cmd_ai_switch() and cmd_ai_clear() mutated session fields (provider_name, provider, model, api_key, history) on the main thread without coordination, while _ai_request_thread() read the same fields concurrently in the worker thread. This caused use-after-free when: - g_free(session->model) was called between worker's read and g_strdup() - ai_provider_unref(session->provider) freed the provider struct while worker accessed session->provider->api_url - ai_session_clear_history() freed the history list while worker walked it Fix: 1. Add pthread_mutex_t lock to AISession struct to protect all session fields from concurrent access. 2. Introduce ai_session_switch() public API that atomically switches provider, model, and API key under the session lock. This encapsulates all session mutations within ai_client.c so cmd_funcs.c never touches session fields directly. 3. Have _ai_request_thread() snapshot all session state under the session lock before making requests, using local copies for the duration of the curl request. 4. Add ai_provider_ref()/ai_provider_unref() around _ai_generic_request_thread() to prevent provider UAF during model-fetch requests. 5. Protect ai_session_add_message(), ai_session_clear_history(), and ai_session_set_model() with the session lock. No pthread.h needed in cmd_funcs.c — all locking is encapsulated within ai_client.c via the public API. No deadlock risk from nested locks. Files changed: - src/ai/ai_client.h: Add lock field, ai_session_switch() declaration - src/ai/ai_client.c: Mutex init/destroy, session mutation protection, worker thread snapshot, provider ref management - src/command/cmd_funcs.c: Use ai_session_switch() API, remove pthread.h
CProof
CProof is a console based XMPP chat client based on Profanity.
See the Quick Start Guide for information on installing and using CProof.
Project
CProof enables you to communicate with privacy, freedom and comfort. Our open-source chat application delivers secure, end-to-end encrypted messaging (OTR, PGP, OMEMO, OX) built on the trusted XMPP protocol. With a decentralized design, you can connect directly or even host your own server, keeping your data in your hands. Whether you're chatting with friends or collaborating securely, CProof makes private communication simple, reliable, and truly yours.
Installation
Check our installation guide for detailed instructions.
How to contribute
See our Helping Out page for a concise summary of ways to help us.
Review the Contributing Guide and Code Overview pages for advanced technical details.
Getting help
Prior to asking questions, check our User Guide, then check out the FAQ.
If you are still having a problem then search the issue tracker.
As a last resort, feel free to write us on support@jabber.tech or create a new issue depending on what your problem is.
Links
Website
Feel free to visit our website: jabber.space.
You may also check the repository if you like, available on git.jabber.space/devs/profanity.
Plugins
Plugins repository: https://git.jabber.space/devs/cproof-plugins
