==2378475==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e000bfbeb8 at pc 0x55555617739b bp 0x7fffffffaa20 sp 0x7fffffffaa10 READ of size 8 at 0x61e000bfbeb8 thread T0 08:04:11 I ZoneAuth : Access Key: 1626350650, Character Name: Emagi, Account ID: 88, Client Data Version: 60114 08:04:11 I Zone : Removing connection for client 'Emagi'. 08:04:11 I Zone : Starting zone shutdown timers... #0 0x55555617739a in Client::GetPlayer() ../WorldServer/client.h:222 #1 0x55555617739a in WorldDatabase::ToggleCharacterOnline(Client*, unsigned char) ../WorldServer/WorldDatabase.cpp:5270 #2 0x5555559c951b in ZoneServer::RemoveClientImmediately(Client*) ../WorldServer/zoneserver.cpp:3130 #3 0x555555f80eef in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9754 #4 0x555555f85be6 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1029 #5 0x555555fa6918 in Client::Process(bool) ../WorldServer/client.cpp:2956 #6 0x555555fa9673 in ClientList::Process() ../WorldServer/client.cpp:3241 #7 0x55555637f858 in main ../WorldServer/net.cpp:458 #8 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #9 0x55555575f41d in _start (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x20b41d) 0x61e000bfbeb8 is located 1592 bytes inside of 2656-byte region [0x61e000bfb880,0x61e000bfc2e0) freed by thread T0 here: #0 0x7ffff767c025 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111025) #1 0x555555b0b4f9 in MutexList<Client*>::update(bool) (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x5b74f9) #2 0x5555559c94b7 in MutexList<Client*>::Remove(Client*, bool, unsigned int) ../WorldServer/MutexList.h:203 #3 0x5555559c94b7 in ZoneServer::RemoveClientImmediately(Client*) ../WorldServer/zoneserver.cpp:3117 #4 0x555555f80eef in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9754 #5 0x555555f85be6 in Client::HandlePacket(EQApplicationPacket*) 
../WorldServer/client.cpp:1029 #6 0x555555fa6918 in Client::Process(bool) ../WorldServer/client.cpp:2956 #7 0x555555fa9673 in ClientList::Process() ../WorldServer/client.cpp:3241 #8 0x55555637f858 in main ../WorldServer/net.cpp:458 #9 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) previously allocated by thread T0 here: #0 0x7ffff767a947 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10f947) #1 0x55555637f30e in main ../WorldServer/net.cpp:434 #2 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/client.h:222 in Client::GetPlayer() Shadow bytes around the buggy address: 0x0c3c80177780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c80177790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c801777a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c801777b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c801777c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c3c801777d0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd 0x0c3c801777e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c801777f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c80177800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c80177810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c80177820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2378475==ABORTING
Move the ToggleCharacterOnline call before connected_clients.Remove in ZoneServer::RemoveClientImmediately. The first AddressSanitizer report above shows why: MutexList&lt;Client*&gt;::Remove (zoneserver.cpp:3117) deletes the Client object, and ToggleCharacterOnline (zoneserver.cpp:3130) then calls Client::GetPlayer() on the freed object, a heap-use-after-free reachable from a client login packet (HandlePacket -> HandleNewLogin). Toggling the online flag while the Client is still alive removes that read of freed memory.
