Hercules is a collaborative software development project revolving around the creation of a robust massively multiplayer online role playing game (MMORPG) server package. Written in C, the program is very versatile and provides NPCs, warps and modifications. The project is jointly managed by a group of volunteers located around the world as well as a tremendous community providing QA and support. Hercules is a continuation of the original Athena project.
Describe the bug
With ./configure --enable-manager=no --enable-sanitize=full --enable-epoll, job changing -> @reloadpcdb (and vice versa) crashes the server.
To Reproduce
Steps to reproduce the behavior:
1. Create character
2. Select newly created character
3. Enter command @job 4062
4. Enter command @reloadpcdb
5. See error
Expected behavior
Able to job change and @reloadpcdb (and vice versa) without the server crashing.
System specs (please complete the following information):
OS: CentOS 8 x64
Hercules Version v2020.07.26
Mode: Renewal
Packet version: 20180418
Client type: RE
ASan output:
=================================================================
==3364884==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200002cf50 at pc 0x000000c9cb04 bp 0x7ffc66e53650 sp 0x7ffc66e53640
READ of size 4 at 0x61200002cf50 thread T0
#0 0xc9cb03 in pc_maxbaselv /home/kei/Hercules/src/map/pc.c:7319
#1 0xca6335 in pc_jobchange /home/kei/Hercules/src/map/pc.c:9200
#2 0xca6335 in pc_jobchange /home/kei/Hercules/src/map/pc.c:9107
#3 0x4f6f9f in atcommand_jobchange /home/kei/Hercules/src/map/atcommand.c:1028
#4 0x5114ca in atcommand_exec /home/kei/Hercules/src/map/atcommand.c:10697
#5 0xcb7a31 in pc_process_chat_message /home/kei/Hercules/src/map/pc.c:12564
#6 0x7d7319 in clif_process_chat_message /home/kei/Hercules/src/map/clif.c:10475
#7 0x77edf3 in clif_parse_GlobalMessage /home/kei/Hercules/src/map/clif.c:11593
#8 0x75538c in clif_parse /home/kei/Hercules/src/map/clif.c:24314
#9 0x1372784 in do_sockets /home/kei/Hercules/src/common/socket.c:1073
#10 0x41abd1 in main /home/kei/Hercules/src/common/core.c:539
#11 0x7f7b118f56a2 in __libc_start_main (/lib64/libc.so.6+0x236a2)
#12 0x41c09d in _start (/home/kei/Hercules/map-server+0x41c09d)
0x61200002cf50 is located 144 bytes inside of 280-byte region [0x61200002cec0,0x61200002cfd8)
freed by thread T0 here:
#0 0x7f7b142b47b0 in __interceptor_free (/lib64/libasan.so.5+0xef7b0)
#1 0xc2aed7 in pc_clear_exp_groups /home/kei/Hercules/src/map/pc.c:12711
#2 0xc6383e in pc_readdb /home/kei/Hercules/src/map/pc.c:11940
#3 0x450331 in atcommand_reloadpcdb /home/kei/Hercules/src/map/atcommand.c:3866
#4 0x5114ca in atcommand_exec /home/kei/Hercules/src/map/atcommand.c:10697
#5 0xcb7a31 in pc_process_chat_message /home/kei/Hercules/src/map/pc.c:12564
#6 0x7d7319 in clif_process_chat_message /home/kei/Hercules/src/map/clif.c:10475
#7 0x77edf3 in clif_parse_GlobalMessage /home/kei/Hercules/src/map/clif.c:11593
#8 0x75538c in clif_parse /home/kei/Hercules/src/map/clif.c:24314
#9 0x1372784 in do_sockets /home/kei/Hercules/src/common/socket.c:1073
#10 0x41abd1 in main /home/kei/Hercules/src/common/core.c:539
#11 0x7f7b118f56a2 in __libc_start_main (/lib64/libc.so.6+0x236a2)
previously allocated by thread T0 here:
#0 0x7f7b142b4fb8 in __interceptor_realloc (/lib64/libasan.so.5+0xeffb8)
#1 0x135f45e in aRealloc_ /home/kei/Hercules/src/common/memmgr.c:139
#2 0xc2cfb8 in pc_read_exp_db_sub_class /home/kei/Hercules/src/map/pc.c:11859
#3 0xcb71d4 in pc_read_exp_db_sub /home/kei/Hercules/src/map/pc.c:11878
#4 0xc23dbe in pc_read_exp_db /home/kei/Hercules/src/map/pc.c:11902
#5 0xc6387c in pc_readdb /home/kei/Hercules/src/map/pc.c:11941
#6 0xcce6a6 in do_init_pc /home/kei/Hercules/src/map/pc.c:12793
#7 0xcce6a6 in do_init_pc /home/kei/Hercules/src/map/pc.c:12784
#8 0xabaaeb in do_init /home/kei/Hercules/src/map/map.c:6777
#9 0x41aac7 in main /home/kei/Hercules/src/common/core.c:534
#10 0x7f7b118f56a2 in __libc_start_main (/lib64/libc.so.6+0x236a2)
SUMMARY: AddressSanitizer: heap-use-after-free /home/kei/Hercules/src/map/pc.c:7319 in pc_maxbaselv
Shadow bytes around the buggy address:
0x0c247fffd990: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c247fffd9a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fffd9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fffd9c0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c247fffd9d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fffd9e0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0c247fffd9f0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c247fffda00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fffda10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fffda20: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c247fffda30: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3364884==ABORTING
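The trace above shows the pattern behind the crash: pc_maxbaselv (pc.c:7319) reads an exp-group record that pc_clear_exp_groups freed while @reloadpcdb rebuilt the table, so a pointer resolved earlier for the character outlived the allocation it pointed into. The following C program is an added example, not Hercules code, of one defensive way to cache such a lookup across a reload: the session keeps the lookup key plus the table generation it was resolved in, and the cached pointer is only reused while the generation still matches, otherwise it is re-resolved by key. All names here (exp_table, exp_ref, generation, run_reload_scenario) and the level values are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical model of an exp-group table that a reload command rebuilds.
 * Not Hercules code; it only reproduces the shape of the hazard in the
 * report: reload frees the old records, so any raw pointer a session kept
 * into them becomes dangling. */
struct exp_group {
    char name[32];
    int max_level;
};

struct exp_table {
    struct exp_group *groups;
    size_t count;
    uint32_t generation;  /* bumped on every (re)load; stale handles compare unequal */
};

/* What a session stores instead of a raw `struct exp_group *`: the lookup
 * key plus the generation in which the cached pointer was resolved. */
struct exp_ref {
    char name[32];
    uint32_t generation;
    const struct exp_group *cached;  /* valid only while generation matches the table */
};

/* (Re)load the table from constructed data. Frees the previous block exactly
 * as a reload would, which is what invalidates every cached pointer. */
static void exp_table_load(struct exp_table *t, const char *const *names,
                           const int *levels, size_t n)
{
    free(t->groups);
    t->groups = calloc(n, sizeof *t->groups);
    if (t->groups == NULL) { perror("calloc"); exit(1); }
    for (size_t i = 0; i < n; i++) {
        snprintf(t->groups[i].name, sizeof t->groups[i].name, "%s", names[i]);
        t->groups[i].max_level = levels[i];
    }
    t->count = n;
    t->generation++;
}

static const struct exp_group *exp_table_find(const struct exp_table *t, const char *name)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->groups[i].name, name) == 0)
            return &t->groups[i];
    return NULL;
}

/* Resolve a reference. The cached pointer is reused only while the table
 * generation is unchanged; after a reload it is looked up again by name, so
 * the freed old block is never dereferenced. Returns NULL if the group is gone. */
static const struct exp_group *exp_ref_resolve(struct exp_ref *r, const struct exp_table *t)
{
    if (r->cached != NULL && r->generation == t->generation)
        return r->cached;
    r->cached = exp_table_find(t, r->name);
    r->generation = t->generation;
    return r->cached;
}

/* The equivalent of a "max base level" query done through the safe handle. */
static int exp_ref_max_level(struct exp_ref *r, const struct exp_table *t, int fallback)
{
    const struct exp_group *g = exp_ref_resolve(r, t);
    return g != NULL ? g->max_level : fallback;
}

/* Walk the report's sequence on the model: load, query, reload, query again.
 * With a raw cached pointer the second query would read freed memory; with the
 * generation-checked handle it re-resolves and returns the new value (200 in
 * the constructed data). Returns -1 if either query fails. */
static int run_reload_scenario(void)
{
    struct exp_table t = {0};
    const char *const before[] = {"normal", "third"};   /* constructed sample data */
    const int before_lv[] = {99, 175};
    const char *const after[] = {"third", "normal"};    /* reordered and changed on reload */
    const int after_lv[] = {200, 99};
    struct exp_ref ref = {"third", 0, NULL};
    int first, second;

    exp_table_load(&t, before, before_lv, 2);
    first = exp_ref_max_level(&ref, &t, -1);   /* 175, resolved fresh */
    exp_table_load(&t, after, after_lv, 2);    /* frees the block `ref.cached` points into */
    second = exp_ref_max_level(&ref, &t, -1);  /* 200, re-resolved, no use-after-free */
    free(t.groups);
    return first == 175 ? second : -1;
}

int main(void)
{
    printf("max level after reload: %d\n", run_reload_scenario());
    return 0;
}
```

Building this with -fsanitize=address, as the report's configure flags do for the server, is the quick check that the reload path no longer touches freed memory; the same generation check also covers the opposite order in the report (reload first, then job change), since any query after a reload re-resolves.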