svn-3391

Version:

1.6.x (fixed in 1.6.1)

Bug Link:

http://subversion.tigris.org/issues/show_bug.cgi?id=3391

Patch Link:

source code patch: http://svn.apache.org/viewvc?diff_format=h&view=revision&revision=877119

Symptom:

Crash. Exclusion of the deleted directory lead to ‘Segmentation fault’

How it is diagnosed:

reproduced

 

How to reproduce:

1. make a directory and check-in

                ‘svn mkdir foo’

                ‘svn ci foo –m “new dir”’

2. delete the checked-in directory

                ‘rm –rf foo’

3. exclude the deleted directory

                ‘svn up –set-depth exclude foo’

 

*Result: Segmentation Faults

Root Cause:

Brief:

NULL pointer dereference. the exclusion of the deleted directory introduces that passing NULL to ‘strcmp’ function.

Detail:

 

In ‘svn_wc_crop_tree’, NULL(entry->url) is passed to ‘strcmp’.

callstack:

#0  strcmp () from /lib64/libc.so.6

#1  svn_wc_crop_tree (target="foo", depth=svn_depth_exclude, ...)

              at subversion/libsvn_wc/crop.c:258

#2  svn_client__update_internal (path= "foo", depth=svn_depth_exclude, ...)

              at subversion/libsvn_client/update.c:169

#3  svn_client_update3 (depth=svn_depth_exclude, ...)

              at subversion/libsvn_client/update.c:346

#4  svn_cl__update (...) at subversion/svn/update-cmd.c:84

#5  main (argc, argv) at subversion/svn/main.c:2123

 

/* in ‘svn_wc_crop_tree’ function, entry->url is NULL, so strcmp with NULL can lead to the segmentation fault */

svn_error_t *

svn_wc_crop_tree(...)

{

  ...

  /* Crop the target itself if we are requested to. */

  if (depth == svn_depth_exclude)

        {

 

           …

          /* entry->url is NULL!!!*/

              switched

                = parent_entry && strcmp(entry->url,

                                     svn_path_url_add_component2

                                     (parent_entry->url, bname, pool));

 

              /* The server simply do not accept excluded link_path and thus

                 switched path can not be excluede. Just completely prohibit this

                 situation. */

              if (switched)

                return svn_error_createf

                  (SVN_ERR_UNSUPPORTED_FEATURE, NULL,

               _("Cannot crop '%s': it is a switched path"),

               svn_path_local_style(full_path, pool));

  ...

}

 

The patch:

 

/* just skip if entry->url is NULL */

--- subversion/trunk/subversion/libsvn_wc/crop.c   2009/04/07 04:35:58              877118

+++ subversion/trunk/subversion/libsvn_wc/crop.c 2009/04/07 05:54:47              877119

@@ -255,20 +255,23 @@ svn_wc_crop_tree(svn_wc_adm_access_t *an

               if (err)

             svn_error_clear(err);

 

+              if (entry->url)

+                {

               switched

                 = parent_entry && strcmp(entry->url,

                                          svn_path_url_add_component2

                                      (parent_entry->url, bname, pool));

 

               /* The server simply do not accept excluded link_path and thus

-                 switched path can not be excluede. Just completely prohibit this

-                 situation. */

+                     switched path cannot be excluded. Just completely prohibit

+                     this situation. */

               if (switched)

                 return svn_error_createf

               (SVN_ERR_UNSUPPORTED_FEATURE, NULL,

                _("Cannot crop '%s': it is a switched path"),

                svn_path_local_style(full_path, pool));

             }

+            }

 

           /* If the target entry is just added without history, it does not exist

              in the repos (in which case we won't exclude it). */

Failure symptom category

crash

Is there any log message?

Yes, but simply ‘Segmentation fault’ printed by OS.

 

How can we automatically insert the log message?

SIGSEGV handler.