#0 0x555555ed57b6 in Client::GetCurrentZone() ../WorldServer/client.cpp:3323 #1 0x555555a1c1fe in ZoneServer::SendQuestUpdates(Client*, Spawn*) ../WorldServer/zoneserver.cpp:4056 #2 0x555555e6ed74 in EQ2Emu_lua_AddQuestStepObtainItem(lua_State*) ../WorldServer/LuaFunctions.cpp:3851 #3 0x5555569454d6 in luaD_precall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f14d6) #4 0x5555569687ae in luaV_execute (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x14147ae) #5 0x5555569457a6 in ccall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f17a6) #6 0x555556945823 in luaD_callnoyield (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f1823) #7 0x555556971f31 in f_call (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x141df31) #8 0x5555569444af in luaD_rawrunprotected (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f04af) #9 0x555556945fb8 in luaD_pcall (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x13f1fb8) #10 0x555556972014 in lua_pcallk (/mnt/Dev/github/eq2emu_public/EQ2EMu/server/eq2world+0x141e014) #11 0x555555c40103 in LuaInterface::CallQuestFunction(Quest*, char const*, Spawn*, unsigned int) ../WorldServer/LuaInterface.cpp:426 #12 0x555555ed889a in Client::SetPlayerQuest(Quest*, std::map<unsigned int, unsigned int, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, unsigned int> > >*) ../WorldServer/client.cpp:5488 #13 0x5555561e6a7b in WorldDatabase::LoadCharacterQuestProgress(Client*) ../WorldServer/WorldDatabase.cpp:2592 #14 0x5555561e7490 in WorldDatabase::LoadCharacterQuests(Client*) ../WorldServer/WorldDatabase.cpp:2662 #15 0x555555f67a34 in Client::SendLoginInfo() ../WorldServer/client.cpp:351 #16 0x555555fa6967 in Client::Process(bool) ../WorldServer/client.cpp:2932 #17 0x555555a5e027 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3157 #18 0x555555a70d37 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1385 #19 0x555555a84169 in ZoneLoop(void*) 
../WorldServer/zoneserver.cpp:6846 #20 0x7ffff7535608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 #21 0x7ffff6f6d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292) 0x61e000bfbff0 is located 1904 bytes inside of 2656-byte region [0x61e000bfb880,0x61e000bfc2e0) freed by thread T0 here: #0 0x7ffff767c025 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x111025) #1 0x555555b1dffb in IsPointer<Client*>::Delete(Client*) ../WorldServer/MutexHelper.h:101 #2 0x555555b1dffb in HandleDeletes<Client*>::CheckDeletes(bool) ../WorldServer/MutexHelper.h:184 #3 0x555555b1dffb in MutexList<Client*>::update(bool) ../WorldServer/MutexList.h:261 #4 0x5555559dc119 in MutexList<Client*>::Remove(Client*, bool, unsigned int) ../WorldServer/MutexList.h:203 #5 0x5555559dc119 in ZoneServer::RemoveClientImmediately(Client*) ../WorldServer/zoneserver.cpp:3118 #6 0x555555f810e5 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9754 #7 0x555555f85ddc in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1029 #8 0x555555fa6b0e in Client::Process(bool) ../WorldServer/client.cpp:2956 #9 0x555555fa9869 in ClientList::Process() ../WorldServer/client.cpp:3241 #10 0x55555637fa4e in main ../WorldServer/net.cpp:458 #11 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) previously allocated by thread T0 here: #0 0x7ffff767a947 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10f947) #1 0x55555637f504 in main ../WorldServer/net.cpp:434 #2 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) Thread T22 created by T0 here: #0 0x7ffff75a5805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x555555a2ecee in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308 #2 0x55555586de34 in ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:573 #3 0x555555ed553e in Client::SetCurrentZone(unsigned int) 
../WorldServer/client.cpp:3309 #4 0x55555623fb6b in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1774 #5 0x555555f80a51 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9728 #6 0x555555f85ddc in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1029 #7 0x555555fa6b0e in Client::Process(bool) ../WorldServer/client.cpp:2956 #8 0x555555fa9869 in ClientList::Process() ../WorldServer/client.cpp:3241 #9 0x55555637fa4e in main ../WorldServer/net.cpp:458 #10 0x7ffff6e720b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/client.cpp:3323 in Client::GetCurrentZone() Shadow bytes around the buggy address: 0x0c3c801777a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c801777b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c801777c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c801777d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c801777e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c3c801777f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd 0x0c3c80177800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c80177810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c80177820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c80177830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3c80177840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc 
==2381105==ABORTING
Additional protection is still needed for a returning link-dead character so that the login path does not reload everything into the existing Player. The second AddressSanitizer report above shows that reordering the calls is not sufficient on its own: the main thread (T0) frees the Client via HandleNewLogin -> RemoveClientImmediately, while a zone thread is still inside Client::SendLoginInfo -> LoadCharacterQuests -> Lua quest callbacks and dereferences the freed Client in Client::GetCurrentZone(). The re-login of a character that is still being loaded must be rejected or serialized against the in-progress load rather than deleting the Client out from under the zone thread.
Move the ToggleCharacterOnline call before connected_clients.Remove in ZoneServer::RemoveClientImmediately, so the online flag is toggled while the Client object is still alive; the first AddressSanitizer report shows Remove freeing the Client and ToggleCharacterOnline then reading it (Client::GetPlayer() on freed memory), triggered from HandleNewLogin on a client packet.
Additional protection is still needed for a returning link-dead character so that the login path does not reload everything into the existing Player: the second AddressSanitizer report shows a zone thread still running Client::SendLoginInfo (quest loading through Lua) while the main thread deletes the same Client in HandleNewLogin -> RemoveClientImmediately, so the reorder alone does not cover this cross-thread use-after-free.