Bug 136390

Summary: Yahoo duplicate login causes NULL pointer dereference
Product: [Unmaintained] kopete Reporter: Matt Seitz <seitz>
Component: Yahoo PluginAssignee: Kopete Developers <kopete-bugs-null>
Status: RESOLVED FIXED    
Severity: crash    
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: RedHat Enterprise Linux   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: About Kopete screen capture
"configure" command output log
debug output and backtrace

Description Matt Seitz 2006-10-27 18:23:26 UTC 
Version:           0.12.2 (using KDE KDE 3.5.5)
Installed from:    RedHat RPMs
Compiler:          gcc (GCC) 3.4.6 20060404 (Red Hat 3.4.6-3) 
OS:                Linux

I found a NULL pointer dereference in "protocols/yahoo/libkyahoo/yahooclientstream.cpp":

I have built Kopete 0.12.2 using kdelibs-3.3.1-6.RHEL4 on my CentOS 4 Linux (a clone of RHEL 4) system.  It is working well, except I get a segfault when I am connected to Yahoo!, and I then connect to Yahoo! from another system.

With some help from the list, I compiled a debug version and ran it under GDB.  That's how I found the problem:


void ClientStream::cp_outgoingData( const QByteArray& outgoingBytes )
{
    // take formatted bytes from CoreProtocol and put them on the wire
    kdDebug(YAHOO_RAW_DEBUG) << k_funcinfo << "[data size: " << outgoingBytes.size() << "]" << endl;
    //cs_dump( outgoingBytes );
    d->bs->write( outgoingBytes );
}

The segfault happens on the "d->bs->write( outgoingBytes );" statement.  At this point, "d->bs" is NULL.

Looking at the call stack, it appears this originated with a call to "Client::sendPing()".
Comment 1 Matt Seitz 2006-10-27 18:26:33 UTC 
Created attachment 18289 [details]
About Kopete screen capture
Comment 2 Matt Rogers 2006-10-27 19:36:30 UTC 
Please provide the backtrace of the crash. (Just paste it into the comment box)
Comment 3 Matt Seitz 2006-10-28 03:29:21 UTC 
Valgrind stack dump:

==28451==
==28451== Invalid read of size 4
==28451==    at 0x58131CC: ClientStream::cp_outgoingData(QMemArray<char> const&) (yahooclientstream.cpp:304)
==28451==    by 0x5813D1C: ClientStream::qt_invoke(int, QUObject*) (yahooclientstream.moc:164)
==28451==    by 0x698642F: QObject::activate_signal(QConnectionList*, QUObject*) (in /usr/lib/qt-3.3/lib/libqt-mt.so.3.3.3)
==28451==    by 0x581BE7B: CoreProtocol::outgoingData(QMemArray<char> const&) (coreprotocol.moc:104)
==28451==    by 0x581B563: CoreProtocol::outgoingTransfer(Transfer*) (coreprotocol.cpp:141)
==28451==    by 0x58130EB: ClientStream::write(Transfer*) (yahooclientstream.cpp:254)
==28451==    by 0x58067E2: Client::send(Transfer*) (client.cpp:731)
==28451==    by 0x580AF85: Task::send(Transfer*) (task.cpp:182)
==28451==    by 0x58361EF: PingTask::onGo() (pingtask.cpp:43)
==28451==    by 0x580AD2F: Task::go(bool) (task.cpp:122)
==28451==    by 0x580553A: Client::sendPing() (client.cpp:419)
==28451==    by 0x58098B9: Client::qt_invoke(int, QUObject*) (client.moc:899)
==28451==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Comment 4 Matt Seitz 2006-10-28 03:32:42 UTC 
An easy way to reproduce the problem on a single system is:

1.  Use Kopete to connect to Yahoo!
2.  Go to the web version of Yahoo Messsenger and connect from there http://messenger.yahoo.com/webmsgr/fmsgr.php 
3.  Kopete will report the duplicate connection.  Close the alert box.
4.  Wait about a minute for the segfault to occur
Comment 5 Andre Duffeck 2006-11-01 12:11:50 UTC 
I can't reproduce. Could you please also post the debug output before the crash?
Comment 6 Matt Seitz 2006-11-01 21:57:33 UTC 
Is this the output you mean?

