crash in janus_http.c due to "Unsupported method" #2118

Closed
yin-zhang opened this issue Apr 29, 2020 · 5 comments

yin-zhang commented Apr 29, 2020

I found a deterministic crash in janus_http.c. I'm able to reproduce the crash on both the master branch and release 0.9.3. To reproduce the crash yourself, just do the following:

(1) start janus (with http server running at default port 8088)
(2) telnet <your_janus_server> 8088
(3) type line "a b c" followed by an empty line, which creates an illegal HTTP request with an unsupported method "a"

Janus crashes immediately after returning:

    {  "janus": "error",
       "error": {
          "code": 450,
          "reason": "Unsupported method a"
       }
    }

It also logs a line that looks like:

    [Wed Apr 29 16:33:54 2020] [(null)] Returning error 450 (Unsupported method a)

The coredump is not giving anything particularly useful. It just says something like:

"thread #1, stop reason = signal SIGSTOP."

But I was able to track down the exact location of the crash by adding tons of printf. It is inside janus_http.c: janus_http_request_completed(...), on the line that states:

    janus_refcount_decrease(&request->ref);

I don't yet know the janus code well enough to propose a fix. But you guys should be able to fix it very quickly, as it's deterministic to reproduce.

-- Yin

@lminiero
Member

Edited your post to put log and code snippets in code blocks. I managed to replicate the issue, and using libasan it mentions a heap-use-after-free:

    ==4037==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000032090 at pc 0x7f2972af25c7 bp 0x7f29722dab60 sp 0x7f29722dab50
    READ of size 8 at 0x604000032090 thread T40 (MHD-single)
        #0 0x7f2972af25c6 in janus_http_request_completed transports/janus_http.c:1827
        #1 0x7f29739ab6f6  (/lib64/libmicrohttpd.so.12+0x86f6)
        #2 0x7f29739ad54f  (/lib64/libmicrohttpd.so.12+0xa54f)
        #3 0x7f29739b213f  (/lib64/libmicrohttpd.so.12+0xf13f)
        #4 0x7f29739b318e  (/lib64/libmicrohttpd.so.12+0x1018e)
        #5 0x7f298b7934e1 in start_thread (/lib64/libpthread.so.0+0x94e1)
        #6 0x7f298b6c26a2 in clone (/lib64/libc.so.6+0x1016a2)

    0x604000032090 is located 0 bytes inside of 48-byte region [0x604000032090,0x6040000320c0)
    freed by thread T40 (MHD-single) here:
        #0 0x7f298c2d891f in __interceptor_free (/lib64/libasan.so.5+0x10d91f)
        #1 0x7f298be6049c in g_free (/lib64/libglib-2.0.so.0+0x5749c)
        #2 0x7f2972b1f565 in janus_http_handler transports/janus_http.c:1552
        #3 0x7f29739a99b0  (/lib64/libmicrohttpd.so.12+0x69b0)

This should give me enough to look into it, I'll update the issue when I know more.

@lminiero lminiero added the bug label Apr 29, 2020
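
The ownership pattern behind the AddressSanitizer report above (state freed in the request handler, then read again in the request-completed callback), as an added example that is neither Janus code nor the commit that closed this issue. The names `request`, `on_request`, `on_completed`, `serve`, the `free_on_error` switch and the GET/POST allow-list are assumptions made for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-request state; the HTTP library keeps a pointer to it
 * (con_cls) until its "request completed" callback has run. */
typedef struct request { int refs; } request;

static int destroyed = 0;       /* how many requests have been released */

static void request_unref(request *r) {
    if (r != NULL && --r->refs == 0) { destroyed++; free(r); }
}

/* Access handler. free_on_error=1 keeps the defective shape from the report:
 * the error path frees the state while con_cls still points at it. */
static int on_request(void **con_cls, const char *method, int free_on_error) {
    request *r = *con_cls;
    if (r == NULL) {
        r = calloc(1, sizeof *r);
        if (r == NULL) return 500;
        r->refs = 1;            /* the reference owned by the connection */
        *con_cls = r;
    }
    /* Assumed allow-list for the example. */
    if (strcmp(method, "GET") != 0 && strcmp(method, "POST") != 0) {
        if (free_on_error)
            free(r);            /* defect: con_cls is now dangling */
        return 450;             /* error code from the report */
    }
    return 200;
}

/* Completion callback: the only place the connection's reference is dropped. */
static void on_completed(void **con_cls) {
    request *r = *con_cls;
    *con_cls = NULL;            /* never leave a stale pointer behind */
    request_unref(r);           /* reads r->refs: invalid if already freed */
}

/* Drive one request through both callbacks, as the library would. */
static int serve(const char *method, int free_on_error) {
    void *con_cls = NULL;
    int code = on_request(&con_cls, method, free_on_error);
    on_completed(&con_cls);
    return code;
}

int main(void) { return serve("a", 0) == 450 && destroyed == 1 ? 0 : 1; }
```

Built with `-fsanitize=address`, calling `serve("a", 1)` instead produces a heap-use-after-free read inside `on_completed`, the same class of report as above.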
@yin-zhang
Author

Wow, you are quick!

@lminiero
Member

Don't get used to it 😝

@lminiero
Member

The small commit above fixes the issue for me. Please let me know if it's still an issue for you, and in case we'll reopen. Thanks for spotting the problem!

@yin-zhang
Author

It works! Your responsiveness is amazing!
