problems with invalid commands #3748

Closed
DorpsGek opened this issue Apr 10, 2010 · 6 comments
Labels
flyspray This issue is imported from FlySpray (https://bugs.openttd.org/)

Comments

@DorpsGek

SmatZ opened the ticket and wrote:

Attached file sends random commands when connected as client to network server. Server crashes in a few seconds.

There is a chance there will be a more recent version of the patch:
http://devs.openttd.org/~smatz/private/problem.diff

Known broken commands:
CmdSend*ToDepot
CmdMassStartStopVehicle
generally commands that need to build vehicle list

Example backtrace:
#3 0x00000000005cdb8d in Pool<Vehicle, unsigned short, 512ul, 64000ul, false, true>::Get (this=0xe77520, index=1958905846)
at /home/smatz/openttd/rev/src/ai/api/../../core/pool_type.hpp:53
__PRETTY_FUNCTION__ = "Titem* Pool<Titem, Tindex, Tgrowth_step, Tmax_size, Tcache, Tzero>::Get(size_t) [with Titem = Vehicle, Tindex = short unsigned int, long unsigned int Tgrowth_step = 512ul, long unsigned int Tmax_size "...
#4 0x00000000005cdb39 in Pool<Vehicle, unsigned short, 512ul, 64000ul, false, true>::PoolItem<&_vehicle_pool>::Get (index=1958905846)
at /home/smatz/openttd/rev/src/ai/api/../../core/pool_type.hpp:183
No locals.
#5 0x0000000000846f6f in GenerateVehicleSortList (list=0x7fffffffd700, type=VEH_AIRCRAFT, owner=OWNER_BEGIN, index=1958905846, window_type=256)
at /home/smatz/openttd/rev/src/vehiclelist.cpp:104
v = 0x86793f
#6 0x000000000083574c in SendAllVehiclesToDepot (type=VEH_AIRCRAFT, flags=DC_NONE, service=true, owner=OWNER_BEGIN, vlw_flag=256, id=1958905846)
at /home/smatz/openttd/rev/src/vehicle_cmd.cpp:593
list = {data = 0x0, items = 0, capacity = 0}
had_success = 255
#7 0x00000000005de3b2 in CmdSendAircraftToHangar (tile=56363, flags=DC_NONE, p1=1958905846, p2=3490025887, text=0x10f4518 "")
at /home/smatz/openttd/rev/src/aircraft_cmd.cpp:446
v = 0xe75330

NOTE: unprivate #3747 when this is done :) (ask Rubidium as it needs some DB messing)

Reported version: trunk
Operating system: All


This issue was imported from FlySpray: https://bugs.openttd.org/task/3748
@DorpsGek

SmatZ wrote:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000750b0f in RailBuildCost (railtype=3684920001) at /home/smatz/openttd/rev/src/rail.h:269
269 return (price[PR_BUILD_RAIL] * GetRailTypeInfo(railtype)->cost_multiplier) >> 3;
(gdb) bt full
#0 0x0000000000750b0f in RailBuildCost (railtype=3684920001) at /home/smatz/openttd/rev/src/rail.h:269
__PRETTY_FUNCTION__ = "Money RailBuildCost(RailType)"
#1 0x00000000007526d5 in CmdBuildSingleRail (tile=30124, flags=10, p1=3684920001, p2=2734781537, text=0x2aaab80d9a18 "")
at /home/smatz/openttd/rev/src/rail_cmd.cpp:488
railtype = 3684920001
track = 2734781537
trackbit = TRACK_BIT_Y
cost = {expense_type = EXPENSES_CONSTRUCTION, cost = {m_value = 2029}, message = 65535, success = true}
tileh = SLOPE_FLAT

This one should be easy to fix
The question is, when someone notices this being committed, what is the chance he will create a 1.0.0 server-killer? (supposing 1.0.0 is vulnerable too)


This comment was imported from FlySpray: https://bugs.openttd.org/task/3748#comment7826

@DorpsGek

SmatZ wrote:

#3 0x00000000005c0f5d in Pool<Engine, unsigned short, 64ul, 64000ul, false, true>::Get (this=0xe24540, index=2194473022)
at /home/smatz/openttd/rev/src/ai/api/../../core/pool_type.hpp:53
__PRETTY_FUNCTION__ = "Titem* Pool<Titem, Tindex, Tgrowth_step, Tmax_size, Tcache, Tzero>::Get(size_t) [with Titem = Engine, Tindex = short unsigned int, long unsigned int Tgrowth_step = 64ul, long unsigned int Tmax_size = "...
#4 0x00000000005c0edc in Pool<Engine, unsigned short, 64ul, 64000ul, false, true>::PoolItem<&_engine_pool>::Get (index=2194473022)
at /home/smatz/openttd/rev/src/ai/api/../../core/pool_type.hpp:183
No locals.
#5 0x0000000000817eb9 in CmdBuildRailVehicle (tile=7332, flags=DC_NONE, p1=2194473022, p2=4147400649, text=0x2aaab8022248 "")
at /home/smatz/openttd/rev/src/train_cmd.cpp:694
e = 0x0
rvi = 0xe1f8a0
value = {expense_type = 4294956864, cost = {m_value = 7298323}, message = 55200, success = 255}
num_vehicles = 32767
unit_num = 86

another one...


This comment was imported from FlySpray: https://bugs.openttd.org/task/3748#comment7827

@DorpsGek

SmatZ wrote:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007b8fda in AddTrackToSignalBuffer (tile=55462, track=2970097443, owner=OWNER_BEGIN) at /home/smatz/openttd/rev/src/signal.cpp:593
593 globset.Add(tile, search_dir_1[track]);
(gdb) bt full
#0 0x00000000007b8fda in AddTrackToSignalBuffer (tile=55462, track=2970097443, owner=OWNER_BEGIN) at /home/smatz/openttd/rev/src/signal.cpp:593
_search_dir_1 = {DIAGDIR_BEGIN, DIAGDIR_SE, DIAGDIR_BEGIN, DIAGDIR_SE, DIAGDIR_SW, DIAGDIR_SE}
_search_dir_2 = {DIAGDIR_SW, DIAGDIR_NW, DIAGDIR_NW, DIAGDIR_SW, DIAGDIR_NW, DIAGDIR_BEGIN}
__PRETTY_FUNCTION__ = "void AddTrackToSignalBuffer(TileIndex, Track, Owner)"
#1 0x0000000000752e25 in CmdRemoveSingleRail (tile=55462, flags=3, p1=2469135541, p2=2970097443, text=0x1435e98 "")
at /home/smatz/openttd/rev/src/rail_cmd.cpp:608
track = 2970097443
crossing = false
trackbit = TRACK_BIT_LOWER
owner = OWNER_BEGIN
__PRETTY_FUNCTION__ = "CommandCost CmdRemoveSingleRail(TileIndex, DoCommandFlag, uint32, uint32, const char*)"
cost = {expense_type = EXPENSES_CONSTRUCTION, cost = {m_value = -156}, message = 65535, success = true}
v = 0x0

another interesting one


This comment was imported from FlySpray: https://bugs.openttd.org/task/3748#comment7828

@DorpsGek

SmatZ wrote:

#2 0x00000000006fea90 in error (s=0x9e1890 "NOT_REACHED triggered at line %i of %s") at /home/smatz/openttd/rev/src/openttd.cpp:130
va = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fffffffd5f0, reg_save_area = 0x7fffffffd530}}
buf = "NOT_REACHED triggered at line 101 of /home/smatz/openttd/rev/src/vehicle_gui.h", '\000' <repeats 42 times>"\230, \323\377\377\377\177\000\000\260\323\377\377\377\177\000\000P,h\000\000\000\000\000:,h\000}\371\005\000\336\000\000\000~\001\000\000\360\323\377\377\377\177\000\000\036\061h\000\000\000\000\000\216\000\000\000\000\000\000\000\257{\003\000}\371\005\000\360\323\377\377\377\177\000\000\062\002\000\000\240", '\000' <repeats 11 times>"\240, \325\377\377\377\177\000\000@\324\377\377\377\177\000\000\310D\000\000\244\241\377\377.D\000\000\341\255\377\377\360p\023\001\000\000\000\000\060\324\377\377\377\177\000\000\341\255\377\377\000\000\000\000\030\000\000\000\000\000\000\000\020\337\377\377\377\177\000\000p\324\377\377\377\177"...
#3 0x0000000000701f77 in GetWindowClassForVehicleType (vt=VEH_EFFECT) at /home/smatz/openttd/rev/src/vehicle_gui.h:101
No locals.
#4 0x000000000070473c in DecloneOrder (dst=0x11f35f0, flags=DC_EXEC) at /home/smatz/openttd/rev/src/order_cmd.cpp:729
No locals.
#5 0x0000000000704831 in CmdDeleteOrder (tile=391923, flags=DC_EXEC, p1=2989424670, p2=869407495, text=0x1d3f048 "")
at /home/smatz/openttd/rev/src/order_cmd.cpp:757
ret = {expense_type = INVALID_EXPENSES, cost = {m_value = 0}, message = 65535, success = true}
__PRETTY_FUNCTION__ = "CommandCost CmdDeleteOrder(TileIndex, DoCommandFlag, uint32, uint32, const char*)"
veh_id = 30
sel_ord = 7 '\a'
order = 0x7fffffffd788
v = 0x11f35f0

from #3747


This comment was imported from FlySpray: https://bugs.openttd.org/task/3748#comment7835

@DorpsGek

SmatZ wrote:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000750d8a in HasPowerOnRail (enginetype=3541769954, tiletype=RAILTYPE_MAGLEV) at /home/smatz/openttd/rev/src/rail.h:258
258 return HasBit(GetRailTypeInfo(enginetype)->powered_railtypes, tiletype);
(gdb) bt full
#0 0x0000000000750d8a in HasPowerOnRail (enginetype=3541769954, tiletype=RAILTYPE_MAGLEV) at /home/smatz/openttd/rev/src/rail.h:258
No locals.
#1 0x0000000000750fd8 in RailConvertCost (from=RAILTYPE_MAGLEV, to=3541769954) at /home/smatz/openttd/rev/src/rail.h:309
No locals.
#2 0x0000000000755955 in CmdConvertRail (tile=95556, flags=DC_NONE, p1=73201, p2=3541769954, text=0x112ab18 " \310\350D?m\270I?L\207\253?\230\265")
at /home/smatz/openttd/rev/src/rail_cmd.cpp:1481
tile = 77130
tt = MP_RAILWAY
type = RAILTYPE_MAGLEV
ret = {expense_type = INVALID_EXPENSES, cost = {m_value = 0}, message = 65535, success = true}
vehicles_affected = {data = 0x0, items = 0, capacity = 0}
y = 75
x = 330
ey = 93
sy = 71
totype = 3541769954
ex = 497
sx = 324
cost = {expense_type = EXPENSES_CONSTRUCTION, cost = {m_value = 0}, message = 65535, success = true}
error = {expense_type = INVALID_EXPENSES, cost = {m_value = 0}, message = 2811, success = false}


This comment was imported from FlySpray: https://bugs.openttd.org/task/3748#comment7836
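Every backtrace in this ticket shows the same shape of bug: the server runs the command handler on tile/p1/p2 exactly as the client sent them (also in the DC_NONE cost-estimation pass, see the first and last traces), and the handler uses those values as an array index (`_search_dir_1[track]`), an enum (`GetRailTypeInfo(railtype)`) or a pool index (`Pool<Vehicle,...>::Get(1958905846)`) before anything checks their range. The NOT_REACHED in `GetWindowClassForVehicleType(VEH_EFFECT)` adds a second lesson: a pool slot that is in range and in use can still hold an object the command must never touch. The miniature below is an added example, not OpenTTD's code and not the fix that closed the ticket; the enums, the 8-slot pool, the 512x512 map, the validator names and the constructed pool contents are my assumptions chosen to mirror the values in the reports. It ends with an in-process fuzz loop that feeds the handlers random parameters the way the reporter's client did.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

typedef uint32_t TileIndex;
enum RailType : uint8_t { RAILTYPE_RAIL, RAILTYPE_ELECTRIC, RAILTYPE_MONO, RAILTYPE_MAGLEV, RAILTYPE_END };
enum Track : uint8_t { TRACK_X, TRACK_Y, TRACK_UPPER, TRACK_LOWER, TRACK_LEFT, TRACK_RIGHT, TRACK_END };
enum VehicleType : uint8_t { VEH_TRAIN, VEH_AIRCRAFT, VEH_EFFECT };

/* Result of a command, as in the backtrace locals: a success flag plus a cost. */
struct CommandCost { bool success; int cost; };
static const CommandCost CMD_ERROR = { false, 0 };

/* Tables the crashing frames indexed with raw client values (assumed contents). */
struct RailTypeInfo { int cost_multiplier; };
static const RailTypeInfo _railtypes[RAILTYPE_END] = { {8}, {12}, {16}, {24} };
static const uint8_t _search_dir_1[TRACK_END] = { 0, 1, 0, 1, 2, 1 };

/* Constructed vehicle pool: the real one has 64000 slots, this one 8. Slots can be
 * free, and effect vehicles share the pool with company vehicles (the VEH_EFFECT case). */
struct Vehicle { VehicleType type; bool in_use; };
static const uint32_t VEHICLE_POOL_SIZE = 8;
static Vehicle _vehicle_pool[VEHICLE_POOL_SIZE] = {
    {VEH_TRAIN, true}, {VEH_AIRCRAFT, true}, {VEH_EFFECT, true}, {VEH_TRAIN, false},
    {VEH_AIRCRAFT, true}, {VEH_EFFECT, true}, {VEH_TRAIN, true}, {VEH_TRAIN, false},
};
static const TileIndex MAP_SIZE = 512 * 512;

/* Parameter validators (assumed names); every Cmd* handler runs them before its first lookup. */
static bool ValParamTile(uint32_t t)      { return t < MAP_SIZE; }
static bool ValParamRailtype(uint32_t rt) { return rt < RAILTYPE_END; }
static bool ValParamTrack(uint32_t t)     { return t < TRACK_END; }

/* Pool lookup that fails closed: out of range, a freed slot, or a vehicle kind the
 * command cannot apply to all yield nullptr instead of a pointer into nowhere. */
static Vehicle *GetCompanyVehicleIfValid(uint32_t id)
{
    if (id >= VEHICLE_POOL_SIZE) return nullptr;            /* the Pool::Get(1958905846) case */
    Vehicle *v = &_vehicle_pool[id];
    if (!v->in_use || v->type == VEH_EFFECT) return nullptr; /* the VEH_EFFECT NOT_REACHED case */
    return v;
}

/* rail_cmd.cpp:488 analogue: p1 = railtype, p2 = track. */
static CommandCost CmdBuildSingleRail(TileIndex tile, uint32_t p1, uint32_t p2)
{
    if (!ValParamTile(tile) || !ValParamRailtype(p1) || !ValParamTrack(p2)) return CMD_ERROR;
    int cost = (100 * _railtypes[p1].cost_multiplier) >> 3;  /* RailBuildCost() with base price 100 */
    (void)_search_dir_1[p2];                                  /* the AddTrackToSignalBuffer() lookup */
    return CommandCost{ true, cost };
}

/* rail_cmd.cpp:1481 analogue: p1 = start tile, p2 = target railtype passed on to HasPowerOnRail(). */
static CommandCost CmdConvertRail(TileIndex tile, uint32_t p1, uint32_t p2)
{
    if (!ValParamTile(tile) || !ValParamTile(p1) || !ValParamRailtype(p2)) return CMD_ERROR;
    return CommandCost{ true, 0 };
}

/* aircraft_cmd.cpp:446 / order_cmd.cpp:757 analogue: p1 = vehicle index. */
static CommandCost CmdSendVehicleToDepot(uint32_t p1)
{
    Vehicle *v = GetCompanyVehicleIfValid(p1);
    if (v == nullptr) return CMD_ERROR;
    return CommandCost{ true, 0 };
}

/* The reporter's approach, in-process: random tile/p1/p2 into every handler.
 * Returns how many commands ran and how many were rejected; the point is that
 * the loop finishes instead of faulting. */
struct FuzzStats { int executed; int rejected; };
static FuzzStats FuzzCommands(uint32_t seed, int iterations)
{
    std::mt19937 rng(seed);
    FuzzStats s = { 0, 0 };
    for (int i = 0; i < iterations; i++) {
        uint32_t tile = (uint32_t)rng(), p1 = (uint32_t)rng(), p2 = (uint32_t)rng();
        CommandCost results[] = {
            CmdBuildSingleRail(tile, p1, p2), CmdConvertRail(tile, p1, p2), CmdSendVehicleToDepot(p1)
        };
        for (const CommandCost &r : results) { s.executed++; if (!r.success) s.rejected++; }
    }
    return s;
}

int main()
{
    FuzzStats s = FuzzCommands(1, 10000);
    printf("%d commands executed, %d rejected, 0 crashes\n", s.executed, s.rejected);
    return 0;
}
```

Fed the exact values from the traces (railtype 3684920001 with track 2734781537, vehicle index 1958905846, target railtype 3541769954), each handler now returns a failed CommandCost instead of reading past a table or the pool. The order of checks matters: the tile, the railtype and the track are all validated before the first table access, because a cost-estimation pass with DC_NONE reaches the same lookups as an executing one. A server that wants to go further can also count rejections per client and drop a peer that keeps sending commands that no legitimate GUI could produce.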

@DorpsGek

frosch closed the ticket.

Reason for closing: Fixed

in multiple revisions


This comment was imported from FlySpray: https://bugs.openttd.org/task/3748

@DorpsGek DorpsGek added Core flyspray This issue is imported from FlySpray (https://bugs.openttd.org/) labels Apr 7, 2018