Question Crash Bug - Client app

I am at my wits end. Usually this stuff is a piece of cake, but not this one. Player clients log in and play. Some have unique scripts they use and sometimes crash. However, sometimes during that crash/reset of client It sends junk to the socket close. You get the normal player reset but then you get a junk reset that causes a double free. I have tried numerous fixes but I cannot seem to get it right.

Wonder if anyone can take a peek. 

SYSERR: Write to socket: Connection reset by peer
Apr 22 16:50:40 2022 :: Losing  CatPurr.
Apr 22 16:50:40 2022 :: Losing  X\X^U.
free(): double free detected in tcache 2  ==> Crash

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) back
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f2f55604537 in __GI_abort () at abort.c:79
#2  0x00007f2f5565d768 in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7f2f5576be2d "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007f2f55664a5a in malloc_printerr (
    str=str@entry=0x7f2f5576e170 "free(): double free detected in tcache 2") at malloc.c:5347
#4  0x00007f2f55666055 in _int_free (av=0x7f2f5579db80 <main_arena>, p=0x555e93cd5ac0, 
    have_lock=0) at malloc.c:4201
#5  0x0000555e91304b0a in free_char (ch=0x555e9549fab0) at db.c:4478
#6  0x0000555e912f9d2b in close_socket (d=d@entry=0x555e956acef0) at comm.c:2501
#7  0x0000555e912fd28b in game_loop (local_mother_desc=3) at comm.c:962
#8  0x0000555e912722a7 in init_game (local_port=<optimized out> at comm.c:576
#9  main (argc=3, argv=<optimized out> at comm.c:395

#5  0x0000555e91304b0a in free_char (ch=0x555e9549fab0) at db.c:4478
4478          free(ch->player.description);
(gdb) list
4473        if (ch->player.short_descr)
4474          free(ch->player.short_descr);
4475        if (ch->player.long_descr)
4476          free(ch->player.long_descr);
4477        if (ch->player.description)
4478          free(ch->player.description);
4479        for (i = 0; i < NUM_HIST; i++)
4480         if (GET_HISTORY(ch, i))
4481          free_history(ch, i);
4482        
(gdb) up
#6  0x0000555e912f9d2b in close_socket (d=d@entry=0x555e956acef0) at comm.c:2501
2501            free_char(d->character);
(gdb) list
2496          save_char(link_challenged);
2497          mudlog(NRM, MAX(ADMLVL_IMMORT, GET_INVIS_LEV(link_challenged)), TRUE, "Closing link to: %s.", GET_NAME(link_challenged));
2498        } else {
2499          mudlog(CMP, ADMLVL_IMMORT, TRUE, "Losing  %s.", GET_NAME(d->character) ? GET_NAME(d->character) : "<null>");
2500          if (d->character)
2501            free_char(d->character);
2502        }
2503      } else
2504        mudlog(CMP, ADMLVL_IMMORT, TRUE, "Losing descriptor without char.");
2505      
(gdb) info local
temp = <optimized out>
(gdb) down
#5  0x0000555e91304b0a in free_char (ch=0x555e9549fab0) at db.c:4478
4478          free(ch->player.description);
(gdb) info local
i = <optimized out>
a = <optimized out>
(gdb) 

(gdb) info local
pr_main_loop_ = 0x555e94e14530
pr_process_input_ = 0x555e94e18f10
pr_process_commands_ = 0x555e94e18ff0
pr_process_output_ = 0x555e94e19110
input_set = {__fds_bits = {2560, 0 <repeats 15 times>}}
output_set = {__fds_bits = {32512, 0 <repeats 15 times>}}
exc_set = {__fds_bits = {0 <repeats 16 times>}}
null_set = {__fds_bits = {0 <repeats 16 times>}}
last_time = {tv_sec = 1650660640, tv_usec = 905968}
opt_time = {tv_sec = 0, tv_usec = 100000}
process_time = {tv_sec = 0, tv_usec = 2124}
temp_time = {tv_sec = 0, tv_usec = 97876}
before_sleep = {tv_sec = 1650660640, tv_usec = 808092}
now = {tv_sec = 1650660640, tv_usec = 906235}
timeout = {tv_sec = 0, tv_usec = 0}
comm = "hold purple\000\000R\000R\000g\000 king\000partner, I'm ba\000\062\000\064", '\000' <repeats 467 times>
d = 0x555e956acef0
next_d = 0x555e94a2e8a0
missed_pulses = 0
maxdesc = <optimized out>
aliased = <optimized out>
(gdb) list
957         for (d = descriptor_list; d; d = next_d) {
958           next_d = d->next;
959           if (*(d->output) && FD_ISSET(d->descriptor, &output_set)) {
960             /* Output for this is ready */
961             if (process_output(d) < 0)
962               close_socket(d);
963             else
964               d->has_prompt = TRUE;
965           }
966         }
(gdb) 

