bug-grub

[bug #37292] http module 'double free's, breaks malloc and can cause SYN


From: Philip
Subject: [bug #37292] http module 'double free's, breaks malloc and can cause SYN-ACK errors
Date: Fri, 07 Sep 2012 08:52:33 +0000
User-agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

URL:
  <http://savannah.gnu.org/bugs/?37292>

                 Summary: http module 'double free's, breaks malloc and can
cause SYN-ACK errors
                 Project: GNU GRUB
            Submitted by: philip007
            Submitted on: Fri 07 Sep 2012 08:52:32 AM GMT
                Category: Network
                Severity: Major
                Priority: 5 - Normal
              Item Group: Software Error
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: Bazaar - trunk
         Reproducibility: Every Time
         Planned Release: None

    _______________________________________________________

Details:

Running on grub-trunk rev 4574.
Attempting to: PXE boot GRUB to boot various OSes over NFS. I need
load_env/save_env to access the environment between boots on diskless systems.
Problem: save_env can only store to disk.
Workaround: use the (http) module and script my way out of it server-side.

Bug report: the http module "double frees" or reports "alloc magic is broken" on
"cat" and "load_env".

How to set up:
PXE boot blobs constructed by grub-mknetdir. No grub.cfg config file is in
use. Needs tftp and http and a working network.
How to reproduce:
Power on the client: it will tftp core.0, some modules and *.lst files.

In client console enter:
grub> insmod http
grub> cat (http)/somefilewhichexist

3/5 times the result is "Double Free at 0x1ffd8b60".
1/5 times the result is "Alloc magic is broken at 0x1ffd65d0".
1/5 times the result is "error: connection timeout".

cat always dumps the file output (except in the last case), so I suspect the
double free bug lies in the termination/closure of the http connection/module.

The last error occurs because the http module always uses src port 21550. If
httpd has not yet terminated its socket, an ACK on the sequence number from the
last cycle is re-sent. This causes the http module to time out, as no valid
SYN-ACK is received. I suggest randomizing the source port number.

Attached is a pcap file with two cycles. The first cycle resulted in a "Double
free", the second cycle in the "connection timeout" case.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Fri 07 Sep 2012 08:52:32 AM GMT  Name: 50.pcap  Size: 459kB   By: philip007

<http://savannah.gnu.org/bugs/download.php?file_id=26491>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?37292>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
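The connection-timeout diagnosis in the report (a fixed client source port reused while the server still holds the previous connection, so the new SYN is answered with a bare ACK for the old sequence space rather than a SYN-ACK) can be checked mechanically against a capture. The script below is an added example, not GRUB code and not from the reporter: it carries a minimal classic-pcap reader so it can be pointed at a real capture such as the attached 50.pcap, a classifier that labels every client SYN by the server's first reply on the same 4-tuple, and a source-port chooser of the kind the reporter suggests. The host addresses, sequence numbers and the SAMPLE packet list are constructed to mirror the two cycles described and are not taken from the attachment.

```python
"""Check a capture for the symptom reported above: a fixed client source
port (21550) reused while the server still holds the previous connection,
so the new SYN is answered with a bare ACK instead of a SYN-ACK.

Added example, not GRUB code.  SAMPLE is constructed to mirror the two
cycles described; read_pcap() lets the same check run on a real capture
(classic pcap, Ethernet/IPv4/TCP only).  Hosts and sequence numbers are
made up.
"""
import secrets
import struct
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack")
SYN, ACK = 0x02, 0x10


def read_pcap(path):
    """Minimal classic-pcap reader; returns a list of Pkt for TCP-over-IPv4 frames."""
    pkts = []
    with open(path, "rb") as f:
        endian = "<" if f.read(4) == b"\xd4\xc3\xb2\xa1" else ">"
        f.read(20)                                   # rest of global header
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            incl_len = struct.unpack(endian + "IIII", rec)[2]
            frame = f.read(incl_len)
            if len(frame) < 34 or frame[12:14] != b"\x08\x00":
                continue                             # not IPv4
            ihl = (frame[14] & 0x0F) * 4
            ip = frame[14:14 + ihl]
            tcp = frame[14 + ihl:]
            if ip[9] != 6 or len(tcp) < 14:
                continue                             # not TCP
            sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
            pkts.append(Pkt(".".join(map(str, ip[12:16])), sport,
                            ".".join(map(str, ip[16:20])), dport,
                            off_flags & 0x1FF, seq, ack))
    return pkts


def classify_syns(pkts):
    """For every client SYN, classify the server's first reply on the same
    4-tuple.  A reply carrying ACK but not SYN, acknowledging something other
    than this SYN's seq+1, means the server still has a socket for the
    4-tuple and is acknowledging the *old* sequence space (RFC 793 behaviour
    for a SYN arriving on an existing connection); the client's handshake
    then times out.  Returns a list of (sport, seq, verdict)."""
    out = []
    for i, p in enumerate(pkts):
        if not (p.flags & SYN) or p.flags & ACK:
            continue
        reply = next((q for q in pkts[i + 1:]
                      if (q.src, q.sport, q.dst, q.dport)
                      == (p.dst, p.dport, p.src, p.sport)), None)
        if reply is None:
            verdict = "no-reply"
        elif reply.flags & SYN:
            verdict = "syn-ack"
        elif reply.ack != p.seq + 1:
            verdict = "stale-ack"                    # ACK for a previous connection
        else:
            verdict = "ack-without-syn"
        out.append((p.sport, p.seq, verdict))
    return out


def choose_source_port(recently_used, rng=secrets.SystemRandom()):
    """Pick a random ephemeral port (IANA dynamic range 49152-65535) that is
    not in `recently_used`, so consecutive connections to the same server do
    not share a 4-tuple; the alternative to a hard-coded port 21550."""
    free = [p for p in range(49152, 65536) if p not in recently_used]
    if not free:
        raise RuntimeError("no ephemeral port available")
    return rng.choice(free)


C, S = "10.0.0.2", "10.0.0.1"           # constructed client / HTTP server
SAMPLE = [
    # cycle 1: normal handshake on the fixed port
    Pkt(C, 21550, S, 80, SYN, 1000, 0),
    Pkt(S, 80, C, 21550, SYN | ACK, 5000, 1001),
    Pkt(C, 21550, S, 80, ACK, 1001, 5001),
    # cycle 2: same 4-tuple, new ISN; server still holds the old socket and
    # re-sends an ACK for the old sequence space instead of SYN-ACK
    Pkt(C, 21550, S, 80, SYN, 2000, 0),
    Pkt(S, 80, C, 21550, ACK, 5001, 1001),
    Pkt(C, 21550, S, 80, SYN, 2000, 0),   # client retransmits the SYN
    Pkt(S, 80, C, 21550, ACK, 5001, 1001),
]

if __name__ == "__main__":
    for sport, seq, verdict in classify_syns(SAMPLE):
        print(f"SYN from port {sport} seq={seq}: {verdict}")
    print("next port:", choose_source_port({21550}))
```

To run it against the real attachment, replace SAMPLE with `read_pcap("50.pcap")`; a run of "stale-ack" verdicts on port 21550 after one good "syn-ack" is the signature the reporter describes. The port chooser keeps a caller-supplied set of recently used ports so that a port is not reused while the peer may still hold the old connection; it does not by itself avoid the separate double-free problem, which the report places in the http module's connection teardown.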