- From: Steven Gray <sgray004@hotmail.com>
- Date: Thu, 17 Oct 2002 15:59:01 -0700
- To: www-lib@w3.org
I have not used libwww extensively, so please excuse me if I am inaccurate with any of the following:

The setup:
  Windows platform
  libwww version 5.4.0 built as DLLs
  NoCacheClient profile
  Using HTLoadToFile with an "ftp://user:pwd@foo.bar/file" URL.

Note, an identically coded HTTP request "http://foo.bar/file" does not cause this bug to occur.

The above FTP URL causes a memory access violation to occur within HTChannel_deleteAll() when I attempt cleanup via HTProfile_delete().

Here's what I think is happening:

1) HTHost_deleteAll() deletes all hosts. Once each host is deleted, the Windows debug C runtime fills the memory formerly occupied by the deleted host instances with 0xfeeefeee for just such occasions where future code might accidentally refer to deleted hosts.

2) After HTHost_deleteAll() is called, HTChannel_deleteAll() is called and when free_channel() attempts to close the input stream, the illegal memory violation occurs. This appears to be because the host referenced by the channel has already been deleted, so the channel points to a host filled with garbage (the 0xfeeefeee values).

3) HTHost_getReadNet() then uses the host's pipeline member (which is a pointer to 0xfeeefeee, aka bad memory), so HTList_firstObject() causes an invalid memory reference when it attempts to dereference 0xfeeefeee (host->pipeline).

For me, the bandaid solution was to modify the implementation of HTHost_getReadNet() with this ugly hack:

    PUBLIC HTNet * HTHost_getReadNet(HTHost * host)
    {
    #ifdef WIN32
        /* !!!yikes!!! */
        /* host may be NULL; check it before reading host->pipeline */
        if (host && IsBadReadPtr(host->pipeline, 1))
            return NULL;
    #endif
        return host ? (HTNet *) HTList_firstObject(host->pipeline) : NULL;
    }

This appears to solve the problem as it prevents the dereferencing of an invalid (already freed) pointer.

However, if this is a legitimate bug, I leave it to someone with a more intimate knowledge of the libwww source code to fix the root cause (i.e., why is channel_free() attempting to reference host structure instances that have already been deleted?).

Anyone please correct me for any inaccuracies I've portrayed in the above.

Cheers,
--Steven Gray
sgray004 @ hotmail.com

Received on Thursday, 17 October 2002 18:59:32 UTC
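
The teardown order described in the message (hosts freed before the channels that still point at them) can be made safe at the root by having the host clear every back-reference before its memory is released, rather than probing pointers afterwards; Microsoft documents IsBadReadPtr as obsolete, and freed heap memory is often still readable outside a debug runtime. The following is an added example, not libwww code and not part of the original post; `Host`, `Channel` and all function names are hypothetical stand-ins.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for a host and the channels that refer to it. */
typedef struct Channel Channel;
typedef struct Host {
    void    *pipeline;   /* what a channel asks its host for */
    Channel *channels;   /* every channel whose ->host is this host */
} Host;
struct Channel {
    Host    *host;       /* back-reference; must never outlive the host */
    Channel *next;       /* next channel registered on the same host */
};

Host *host_new(void) { return calloc(1, sizeof(Host)); }

Channel *channel_new(Host *h) {
    Channel *c = calloc(1, sizeof(Channel));
    if (c && h) { c->host = h; c->next = h->channels; h->channels = c; }
    return c;
}

/* Clear every back-reference before the host memory is released. */
void host_delete(Host *h) {
    if (!h) return;
    while (h->channels) {
        Channel *c = h->channels;
        h->channels = c->next;
        c->host = NULL;
        c->next = NULL;
    }
    free(h);
}

/* NULL when the channel has no live host, instead of reading freed memory. */
void *channel_read_net(const Channel *c) {
    return (c && c->host) ? c->host->pipeline : NULL;
}

/* Returns 1 if the channel was still attached to a live host, 0 if not. */
int channel_delete(Channel *c) {
    if (!c) return 0;
    int attached = (c->host != NULL);
    if (attached) {                       /* unlink so the host drops us */
        Channel **pp = &c->host->channels;
        while (*pp && *pp != c) pp = &(*pp)->next;
        if (*pp) *pp = c->next;
    }
    free(c);
    return attached;
}
```

With this ownership rule either deletion order is valid: deleting hosts first leaves channels detached, and deleting channels first removes them from the host's list.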