Password was removed for characters privacty

(gdb) print *d->character
$1 = {pfilepos = -1786893760, nr = 21854, in_room = 2481026912, was_in_room = 21854, 
  motion_timer = 0, wait = 0, version = 0 '\000', player = {
    password = '\000' <repeats 100 times>, 
    passwd = "XXXXX", '\000' <repeats 87 times>, 
    name = 0x555e94024be0 "\320+n\223^U", short_descr = 0x0, long_descr = 0x0, 
    description = 0x555e93cd5ad0 "\360\230;\225^U", title = 0x555e955c9700 "\320K\002\224^U", 
    sex = 1 '\001', chclass = 10 '\n', race = 0 '\000', level = 30 '\036', 
    admlevel = 0 '\000', time = {birth = 1598554047, logon = 1650660617, played = 1365054}, 
    weight = 8 '\b', height = 182 '\266', last_age = 0}, real_abils = {str = 16 '\020', 
    str_add = 0 '\000', intel = 18 '\022', wis = 17 '\021', dex = 15 '\017', con = 15 '\017', 
    cha = 18 '\022', ess = 100 'd', intensity = 0 '\000', serenity = 0 '\000'}, aff_abils = {
    str = 16 '\020', str_add = 0 '\000', intel = 18 '\022', wis = 17 '\021', dex = 15 '\017', 
    con = 15 '\017', cha = 18 '\022', ess = 100 'd', intensity = 0 '\000', 
    serenity = 0 '\000'}, points = {mana = 485, max_mana = 429, hit = 332, max_hit = 341, 
    move = 139, max_move = 139, hit_regen = 0, mana_regen = 6, move_regen = 0, 
    add_gen_feats = 0 '\000', add_class_feats = 0 '\000', regen_factor = {100, 100, 100}, 
    armor = 100, money = {0, 54322, 0, 0}, gold = 0, bank_gold = 18300000, exp = 79999999, 
    hitroll = 0 '\000', damroll = 0 '\000', remort_count = 9, deaths = 27, 
    deaths_this_level = 21, reroll_count = 5, pc_steals = 0, xp_bonus = 0, align_bonus = 0, 
    oldcha = 18, oldstr = 16, oldstradd = 0, oldint = 18, oldwis = 15, oldcon = 13, 
    olddex = 15, oldclass = 10, oldhit_regen = 0, oldmana_regen = 6, oldmove_regen = 0, 
    oldremort_total = 8, exploss = 0, dt_day = -1, dt_room = 4294967295, dt_count = 0}, 
  char_specials = {fighting = 0x0, hunting = 0x0, position = 8 '\b', carry_weight = 0, 
    carry_items = 0 '\000', timer = 0, numplus = 0, succesful_hunt = false, saved = {
      alignment = 1000, idnum = 38000, act = {8390144, 0, 0, 0}, affected_by = {512, 0, 0, 
        0}, apply_saving_throw = {0, 0, 0, 0, 0}, kills = 0, monthly_kills = 0, vnum = 0}}, 
  player_specials = 0x555e95522a40, mob_specials = {memory = 0x0, attack_type = 0 '\000', 
    default_pos = 8 '\b', damnodice = 0 '\000', damsizedice = 0 '\000', mob_race_special = 0, 
    last_direction = 0 '\000', func = 0x0, mob_feats = "\000\000\000"}, affected = 0x0, 
  equipment = {0x0 <repeats 21 times>}, carrying = 0x0, desc = 0x0, script_id = 38000, 
  proto_script = 0x0, script = 0x0, memory = 0x0, next_in_room = 0x0, next = 0x555e957fbe50, 
  next_fighting = 0x0, followers = 0x0, master = 0x0, pref = 425, events = 0x0, 
  feats = '\000' <repeats 1000 times>, combat_feats = {{
      0 <repeats 18 times>} <repeats 17 times>}}
(gdb) print d->character->player.name
$2 = 0x555e94024be0 "\320+n\223^U"

I think this looks suspicious: I'd be interested to know whether d and next_d look like "real" descriptor-data when you print them out.

