EQEmu / Server

Open Source Fan-Based EverQuest Emulator Server project
https://docs.eqemu.io/
GNU General Public License v3.0

lua crafted packets crash when logsys is dumping packets #2680

Open xackery opened 1 year ago

xackery commented 1 year ago

Seems to be on build a590ea1d52b97c8d2274471aeb4c24b80fb5a8f3

Crash Report | Server [EverQuest Party] File [crash_soldungb_version_0_inst_id_0_port_7003_11304.log]  Chunk [1]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007fc06f715207 in __GI___wait4 (pid=23363, stat_loc=stat_loc@entry=0x0, options=options@entry=0, usage=usage@entry=0x0) at ../sysdeps/unix/sysv/linux/wait4.c:27
[Current thread is 1 (Thread 0x7fc06f5ebb00 (LWP 11304))]
#0  0x00007fc06f715207 in __GI___wait4 (pid=23363, stat_loc=stat_loc@entry=0x0, options=options@entry=0, usage=usage@entry=0x0) at ../sysdeps/unix/sysv/linux/wait4.c:27
#1  0x00007fc06f715187 in __GI___waitpid (pid=<optimized out>, stat_loc=stat_loc@entry=0x0, options=options@entry=0) at waitpid.c:38
#2  0x000055e9995e1788 in print_trace () at /home/eqemu/code/common/crash.cpp:180
#3  <signal handler called>
#4  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#5  0x000055e99905157a in fmt::v9::basic_string_view<char>::basic_string_view (s=0x9 <error: Cannot access memory at address 0x9>, this=<optimized out>) at /home/eqemu/code/submodules/fmt/include/fmt/core.h:356
#6  fmt::v9::detail::write<char, fmt::v9::appender> (out=..., value=0x9 <error: Cannot access memory at address 0x9>) at /home/eqemu/code/submodules/fmt/include/fmt/format.h:3324
#7  0x000055e99905ddfa in fmt::v9::detail::default_arg_formatter<char>::operator()<char const*> (value=<optimized out>, this=0x7ffea0161ba0) at /home/eqemu/code/submodules/fmt/include/fmt/format.h:3373
#8  fmt::v9::visit_format_arg<fmt::v9::detail::default_arg_formatter<char>, fmt::v9::basic_format_context<fmt::v9::appender, char> > (arg=..., vis=...) at /home/eqemu/code/submodules/fmt/include/fmt/core.h:1651
#9  fmt::v9::detail::vformat_to<char>(fmt::v9::detail::buffer<char>&, fmt::v9::basic_string_view<char>, fmt::v9::basic_format_args<fmt::v9::basic_format_context<std::conditional<std::is_same<fmt::v9::type_identity<char>::type, char>::value, fmt::v9::appender, std::back_insert_iterator<fmt::v9::detail::buffer<fmt::v9::type_identity<char>::type> > >::type, fmt::v9::type_identity<char>::type> >, fmt::v9::detail::locale_ref)::format_handler::on_replacement_field(int, char const*) (id=<optimized out>, this=0x7ffea0161c90) at /home/eqemu/code/submodules/fmt/include/fmt/format.h:4110
#10 fmt::v9::detail::parse_replacement_field<char, fmt::v9::detail::vformat_to<char>(fmt::v9::detail::buffer<char>&, fmt::v9::basic_string_view<char>, fmt::v9::basic_format_args<fmt::v9::basic_format_context<std::conditional<std::is_same<fmt::v9::type_identity<char>::type, char>::value, fmt::v9::appender, std::back_insert_iterator<fmt::v9::detail::buffer<fmt::v9::type_identity<char>::type> > >::type, fmt::v9::type_identity<char>::type> >, fmt::v9::detail::locale_ref)::format_handler&>(char const*, char const*, fmt::v9::detail::vformat_to<char>(fmt::v9::detail::buffer<char>&, fmt::v9::basic_string_view<char>, fmt::v9::basic_format_args<fmt::v9::basic_format_context<std::conditional<std::is_same<fmt::v9::type_identity<char>::type, char>::value, fmt::v9::appender, std::back_insert_iterator<fmt::v9::detail::buffer<fmt::v9::type_identity<char>::type> > >::type, fmt::v9::type_identity<char>::type> >, fmt::v9::detail::locale_ref)::format_handler&) (begin=0x55e99981cd95 "}] [{:#06x}] Size [{}] {}", end=<optimized out>, handler=...) at /home/eqemu/code/submodules/fmt/include/fmt/core.h:2653
#11 0x000055e99906517e in fmt::v9::detail::parse_format_string<false, char, fmt::v9::detail::vformat_to<char>(fmt::v9::detail::buffer<char>&, fmt::v9::basic_string_view<char>, fmt::v9::basic_format_args<fmt::v9::basic_format_context<std::conditional<std::is_same<fmt::v9::type_identity<char>::type, char>::value, fmt::v9::appender, std::back_insert_iterator<fmt::v9::detail::buffer<fmt::v9::type_identity<char>::type> > >::type, fmt::v9::type_identity<char>::type> >, fmt::v9::detail::locale_ref)::format_handler>(fmt::v9::basic_string_view<char>, fmt::v9::detail::vformat_to<char>(fmt::v9::detail::buffer<char>&, fmt::v9::basic_string_view<char>, fmt::v9::basic_format_args<fmt::v9::basic_format_context<std::conditional<std::is_same<fmt::v9::type_identity<char>::type, char>::value, fmt::v9::appender, std::back_insert_iterator<fmt::v9::detail::buffer<fmt::v9::type_identity<char>::type> > >::type, fmt::v9::type_identity<char>::type> >, fmt::v9::detail::locale_ref)::format_handler&&) (handler=..., format_str=...) at /home/eqemu/code/submodules/fmt/include/fmt/core.h:2688
#12 fmt::v9::detail::vformat_to<char> (buf=..., fmt=..., args=..., loc=...) at /home/eqemu/code/submodules/fmt/include/fmt/format.h:4136
#13 0x000055e9997f4d39 in fmt::v9::vformat[abi:cxx11](fmt::v9::basic_string_view<char>, fmt::v9::basic_format_args<fmt::v9::basic_format_context<fmt::v9::appender, char> >) (fmt=..., args=...) at /home/eqemu/code/submodules/fmt/include/fmt/core.h:1715
#14 0x000055e9996c727c in fmt::v9::format<char const*, unsigned short, unsigned int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > (fmt=...) at /home/eqemu/code/submodules/fmt/include/fmt/core.h:1982
#15 EQ::Net::EQStream::QueuePacket (this=0x55e99b270720, p=0x55e99ae1d430, ack_req=<optimized out>) at /home/eqemu/code/common/net/eqstream.cpp:69
#16 0x000055e9996c4fa0 in EQ::Net::EQStream::FastQueuePacket (this=<optimized out>, p=0x7ffea0162258, ack_req=<optimized out>) at /home/eqemu/code/common/net/eqstream.cpp:109
#17 0x000055e9996a9826 in StructStrategy::PassEncoder (ack_req=<optimized out>, dest=..., p=<optimized out>) at /home/eqemu/code/common/struct_strategy.cpp:55
#18 StructStrategy::Encode (this=<optimized out>, p=<optimized out>, dest=std::shared_ptr<EQStreamInterface> (use count 4, weak count 0) = {...}, ack_req=<optimized out>) at /home/eqemu/code/common/struct_strategy.cpp:24
#19 0x000055e99962f053 in EQStreamProxy::FastQueuePacket (this=<optimized out>, p=<optimized out>, ack_req=<optimized out>) at /home/eqemu/code/common/eq_stream_proxy.cpp:52
#20 0x000055e99962e2f0 in EQStreamProxy::QueuePacket (this=0x55e99adf2700, p=<optimized out>, ack_req=<optimized out>) at /home/eqemu/code/common/eq_stream_proxy.cpp:46
#21 0x000055e9990ecaf7 in luabind::detail::invoke_member<void (Lua_Client::*)(Lua_Packet), boost::mpl::vector3<void, Lua_Client&, Lua_Packet>, luabind::detail::null_type> (L=0x55e99ada0240, self=..., ctx=..., f=@0x55e99b285798: (void (Lua_Client::*)(Lua_Client * const, Lua_Packet)) 0x55e9990ad770 <Lua_Client::QueuePacket(Lua_Packet)>) at /home/eqemu/code/libs/luabind/luabind/detail/call.hpp:287
#22 0x000055e9990ec70c in luabind::detail::invoke_member<void (Lua_Client::*)(Lua_Packet, bool), boost::mpl::vector4<void, Lua_Client&, Lua_Packet, bool>, luabind::detail::null_type> (L=0x55e99ada0240, self=..., ctx=..., f=@0x55e99b2858c8: (void (Lua_Client::*)(Lua_Client * const, Lua_Packet, bool)) 0x55e9990ad7a0 <Lua_Client::QueuePacket(Lua_Packet, bool)>) at /home/eqemu/code/libs/luabind/luabind/detail/call.hpp:277
#23 0x000055e9990ec35c in luabind::detail::invoke_member<void (Lua_Client::*)(Lua_Packet, bool, int), boost::mpl::vector5<void, Lua_Client&, Lua_Packet, bool, int>, luabind::detail::null_type> (L=0x55e99ada0240, self=..., ctx=..., f=@0x55e99b2859c8: (void (Lua_Client::*)(Lua_Client * const, Lua_Packet, bool, int)) 0x55e9990ad7d0 <Lua_Client::QueuePacket(Lua_Packet, bool, int)>) at /home/eqemu/code/libs/luabind/luabind/detail/call.hpp:277
#24 0x000055e9990ebf8c in luabind::detail::invoke_member<void (Lua_Client::*)(Lua_Packet, bool, int, int), boost::mpl::vector6<void, Lua_Client&, Lua_Packet, bool, int, int>, luabind::detail::null_type> (L=L@entry=0x55e99ada0240, self=..., ctx=..., f=@0x55e99b285ac8: (void (Lua_Client::*)(Lua_Client * const, Lua_Packet, bool, int, int)) 0x55e9990ad800 <Lua_Client::QueuePacket(Lua_Packet, bool, int, int)>) at /home/eqemu/code/libs/luabind/luabind/detail/call.hpp:277
#25 0x000055e9990ec295 in luabind::detail::invoke0<void (Lua_Client::*)(Lua_Packet, bool, int, int), boost::mpl::vector6<void, Lua_Client&, Lua_Packet, bool, int, int>, luabind::detail::null_type, boost::is_void<void> > (policies=..., f=@0x55e99b285ac8: (void (Lua_Client::*)(Lua_Client * const, Lua_Packet, bool, int, int)) 0x55e9990ad800 <Lua_Client::QueuePacket(Lua_Packet, bool, int, int)>, ctx=..., self=..., L=0x55e99ada0240) at /home/eqemu/code/libs/luabind/luabind/detail/call.hpp:75
#26 luabind::detail::invoke<void (Lua_Client::*)(Lua_Packet, bool, int, int), boost::mpl::vector6<void, Lua_Client&, Lua_Packet, bool, int, int>, luabind::detail::null_type> (policies=..., f=@0x55e99b285ac8: (void (Lua_Client::*)(Lua_Client * const, Lua_Packet, bool, int, int)) 0x55e9990ad800 <Lua_Client::QueuePacket(Lua_Packet, bool, int, int)>, ctx=..., self=..., L=0x55e99ada0240) at /home/eqemu/code/libs/luabind/luabind/detail/call.hpp:97
#27 luabind::detail::function_object_impl<void (Lua_Client::*)(Lua_Packet, bool, int, int), boost::mpl::vector6<void, Lua_Client&, Lua_Packet, bool, int, int>, luabind::detail::null_type>::entry_point (L=0x55e99ada0240) at /home/eqemu/code/libs/luabind/luabind/make_function.hpp:63
#28 0x00007fc0702ded69 in luaD_precall (L=L@entry=0x55e99ada0240, func=func@entry=0x55e99ada0500, nresults=nresults@entry=0) at ldo.c:320
#29 0x00007fc0702e9aed in luaV_execute (L=L@entry=0x55e99ada0240, nexeccalls=nexeccalls@entry=1) at lvm.c:591
#30 0x00007fc0702df2e5 in luaD_call (L=0x55e99ada0240, func=0x55e99ada04d0, nResults=<optimized out>) at ldo.c:378
#31 0x00007fc0702de62e in luaD_rawrunprotected (L=L@entry=0x55e99ada0240, f=f@entry=0x7fc0702d9d80 <f_call>, ud=ud@entry=0x7ffea01627a0) at ldo.c:116
#32 0x00007fc0702df47d in luaD_pcall (L=L@entry=0x55e99ada0240, func=func@entry=0x7fc0702d9d80 <f_call>, u=u@entry=0x7ffea01627a0, old_top=32, ef=<optimized out>) at ldo.c:464
#33 0x00007fc0702db148 in lua_pcall (L=0x55e99ada0240, nargs=nargs@entry=1, nresults=nresults@entry=1, errfunc=errfunc@entry=0) at lapi.c:821
#34 0x000055e9992a9911 in LuaParser::_EventNPC (this=0x55e999be44a0 <LuaParser::Instance()::inst>, package_name=..., evt=EVENT_SAY, npc=0x55e99b0d1040, init=0x55e99b29e7b0, data="Hail, a Wizard", extra_data=0, extra_pointers=0x0, l_func=0x0) at /home/eqemu/code/zone/lua_parser.cpp:388
#35 0x000055e9992a9d98 in LuaParser::EventNPC (this=0x55e999be44a0 <LuaParser::Instance()::inst>, evt=EVENT_SAY, npc=0x55e99b0d1040, init=0x55e99b29e7b0, data=..., extra_data=0, extra_pointers=0x0) at /home/eqemu/code/zone/lua_parser.cpp:339
#36 0x000055e9994b0ccd in QuestParserCollection::EventNPCLocal (this=<optimized out>, evt=EVENT_SAY, npc=0x55e99b0d1040, init=0x55e99b29e7b0, data=..., extra_data=0, extra_pointers=0x0) at /home/eqemu/code/zone/quest_parser_collection.cpp:327
#37 0x000055e9994b12d2 in QuestParserCollection::EventNPC (this=this@entry=0x55e99ad9fcc0, evt=evt@entry=EVENT_SAY, npc=npc@entry=0x55e99b0d1040, init=init@entry=0x55e99b29e7b0, data="Hail, a Wizard", extra_data=extra_data@entry=0, extra_pointers=0x0) at /home/eqemu/code/zone/quest_parser_collection.cpp:305
#38 0x000055e998da4657 in Client::ChannelMessageReceived (this=0x55e99b29e7b0, chan_num=<optimized out>, language=<optimized out>, lang_skill=<optimized out>, orig_message=<optimized out>, targetname=<optimized out>, is_silent=false) at /home/eqemu/code/zone/client.cpp:1211
#39 0x000055e998dd5468 in Client::Handle_OP_ChannelMessage (this=<optimized out>, app=0x55e99af76740) at /home/eqemu/code/zone/client_packet.cpp:4229
#40 0x000055e998e0bc06 in Client::HandlePacket (this=this@entry=0x55e99b29e7b0, app=app@entry=0x55e99af76740) at /home/eqemu/code/zone/client_packet.cpp:503
#41 0x000055e998e2aae3 in Client::Process (this=0x55e99b29e7b0) at /home/eqemu/code/zone/client_process.cpp:582
#42 0x000055e999037085 in EntityList::MobProcess (this=this@entry=0x55e999bfdec0 <entity_list>) at /home/eqemu/code/zone/entity.cpp:531
#43 0x000055e9992dbee0 in operator() (__closure=0x55e99b119e10, t=<optimized out>) at /home/eqemu/code/zone/main.cpp:571
#44 0x000055e9992dc5af in std::function<void (EQ::Timer*)>::operator()(EQ::Timer*) const (__args#0=<optimized out>, this=<optimized out>) at /usr/include/c++/10/bits/std_function.h:622
#45 EQ::Timer::Execute (this=<optimized out>) at /home/eqemu/code/zone/../common/net/../event/timer.h:61
#46 EQ::Timer::Start(unsigned long, bool)::{lambda(uv_timer_s*)#1}::operator()(uv_timer_s*) const (handle=<optimized out>, __closure=0x0) at /home/eqemu/code/zone/../common/net/../event/timer.h:38
#47 EQ::Timer::Start(unsigned long, bool)::{lambda(uv_timer_s*)#1}::_FUN(uv_timer_s*) () at /home/eqemu/code/zone/../common/net/../event/timer.h:39
#48 0x000055e9997dc10d in uv__run_timers (loop=loop@entry=0x7fc06f5eb7b0) at /home/eqemu/code/submodules/libuv/src/timer.c:178
#49 0x000055e9997df732 in uv_run (loop=0x7fc06f5eb7b0, mode=mode@entry=UV_RUN_DEFAULT) at /home/eqemu/code/submodules/libuv/src/unix/core.c:393
#50 0x000055e998d06ef6 in EQ::EventLoop::Run (this=<optimized out>) at /home/eqemu/code/zone/../common/net/../event/event_loop.h:25
#51 main (argc=<optimized out>, argv=<optimized out>) at /home/eqemu/code/zone/main.cpp:600
[Inferior 1 (process 11304) detached]
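The backtrace above dies in `strlen` under `fmt::format` with a `char const*` argument of `0x9`: fmt treats every `const char*` as a NUL-terminated string and reads from wherever it points, so the log line built at `eqstream.cpp:69` ("... [{:#06x}] Size [{}] {}") is only as safe as the pointer handed to its first placeholder. The following is an added example, not EQEmu code, of building that kind of packet-dump line so that a failed opcode-name lookup can never reach the formatter as a raw pointer. It assumes a line of the shape `[<name>] [0x<opcode>] Size [<n>] <hex dump>`, a constructed opcode table, and iostreams in place of fmt so it compiles without the fmt submodule.

```cpp
// Added example (not EQEmu code): a packet-dump log line of the shape the
// backtrace shows eqstream.cpp:69 producing, with the nullable opcode-name
// pointer converted to a std::string under a null check before formatting.
#include <cstddef>
#include <cstdint>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>
#include <unordered_map>
#include <vector>

// Constructed opcode table for this example only; the real names come from
// the server's opcode configuration, not from a hard-coded map.
static const std::unordered_map<uint16_t, const char*> kOpcodeNames = {
    {0x0001, "OP_ExampleHello"},
    {0x0002, "OP_ExampleGoodbye"},
};

// Returns nullptr on a miss. That nullptr is exactly what must never be passed
// straight into a "{}" placeholder: fmt (and strlen) will dereference it.
const char* LookupOpcodeName(uint16_t opcode) {
    auto it = kOpcodeNames.find(opcode);
    return it == kOpcodeNames.end() ? nullptr : it->second;
}

// Hex dump of the payload, the trailing "{}" of the format string.
std::string HexDump(const std::vector<uint8_t>& bytes) {
    std::ostringstream os;
    os << std::hex << std::setfill('0');
    for (size_t i = 0; i < bytes.size(); ++i) {
        if (i) os << ' ';
        os << std::setw(2) << static_cast<unsigned>(bytes[i]);
    }
    return os.str();
}

// Guarded formatter. It takes the opcode and does the lookup itself instead of
// accepting a caller-supplied const char*, so the only nullable pointer is
// checked here. Caveat: a non-null garbage pointer such as the 0x9 in the
// backtrace cannot be detected at this layer; that has to be fixed at the call
// site that handed an integer where a string pointer was expected.
std::string DescribePacket(uint16_t opcode, const std::vector<uint8_t>& payload) {
    const char* raw_name = LookupOpcodeName(opcode);
    std::string name = raw_name ? raw_name : "OP_Unknown";
    std::ostringstream os;
    os << '[' << name << "] [0x" << std::hex << std::setw(4) << std::setfill('0')
       << opcode << std::dec << "] Size [" << payload.size() << "] "
       << HexDump(payload);
    return os.str();
}

int main() {
    // Known opcode: name resolves normally.
    std::cout << DescribePacket(0x0001, {0xde, 0xad}) << '\n';
    // Unknown opcode (the raw-opcode case from the Lua reproducer): the
    // lookup misses and the placeholder name is used instead of a nullptr.
    std::cout << DescribePacket(0x0009, {0x09, 0x00}) << '\n';
    return 0;
}
```

The `{:#06x}` in the original format string renders the opcode as `0x0009`; the `0x` prefix plus four zero-padded hex digits above reproduces that width.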
xackery commented 1 year ago

Further investigation...

    local pack = Packet(outOpcode, 2, true)
    pack:SetRawOpcode(outOpcode)
    pack:WriteInt16(outOpcode)
    e.other:Say("Test1")
    e.other:QueuePacket(pack)
    e.other:Say("Test2")

setting the raw opcode makes the QueuePacket line report (attached image)

Akkadius commented 1 year ago

Are you able to dump the variables before they hit the logging function at line eqstream.cpp:69?