Bug 408137

Summary: QCA::TLS handshaken is emitted with a broken certificate instance leading to a crash
Product: [Frameworks and Libraries] qca Reporter: Sergey <rion4ik>
Component: general    Assignee: Ivan Romanov <drizt72>
Status: RESOLVED WORKSFORME    
Severity: normal CC: bradh, justin, Neustradamus
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:

Description Sergey 2019-05-31 08:42:53 UTC
The above was noticed with Psi instant messenger on wakeup from sleep.
On handshaken() it tries to tls->peerCertificateChain().primary();
Crashes in copy constructor of QCA::Certificate

#6  0x00007f29cb340af9 in QCA::Algorithm::operator=(QCA::Algorithm const&) () from /usr/lib/libqca-qt5.so.2
#7  0x00007f29cb341d35 in QCA::Algorithm::Algorithm(QCA::Algorithm const&) () from /usr/lib/libqca-qt5.so.2
#8  0x00007f29cb32f502 in QCA::Certificate::Certificate(QCA::Certificate const&) () from /usr/lib/libqca-qt5.so.2
#9  0x00005630b910b153 in CertificateHelpers::checkCertificate(QCA::TLS*, XMPP::QCATLSHandler*, QString&, QByteArray&, QObject*, QString const&, QString const&) ()
#10 0x00005630b8d42f62 in PsiAccount::tls_handshaken() ()
#11 0x00005630b8c8ca07 in ?? ()
#12 0x00007f29c33981d7 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/libQt5Core.so.5
#13 0x00007f29c33981d7 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/libQt5Core.so.5
#14 0x00007f29cb372522 in QCA::TLS::Private::processNextAction() () from /usr/lib/libqca-qt5.so.2
#15 0x00007f29cb36c776 in ?? () from /usr/lib/libqca-qt5.so.2
#16 0x00007f29c33981d7 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib/libQt5Core.so.5
#17 0x00007f29c3398a3b in QObject::event(QEvent*) () from /usr/lib/libQt5Core.so.5
#18 0x00007f29c3898da4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib/libQt5Widgets.so.5
#19 0x00007f29c38a03c1 in QApplication::notify(QObject*, QEvent*) () from /usr/lib/libQt5Widgets.so.5
#20 0x00007f29c336d849 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib/libQt5Core.so.5
#21 0x00007f29c33c1d15 in QTimerInfoList::activateTimers() () from /usr/lib/libQt5Core.so.5

Assuming the certificate chain can't be empty in this case, it's likely the chain has a certificate with some dangling pointers.
Note Psi handles this in the same thread and there is no Qt::QueuedConnection (it's visible from the stack above).

I currently can't provide more details except that it happened on Manjaro Linux 18.0.4.
Comment 1 Sergey 2020-09-01 16:57:30 UTC
Well, since I took maintainership of the QCA fork, I tried to review it myself. But all the code looks pretty valid to me.
Moreover, the original reporter told me it hasn't crashed for him for a while. And the same for me.

So likely it's neither a QCA nor a Psi problem. It's something else.
I'm closing this issue since there is nothing more to investigate, and it's better to have a coredump from a debug version next time.