#7 0x0000555e912fd28b in game_loop (local_mother_desc=3) at comm.c:962
962 close_socket(d);
(gdb) print next_d
$5 = (struct descriptor_data *) 0x555e94a2e8a0
(gdb) print d
$6 = (struct descriptor_data *) 0x555e956acef0
(gdb) print *next_d
$7 = {descriptor = 14, host = "73.202.107.12", '\000' <repeats 27 times>, bad_pws = 0 '\000',
idle_tics = 0 '\000', connected = 0, desc_num = 160, login_time = 1650660524,
showstr_head = 0x0, showstr_vector = 0x0, showstr_count = 0, showstr_page = 0, str = 0x0,
backstr = 0x0, max_str = 0, mail_to = 0, has_prompt = 1,
inbuf = "\000ave\r\n\000eae hole\r\nwear soleae\r\n\000\nwear shimmering\r\n\000\ne\r\ne\r\nnw\r\n", '\000' <repeats 12226 times>,
last_input = "save\000soleae\000ole\000g\000l3\000at\000partner, I'm cl3", '\000' <repeats 471 times>,
small_outbuf = "\000\372E\001MANA\002\070\063\070\377\360\000 a scroll of recall.\r\nCatPurr disappears.\r\n\000 beautiful melody about, 'ghix'.\r\nPellinore, King of Listinoise suddenly seems to be moving slower.\r\n\000s vigor.\r\n\000LOCATION\002HITROLL\001MODIFIER\002\065\001"..., output = 0x555e94a31b1c "", history = 0x555e93fe7fa0, history_pos = 8, bufptr = 0,
bufspace = 1023, large_outbuf = 0x0, input = {head = 0x0, tail = 0x555e94a1a390},
character = 0x555e957fbe50, original = 0x0, snooping = 0x0, snoop_by = 0x0,
next = 0x555e957fcaf0, olc = 0x0, remort_class = 0, add_to_stat = {0, 0, 0, 0, 0, 0, 0, 0,
0, 0}, step = 0, option = 0, pProtocol = 0x555e93fe8ed0, events = 0x555e94699c60,
mail_vnum = 0}
(gdb) print *d
$8 = {descriptor = -1786884064,
host = "^U\000\000P+_\225^U\000\000 P~\225^U\000\000P+_\225^U", '\000' <repeats 14 times>,
bad_pws = 0 '\000', idle_tics = 0 '\000', connected = 10, desc_num = 163,
login_time = 1650660615, showstr_head = 0x0, showstr_vector = 0x0, showstr_count = 0,
showstr_page = 0, str = 0x0, backstr = 0x0, max_str = 0, mail_to = 0, has_prompt = 0,
inbuf = "\000old purple\r\n\000\000e\r\ns\r\ns\r\ns\r\ns\r\nw\r\nw\r\nw\r\nn\r\nbuy recall\r\ns\r\ne\r\ne\r\ne\r\nn\r\nn\r\nn\r\nn\r\ngold\r\nstand\r\nungroup\r\nfollow\r\ns\r\ngroup me\r\ns\r\ne\r\ne\r\nu\r\ngsay START SCORE\r\nscore\r\ngsay END SCORE\r\ngsay START EQUIP\r\nequip -a"...,
last_input = "hold purple\000\000R\000R\000g\000 king\000partner, I'm ba", '\000' <repeats 471 times>,
small_outbuf = "\r\nThat's not a menu choice!\r\n\r\nWelcome to JediMUD!\r\n0) Exit from JediMud.\r\n1) Enter the game.\r\n2) Enter description.\r\n3) Read the background story.\r\n4) Change password.\r\n5) Delete this character.\r\n6) "...,
output = 0x555e956b016c "\r\nThat's not a menu choice!\r\n\r\nWelcome to JediMUD!\r\n0) Exit from JediMud.\r\n1) Enter the game.\r\n2) Enter description.\r\n3) Read the background story.\r\n4) Change password.\r\n5) Delete this character.\r\n6) "..., history = 0x555e954a8f70,
history_pos = 6, bufptr = 286, bufspace = 737, large_outbuf = 0x0, input = {head = 0x0,
tail = 0x555e94ee8bf0}, character = 0x555e9549fab0, original = 0x0, snooping = 0x0,
snoop_by = 0x0, next = 0x555e94a2e8a0, olc = 0x0, remort_class = 0, add_to_stat = {0, 0, 0,
0, 0, 0, 0, 0, 0, 0}, step = 0, option = 0, pProtocol = 0x555e95772fd0,
events = 0x555e93696ae0, mail_vnum = 14144}

Obviously, there's something wrong with *d - I'd look for double free()s of the descriptor, not the character.

I had already double checked that. I only have this issue when someones client craps out and hits the game with garbage. I just double and triple checked the free'ing of the descriptor and I do not have a double free anywhere being called. hence why I am stumped as to how to prevent a client that has a poor script blowing up and crashing the game.

I fixed it by Nulling out several local variables that way no junk introduced itself to closing out and when you connect. So far i have been having 20-30 day uptimes again.