Description
As of 1.1.0, a double-free may occur during cleanup of an RDP connection if RemoteApp was used:
guacd[6]: INFO: Guacamole proxy daemon (guacd) version 1.1.0 started
guacd[6]: INFO: Listening on host 0.0.0.0, port 4822
guacd[6]: INFO: Creating new client for protocol "rdp"
guacd[6]: INFO: Connection ID is "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6"
guacd[254]: INFO: Security mode: NLA
guacd[254]: INFO: Resize method: none
guacd[254]: INFO: User "@c2acad05-7635-4de6-8741-661c65cce4a0" joined connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" (1 users now present)
guacd[254]: INFO: Loading keymap "base"
guacd[254]: INFO: Loading keymap "en-us-qwerty"
guacd[254]: INFO: Connected to RDPDR 1.13 as client 0x0008
guacd[254]: INFO: Connected to RDPDR 1.13 as client 0x0007
guacd[254]: INFO: RDPDR user logged on
guacd[254]: INFO: RDP server closed connection: Manually disconnected.
guacd[254]: INFO: User "@c2acad05-7635-4de6-8741-661c65cce4a0" disconnected (0 users remain)
guacd[254]: INFO: Last user of connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" disconnected
guacd[254]: INFO: Internal RDP client disconnected
double free or corruption (fasttop)
guacd[6]: INFO: Connection "$c97abf6d-0ed5-4be2-bec7-c0be3fcd9ac6" removed.
The double-free occurs within guac_rdp_settings_free():
Thread 2.15 "guacd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fbcfbfff700 (LWP 556)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
...
#5  0x00007fbd005a60bd in guac_rdp_settings_free (settings=0x7fbcf400d200) at settings.c:1018
#6  0x00007fbd005a056d in guac_rdp_client_free_handler (client=<optimized out>) at client.c:179
#7  0x00007fbd029f5442 in guac_client_free (client=0x7fbcfc00b2f0) at client.c:195
#8  0x000055b87847e5c5 in guacd_client_free_thread (data=0x7fbd00dcac40) at proc.c:219
#9  0x00007fbd02606fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#10 0x00007fbd01f434cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb)
The relevant line is where settings->remote_app is being freed:
/* Free settings strings */
...
free(settings->remote_app);       // <--- Line 1018
free(settings->remote_app_args);
free(settings->remote_app_dir);
It appears that the RAIL channel implementation within FreeRDP 2.0.0 now automatically frees these strings, resulting in a double-free when we attempt to do the same.
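The report describes a classic shared-ownership bug: two cleanup routines, one in guacd and one in the library, each believe they own the same heap strings. The following C program is an added illustration and is not code from guacamole-server or FreeRDP. It uses hypothetical `app_settings` and `rail_settings` structures (field names modelled on the ones in the report, but not the real definitions) to show the aliasing pattern that produces the double-free, an ownership check that detects it, and the two usual remedies: give the library its own `strdup()` copies, or move the pointers and clear the source so the caller's later `free()` is a no-op. Which remedy the actual fix used is not stated on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two structures involved. Field names are
 * modelled on guac_rdp_settings and FreeRDP's rdpSettings but these are not
 * the real definitions. */
typedef struct {
    char *remote_app;
    char *remote_app_args;
    char *remote_app_dir;
} app_settings;

typedef struct {
    char *RemoteApplicationProgram;
    char *RemoteApplicationCmdLine;
    char *RemoteApplicationWorkingDir;
} rail_settings;

/* Library-side cleanup: frees every string the library holds. Models the
 * behaviour the report attributes to the FreeRDP 2.0 RAIL channel. */
static void rail_settings_free(rail_settings *r) {
    free(r->RemoteApplicationProgram);
    free(r->RemoteApplicationCmdLine);
    free(r->RemoteApplicationWorkingDir);
    memset(r, 0, sizeof *r);
}

/* Caller-side cleanup, the counterpart of the free() calls at settings.c:1018. */
static void app_settings_free_strings(app_settings *a) {
    free(a->remote_app);
    free(a->remote_app_args);
    free(a->remote_app_dir);
    memset(a, 0, sizeof *a);
}

/* Buggy pattern: both structures point at the same heap blocks, so running
 * both cleanups frees each block twice (glibc aborts with "double free or
 * corruption"). */
static void push_settings_aliasing(app_settings *a, rail_settings *r) {
    r->RemoteApplicationProgram    = a->remote_app;
    r->RemoteApplicationCmdLine    = a->remote_app_args;
    r->RemoteApplicationWorkingDir = a->remote_app_dir;
}

/* Safe pattern 1: hand the library its own copies; each side frees only what
 * it allocated. Returns 0 on success, -1 on allocation failure. */
static int push_settings_copy(const app_settings *a, rail_settings *r) {
    r->RemoteApplicationProgram    = a->remote_app      ? strdup(a->remote_app)      : NULL;
    r->RemoteApplicationCmdLine    = a->remote_app_args ? strdup(a->remote_app_args) : NULL;
    r->RemoteApplicationWorkingDir = a->remote_app_dir  ? strdup(a->remote_app_dir)  : NULL;
    if ((a->remote_app      && !r->RemoteApplicationProgram) ||
        (a->remote_app_args && !r->RemoteApplicationCmdLine) ||
        (a->remote_app_dir  && !r->RemoteApplicationWorkingDir)) {
        rail_settings_free(r);
        return -1;
    }
    return 0;
}

/* Safe pattern 2: move ownership and clear the source, so the caller's later
 * free() runs on NULL, which is a no-op. */
static void push_settings_move(app_settings *a, rail_settings *r) {
    r->RemoteApplicationProgram    = a->remote_app;      a->remote_app      = NULL;
    r->RemoteApplicationCmdLine    = a->remote_app_args; a->remote_app_args = NULL;
    r->RemoteApplicationWorkingDir = a->remote_app_dir;  a->remote_app_dir  = NULL;
}

/* Ownership check: non-zero if the two structures share any heap pointer,
 * i.e. running both cleanups would double-free. */
static int shares_ownership(const app_settings *a, const rail_settings *r) {
    return (a->remote_app      && a->remote_app      == r->RemoteApplicationProgram)
        || (a->remote_app_args && a->remote_app_args == r->RemoteApplicationCmdLine)
        || (a->remote_app_dir  && a->remote_app_dir  == r->RemoteApplicationWorkingDir);
}

/* Constructed sample RemoteApp settings; the values are made up for the demo. */
static app_settings make_settings(void) {
    app_settings a;
    a.remote_app      = strdup("||notepad");
    a.remote_app_args = strdup("C:\\notes.txt");
    a.remote_app_dir  = strdup("C:\\Users\\demo");
    return a;
}

/* Returns 1 if the aliasing pattern is detected. Cleans up by letting the
 * library side own the blocks: with the caller's pointers cleared, each block
 * is freed exactly once. */
int demo_aliasing(void) {
    app_settings a = make_settings();
    rail_settings r = {0};
    push_settings_aliasing(&a, &r);
    int aliased = shares_ownership(&a, &r);
    memset(&a, 0, sizeof a);       /* drop the caller's references before freeing */
    rail_settings_free(&r);
    app_settings_free_strings(&a); /* all NULL now: free(NULL) is a no-op */
    return aliased;
}

/* Returns 1 if copying leaves the sides with distinct but equal strings and
 * both cleanups complete. */
int demo_copy(void) {
    app_settings a = make_settings();
    rail_settings r = {0};
    if (push_settings_copy(&a, &r) != 0) { app_settings_free_strings(&a); return 0; }
    int ok = !shares_ownership(&a, &r)
          && strcmp(a.remote_app, r.RemoteApplicationProgram) == 0;
    rail_settings_free(&r);
    app_settings_free_strings(&a);
    return ok;
}

/* Returns 1 if moving clears the source and the library side holds the
 * strings; both cleanups then complete. */
int demo_move(void) {
    app_settings a = make_settings();
    rail_settings r = {0};
    push_settings_move(&a, &r);
    int ok = !shares_ownership(&a, &r)
          && a.remote_app == NULL && a.remote_app_args == NULL && a.remote_app_dir == NULL
          && strcmp(r.RemoteApplicationProgram, "||notepad") == 0;
    rail_settings_free(&r);
    app_settings_free_strings(&a);
    return ok;
}
```

Build with `cc -fsanitize=address` (or run under valgrind) to see the abort for yourself: call `rail_settings_free()` and `app_settings_free_strings()` after `push_settings_aliasing()` without the intervening `memset()`, and AddressSanitizer reports the second `free()` on each block with both allocation and first-free stacks, which is far easier to triage than glibc's "double free or corruption (fasttop)". The `shares_ownership()` check is the kind of assertion worth keeping in a debug build at the boundary where settings are handed to a library whose cleanup behaviour changed between versions.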
Issue Links
- is caused by GUACAMOLE-249 Update RDP plugin support to 2.0.0 releases (Resolved)