QMetaObject::findSignal:ClientStream: Conflict with Stream::readyRead()
Transfer ACCEPTED by: LoginTask
Transfer ACCEPTED by: LoginTask
Transfer ACCEPTED by: ListTask
Transfer ACCEPTED by: ListTask
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
CLIENT: SendPictureTask: Task::done()
CLIENT: SendPictureTask: emitting finished
Transfer ACCEPTED by: StatusNotifierTask
Transfer ACCEPTED by: MailNotifierTask
QGArray::find: Index 0 out of range
Transfer ACCEPTED by: StatusNotifierTask
CLIENT: Task: Task::done()
CLIENT: Task: emitting finished
QObject::disconnect: No such signal Client::gotBuddyIconRequest(const QString&)
Transfer ACCEPTED by: StatusNotifierTask
Comment 7 Andre Duffeck 2006-11-02 13:23:45 UTC 
basically yes. but you'd have to recompile kopete with debug enabled (./configure --enable-debug=full) in order to make it produce helpful information.
Comment 8 Matt Seitz 2006-11-02 23:00:37 UTC 
Created attachment 18372 [details]
"configure" command output log

I did use "enable-debug=full".	See the attached config.log.
Comment 9 Andre Duffeck 2006-11-03 20:07:27 UTC 
sorry, i guess i wasn't clear enough. What i want is the debug output of kopete before it crashes. But in order to make that output helpful you first have to recompile kopete with --enable-debug. Thanks.
Comment 10 Matt Seitz 2006-11-04 01:38:00 UTC 
The steps I performed to produce the output in Comment 6 were:

1.  cd /opt/seitz/kopete/build

2.  ../kopete-0.12.2-seitz/configure --prefix=/opt/seitz/kopete --enable-debug=full

3.  make clean && make && make install

4.  /opt/seitz/koptete/bin/kopete --nofork

I then copied all the terminal output from launching kopete until it crashed.

What step am I missing?
Comment 11 Matt Seitz 2006-11-06 18:28:19 UTC 
Created attachment 18441 [details]
debug output and backtrace

I don't know what I did wrong in Comment 6.  But after I went ahead and did a
full rebuild, I now see much, much more debug output.  I'm attaching a copy
along with the back trace.
Comment 12 Andre Duffeck 2006-11-08 12:15:28 UTC 
SVN commit 603246 by duffeck:

That should fix the crash after duplicate login.
BUG: 136390


 M  +4 -1      client.cpp  


--- branches/KDE/3.5/kdenetwork/kopete/protocols/yahoo/libkyahoo/client.cpp #603245:603246
@@ -258,6 +258,9 @@
 		setStatus( d->statusOnConnect );
 		m_pingTimer->start( 60 * 1000 );
 		initTasks();
+	} else {
+		d->active = false;
+		close();
 	}
 
 	kdDebug(YAHOO_RAW_DEBUG) << k_funcinfo << "Emitting loggedIn" << endl;
@@ -752,7 +755,7 @@
 	QObject::connect( d->statusTask, SIGNAL( stealthStatusChanged( const QString&, Yahoo::StealthStatus ) ), 
 				SIGNAL( stealthStatusChanged( const QString&, Yahoo::StealthStatus ) ) );
 	QObject::connect( d->statusTask, SIGNAL( loginResponse( int, const QString& ) ), 
-				SIGNAL( loggedIn( int, const QString& ) ) );
+				SLOT( slotLoginResponse( int, const QString& ) ) );
 	QObject::connect( d->statusTask, SIGNAL( authorizationRejected( const QString&, const QString& ) ), 
 				SIGNAL( authorizationRejected( const QString&, const QString& ) ) );
 	QObject::connect( d->statusTask, SIGNAL( authorizationAccepted( const QString& ) ),
Comment 13 Matt Seitz 2006-12-21 00:37:32 UTC 
I've applied the changes to my build, and the problem appears fixed.