CRASH: [ssr-redir] In redir.c when auth_chain_b protocol is used

[wsycqyz]

Please answer these questions before submitting your issue. Thanks!

What version of shadowsocks-libev are you using?

Commit: 1797741

What operating system are you using?

Ubuntu 16.04.02LTS

What did you do?

Run ./ss-redir -c /etc/shadowsocks.json and
Use iptable to redirect traffic to ss-redir

What did you expect to see?

No crash

What did you see instead?

ss-redir crash. Following is gdb output:
root@ubuntu:/shadowsocksr-libev/src# gdb ./ss-redir
GNU gdb (Ubuntu 7.11.1-0ubuntu116.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ss-redir...done.
(gdb) set args -c /etc/shadowsocks.json -v
(gdb) run
Starting program: /root/shadowsocksr-libev/src/ss-redir -c /etc/shadowsocks.json -v
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
2017-08-01 13:52:15 INFO: protocol auth_chain_b
2017-08-01 13:52:15 INFO: protocol_param
2017-08-01 13:52:15 INFO: method none
2017-08-01 13:52:15 INFO: obfs tls1.2_ticket_auth
2017-08-01 13:52:15 INFO: obfs_param
2017-08-01 13:52:15 INFO: initializing ciphers... none
2017-08-01 13:52:15 INFO: tcp port reuse enabled
2017-08-01 13:52:15 INFO: listening at 0.0.0.0:1080
2017-08-01 13:52:15 INFO: running from root user
2017-08-01 13:52:23 INFO: connect to 23.239.1.72:80
2017-08-01 13:52:23 INFO: redir to 23.239.1.72:80, len=132, recv=132
*** Error in `/root/shadowsocksr-libev/src/ss-redir': free(): invalid next size (normal): 0x00000000006810b0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff6eaa7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7ffff6eb337a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff6eb753c]
/root/shadowsocksr-libev/src/ss-redir[0x408f01]
/root/shadowsocksr-libev/src/ss-redir[0x412b4d]
/root/shadowsocksr-libev/src/ss-redir[0x426ee4]
/root/shadowsocksr-libev/src/ss-redir[0x427dd3]
/root/shadowsocksr-libev/src/ss-redir[0x404645]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff6e53830]
/root/shadowsocksr-libev/src/ss-redir[0x405299]
======= Memory map: ========
00400000-00473000 r-xp 00000000 08:01 6037137 /root/shadowsocksr-libev/src/ss-redir
00673000-00674000 r--p 00073000 08:01 6037137 /root/shadowsocksr-libev/src/ss-redir
00674000-00675000 rw-p 00074000 08:01 6037137 /root/shadowsocksr-libev/src/ss-redir
00675000-0069b000 rw-p 00000000 00:00 0 [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
7ffff6a19000-7ffff6a2f000 r-xp 00000000 08:01 3801609 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6a2f000-7ffff6c2e000 ---p 00016000 08:01 3801609 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6c2e000-7ffff6c2f000 rw-p 00015000 08:01 3801609 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6c2f000-7ffff6c32000 r-xp 00000000 08:01 3805618 /lib/x86_64-linux-gnu/libdl-2.23.so
7ffff6c32000-7ffff6e31000 ---p 00003000 08:01 3805618 /lib/x86_64-linux-gnu/libdl-2.23.so
7ffff6e31000-7ffff6e32000 r--p 00002000 08:01 3805618 /lib/x86_64-linux-gnu/libdl-2.23.so
7ffff6e32000-7ffff6e33000 rw-p 00003000 08:01 3805618 /lib/x86_64-linux-gnu/libdl-2.23.so
7ffff6e33000-7ffff6ff3000 r-xp 00000000 08:01 3805629 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff6ff3000-7ffff71f3000 ---p 001c0000 08:01 3805629 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff71f3000-7ffff71f7000 r--p 001c0000 08:01 3805629 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff71f7000-7ffff71f9000 rw-p 001c4000 08:01 3805629 /lib/x86_64-linux-gnu/libc-2.23.so
7ffff71f9000-7ffff71fd000 rw-p 00000000 00:00 0
7ffff71fd000-7ffff7215000 r-xp 00000000 08:01 3805612 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7215000-7ffff7414000 ---p 00018000 08:01 3805612 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7414000-7ffff7415000 r--p 00017000 08:01 3805612 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7415000-7ffff7416000 rw-p 00018000 08:01 3805612 /lib/x86_64-linux-gnu/libpthread-2.23.so
7ffff7416000-7ffff741a000 rw-p 00000000 00:00 0
7ffff741a000-7ffff7488000 r-xp 00000000 08:01 3801663 /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7ffff7488000-7ffff7688000 ---p 0006e000 08:01 3801663 /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7ffff7688000-7ffff7689000 r--p 0006e000 08:01 3801663 /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7ffff7689000-7ffff768a000 rw-p 0006f000 08:01 3801663 /lib/x86_64-linux-gnu/libpcre.so.3.13.2
7ffff768a000-7ffff7792000 r-xp 00000000 08:01 3805624 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7792000-7ffff7991000 ---p 00108000 08:01 3805624 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7991000-7ffff7992000 r--p 00107000 08:01 3805624 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7992000-7ffff7993000 rw-p 00108000 08:01 3805624 /lib/x86_64-linux-gnu/libm-2.23.so
7ffff7993000-7ffff7bad000 r-xp 00000000 08:01 3801562 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7ffff7bad000-7ffff7dac000 ---p 0021a000 08:01 3801562 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7ffff7dac000-7ffff7dc8000 r--p 00219000 08:01 3801562 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7ffff7dc8000-7ffff7dd4000 rw-p 00235000 08:01 3801562 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7ffff7dd4000-7ffff7dd7000 rw-p 00000000 00:00 0
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 3805607 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7fe8000-7ffff7fed000 rw-p 00000000 00:00 0
7ffff7ff5000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 3805607 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 3805607 /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff6e68428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff6e68428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff6e6a02a in __GI_abort () at abort.c:89
#2 0x00007ffff6eaa7ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff6fc3e98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff6eb337a in malloc_printerr (ar_ptr=, ptr=, str=0x7ffff6fc3ff0 "free(): invalid next size (normal)", action=3) at malloc.c:5006
#4 _int_free (av=, p=, have_lock=0) at malloc.c:3867
#5 0x00007ffff6eb753c in __GI___libc_free (mem=) at malloc.c:2968
#6 0x0000000000408f01 in bfree (ptr=ptr@entry=0x7fffffffdff0) at encrypt.c:279
#7 0x0000000000412b4d in remote_send_cb (loop=0x6791a0 <default_loop_struct>, w=0x67c2c0, revents=) at redir.c:567
#8 0x0000000000426ee4 in ev_invoke_pending (loop=0x6791a0 <default_loop_struct>) at ev.c:3288
#9 0x0000000000427dd3 in ev_run (loop=0x6791a0 <default_loop_struct>, flags=0) at ev.c:3688
#10 0x0000000000404645 in main (argc=, argv=) at redir.c:1469
(gdb)

What is your config in detail (with all sensitive info masked)?

{
"server":"xxx",
"server_port":"xxx",
"local_address":"0.0.0.0",
"local_port":1080,
"password":"xxx",
"timeout":120,
"method":"none",
"protocol":"auth_chain_b",
"protocol_param":"",
"obfs":"tls1.2_ticket_auth",
"obfs_param":"",
"fast_open":false
}