, std::map<unsigned int, unsigned int, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, unsigned int> > >*) ../WorldServer/client.cpp:5488
    #13 0x5555561e6a7b in WorldDatabase::LoadCharacterQuestProgress(Client*) ../WorldServer/WorldDatabase.cpp:2592
    #14 0x5555561e7490 in WorldDatabase::LoadCharacterQuests(Client*) ../WorldServer/WorldDatabase.cpp:2662
    #15 0x555555f67a34 in Client::SendLoginInfo() ../WorldServer/client.cpp:351
    #16 0x555555fa6967 in Client::Process(bool) ../WorldServer/client.cpp:2932
    #17 0x555555a5e027 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3157
    #18 0x555555a70d37 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1385
    #19 0x555555a84169 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6846
    #20 0x7ffff7535608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #21 0x7ffff6f6d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x61e000bfbff0 is located 1904 bytes inside of 2656-byte region [0x61e000bfb880,0x61e000bfc2e0)
freed by thread T0 here:
    #0 0x7ffff767c025 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111025)
    #1 0x555555b1dffb in IsPointer<Client*>::Delete(Client*) ../WorldServer/MutexHelper.h:101
    #2 0x555555b1dffb in HandleDeletes<Client*>::CheckDeletes(bool) ../WorldServer/MutexHelper.h:184
    #3 0x555555b1dffb in MutexList<Client*>::update(bool) ../WorldServer/MutexList.h:261
    #4 0x5555559dc119 in MutexList<Client*>::Remove(Client*, bool, unsigned int) ../WorldServer/MutexList.h:203
    #5 0x5555559dc119 in ZoneServer::RemoveClientImmediately(Client*) ../WorldServer/zoneserver.cpp:3118
    #6 0x555555f810e5 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9754
    #7 0x555555f85ddc in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1029
    #8 0x555555fa6b0e in Client::Process(bool) ../WorldServer/client.cpp:2956
    #9 0x555555fa9869 in ClientList::Process() ../WorldServer/client.cpp:3241
    #10 0x55555637fa4e in main ../WorldServer/net.cpp:458
    #11 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7ffff767a947 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
    #1 0x55555637f504 in main ../WorldServer/net.cpp:434
    #2 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Thread T22 created by T0 here:
    #0 0x7ffff75a5805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x555555a2ecee in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308
    #2 0x55555586de34 in ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:573
    #3 0x555555ed553e in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3309
    #4 0x55555623fb6b in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1774
    #5 0x555555f80a51 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9728
    #6 0x555555f85ddc in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1029
    #7 0x555555fa6b0e in Client::Process(bool) ../WorldServer/client.cpp:2956
    #8 0x555555fa9869 in ClientList::Process() ../WorldServer/client.cpp:3241
    #9 0x55555637fa4e in main ../WorldServer/net.cpp:458
    #10 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/client.cpp:3323 in Client::GetCurrentZone()
Shadow bytes around the buggy address:
  0x0c3c801777a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c801777b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c801777c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c801777d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c801777e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3c801777f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c3c80177800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80177810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80177820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80177830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80177840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2381105==ABORTING

need some additional protection for a returning linkdead character so we don't reload everything into the existing player

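One shape the "additional protection for a returning linkdead character" could take, as an added example (not EQ2EMu code; `SessionTable`, its `HandleNewLogin`, `MarkLinkdead`, `Handle` and `RemoveSession` methods, the `SendQuestUpdates` stub and the character id 4242 are all constructed here). The second trace has the world thread delete a `Client` inside `HandleNewLogin` while zone thread T22 still holds a raw pointer to it. The example keys sessions by character, reattaches a new connection to an existing linkdead session instead of building a second client and reloading, and gives the zone thread a `weak_ptr` so a removed client shows up as an expired handle rather than a dangling dereference:

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <mutex>
#include <string>
#include <unordered_map>
#include <utility>

// Stand-in for the server's Client, constructed for this example only.
struct Client {
    std::uint32_t character_id = 0;
    std::string name;
    int connection_id = 0;   // which network connection currently feeds this client
    bool linkdead = false;
    int full_loads = 0;      // how many times the character was loaded from the database
};

// Character-keyed session table. The world thread (T0 in the trace) owns the
// entries; zone threads (T22) keep weak handles and must lock() before use.
class SessionTable {
public:
    enum class LoginOutcome { NewSession, Reattached };

    // Called for a new login packet. If the character already has a session
    // that went linkdead, reattach the new connection to it and skip the full
    // reload, instead of creating a second Client and deleting the first one
    // while a zone thread may still be using it.
    LoginOutcome HandleNewLogin(std::uint32_t character_id, std::string name, int connection_id) {
        std::lock_guard<std::mutex> lock(mutex_);
        auto it = sessions_.find(character_id);
        if (it != sessions_.end() && it->second->linkdead) {
            it->second->connection_id = connection_id;
            it->second->linkdead = false;
            return LoginOutcome::Reattached;
        }
        auto client = std::make_shared<Client>();
        client->character_id = character_id;
        client->name = std::move(name);
        client->connection_id = connection_id;
        client->full_loads = 1;  // fresh load of the character from the database
        sessions_[character_id] = client;
        return LoginOutcome::NewSession;
    }

    void MarkLinkdead(std::uint32_t character_id) {
        std::lock_guard<std::mutex> lock(mutex_);
        auto it = sessions_.find(character_id);
        if (it != sessions_.end()) it->second->linkdead = true;
    }

    // A zone thread keeps this instead of a raw Client*.
    std::weak_ptr<Client> Handle(std::uint32_t character_id) const {
        std::lock_guard<std::mutex> lock(mutex_);
        auto it = sessions_.find(character_id);
        return it == sessions_.end() ? std::weak_ptr<Client>() : std::weak_ptr<Client>(it->second);
    }

    void RemoveSession(std::uint32_t character_id) {
        std::lock_guard<std::mutex> lock(mutex_);
        sessions_.erase(character_id);
    }

    std::size_t Size() const {
        std::lock_guard<std::mutex> lock(mutex_);
        return sessions_.size();
    }

private:
    mutable std::mutex mutex_;
    std::unordered_map<std::uint32_t, std::shared_ptr<Client>> sessions_;
};

// What a zone thread does with its handle: a client that has been removed
// shows up as an expired handle and is skipped, never dereferenced.
bool SendQuestUpdates(const std::weak_ptr<Client>& handle) {
    std::shared_ptr<Client> client = handle.lock();
    if (!client) return false;
    // ... build and send the quest update on client->connection_id ...
    return true;
}

struct ReconnectResult {
    SessionTable::LoginOutcome first_login;
    SessionTable::LoginOutcome second_login;
    bool sent_after_reattach;
    int loads;
    int connection_id;
    bool sent_after_remove;
    std::size_t sessions_after_remove;
};

// Drives the scenario from the issue: login, link death, the same character
// returning on a new connection, then final removal. 4242 is a constructed id.
ReconnectResult RunReconnectDemo() {
    SessionTable table;
    ReconnectResult r{};
    r.first_login = table.HandleNewLogin(4242, "Emagi", 1);
    std::weak_ptr<Client> zone_handle = table.Handle(4242);  // held by the zone thread
    table.MarkLinkdead(4242);
    r.second_login = table.HandleNewLogin(4242, "Emagi", 2);
    r.sent_after_reattach = SendQuestUpdates(zone_handle);   // same object, still alive
    if (auto client = zone_handle.lock()) {
        r.loads = client->full_loads;                         // not reloaded on reattach
        r.connection_id = client->connection_id;              // now the new connection
    }
    table.RemoveSession(4242);
    r.sent_after_remove = SendQuestUpdates(zone_handle);     // expired, skipped
    r.sessions_after_remove = table.Size();
    return r;
}
```

The `weak_ptr` does not remove the need for the reattach check; it only turns the cross-thread case from a silent read of freed memory into a handle the zone thread can test. The linkdead branch is what stops the reload into the existing player.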