Opened at 2015-04-04T00:39:33Z
Closed at 2015-04-04T03:27:38Z
#1200 closed defect (fixed)
Crash with jabber protocol when joining room
Reported by: | anonymous | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Jabber | Version: | devel |
Keywords: | | Cc: | |
IRC client+version: | irssi 0.8.17 | Operating System: | Linux |
OS version/distro: | debian wheezy | | |
Description
bitlbee 3.2 through current devel seems to crash when I join a group chat. I have pinpointed the exact line where it crashes, but do not understand the code base enough to get why.
How I reproduce: Join server successfully (able to talk to other people), then:
chat add jabber room@… #room
This doesn't crash anything. As soon as I join the room, however, bitlbee crashes.
Here are my account settings:
<@super> acc jabber set
<@root> activity_timeout = `600'
<@root> auto_connect = `true'
<@root> auto_reconnect = `true'
<@root> away is empty
<@root> display_name is empty
<@root> nick_format is empty
<@root> nick_source = `handle'
<@root> oauth = `false'
<@root> password = `********' (hidden)
<@root> port = `5222'
<@root> priority = `0'
<@root> proxy = `<local>;<auto>'
<@root> resource = `BitlBee'
<@root> resource_select = `activity'
<@root> server = `example.org'
<@root> ssl = `off'
<@root> status is empty
<@root> tag = `jabber'
<@root> tls = `true'
<@root> tls_verify = `off'
<@root> user_agent = `BitlBee'
<@root> username = `super@example.org'
<@root> xmlconsole = `false'
Here is the backtrace:
(gdb) bt
#0 __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:33
#1 0x000000000043aebe in jabber_chat_pkt_message (ic=0x14c5b60, bud=0x14f6f40, node=0x14f70b0) at conference.c:361
#2 0x00000000004423a3 in jabber_pkt_message (node=0x14f70b0, data=0x14c5b60) at message.c:65
#3 0x000000000043499b in xt_handle (xt=0x14c1ff0, node=0x14f70b0, depth=0) at xmltree.c:195
#4 0x00000000004347fd in xt_handle (xt=0x14c1ff0, node=0x1500d80, depth=1) at xmltree.c:174
#5 0x00000000004347c1 in xt_handle (xt=0x14c1ff0, node=0x0, depth=1) at xmltree.c:169
#6 0x000000000043b648 in jabber_read_callback (data=0x14c5b60, fd=15, cond=B_EV_IO_READ) at io.c:175
#7 0x0000000000429ffd in gaim_io_invoke (source=0x14ebab0, condition=G_IO_IN, data=0x14e8490) at events_glib.c:86
#8 0x00007fe2152db355 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#9 0x00007fe2152db688 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x00007fe2152dba82 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x0000000000429f6f in b_main_run () at events_glib.c:59
#12 0x0000000000427ec5 in main (argc=8, argv=0x7ffff48a3b08) at unix.c:170
(gdb)
I have noticed that bud->ext_jid is NULL when strchr() is being called.
This seems to happen whether OTR is enabled or not, whether debugging is enabled or not. I do not have access to ASAN on my compiler on my platform unfortunately.
Btw, thanks for bitlbee, it is amazingly useful software even when things like this arise.
Attachments (0)
Change History (1)
comment:1 Changed at 2015-04-04T03:27:38Z by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Okay, talked about this stuff on IRC.
The crash itself is indeed because bud->ext_jid is null, in particular when parsing an incoming <subject>, after having received a <presence> with the incorrect JID. The null dereference is fixed in 4543b6b.
The actual underlying issue is the server's fault (lets-chat). I just submitted a bug for them and wrote more details here: https://github.com/sdelements/lets-chat/issues/390
Once they fix that on their side, that crash fix shouldn't be needed.
Alternatively, to workaround this from bitlbee's side, set your channel nick to be the same as your username:
or, for 3.4 or newer, to set the default nick for all new channels:
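As an added illustration of the failure described in this comment (not BitlBee's own code, and not from the commenter or the 4543b6b fix), here is a minimal C model: an occupant whose <presence> carried an unusable JID has a NULL ext_jid, and a <subject> handler that calls strchr() on it crashes, so the hardened handler validates the pointer and drops the message instead. The struct, enum and function names are hypothetical.

```c
/* Minimal model of BitlBee ticket #1200 (hypothetical names, not BitlBee code). */
#include <stddef.h>
#include <string.h>

struct jabber_buddy {            /* stand-in for the room occupant record */
    char *ext_jid;               /* "room@host/nick", or NULL if the server's
                                    <presence> never gave a usable JID */
};

enum subject_result {
    SUBJECT_OK = 0,              /* nick extracted, subject can be applied */
    SUBJECT_NO_EXT_JID = 1,      /* ext_jid is NULL: drop the message, don't crash */
    SUBJECT_NO_RESOURCE = 2      /* JID has no "/nick" part: drop the message */
};

/* The pattern behind the backtrace: strchr() on a NULL ext_jid segfaults
 * inside libc (frame #0 __strchr_sse2). Shown for contrast, not called. */
const char *nick_from_ext_jid_unsafe(const struct jabber_buddy *bud)
{
    return strchr(bud->ext_jid, '/') + 1;
}

/* Hardened handler: every pointer is checked before it reaches strchr(),
 * and a buddy without a known room JID simply has its <subject> ignored. */
enum subject_result apply_room_subject(const struct jabber_buddy *bud,
                                       const char *subject,
                                       char *nick_out, size_t nick_len)
{
    const char *slash;
    size_t n;

    if (bud == NULL || bud->ext_jid == NULL || nick_out == NULL || nick_len == 0)
        return SUBJECT_NO_EXT_JID;
    slash = strchr(bud->ext_jid, '/');
    if (slash == NULL || slash[1] == '\0')
        return SUBJECT_NO_RESOURCE;
    n = strlen(slash + 1);
    if (n >= nick_len)               /* truncate rather than overflow nick_out */
        n = nick_len - 1;
    memcpy(nick_out, slash + 1, n);
    nick_out[n] = '\0';
    (void)subject;                   /* a real handler would now post the subject */
    return SUBJECT_OK;
}
```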