KERNEL: Crash at HTTP fast buffer grow #848

Closed
winlinvip opened this issue Apr 18, 2017 · 2 comments

#4  0x000000000045d314 in SrsFastBuffer::grow (this=0x24854e0, reader=0x7f9686104bd0, required_size=131073) at src/protocol/srs_protocol_buffer.cpp:165
#5  0x00000000004e97b0 in SrsHttpParser::parse_message_imp (this=0x23faac0, skt=0x7f9686104bd0) at src/app/srs_app_http_conn.cpp:984
#6  0x00000000004e937c in SrsHttpParser::parse_message (this=0x23faac0, skt=0x7f9686104bd0, conn=0x22813a0, ppmsg=0x7f9686104c30)
    at src/app/srs_app_http_conn.cpp:927
#7  0x00000000004eae5e in SrsHttpConn::do_cycle (this=0x22813a0) at src/app/srs_app_http_conn.cpp:1255
#8  0x000000000047958a in SrsConnection::cycle (this=0x22813a0) at src/app/srs_app_conn.cpp:89
#9  0x00000000004acdc5 in SrsOneCycleThread::cycle (this=0x24856d0) at src/app/srs_app_thread.cpp:372
#10 0x00000000004ac51d in internal::SrsThread::thread_cycle (this=0x24957a0) at src/app/srs_app_thread.cpp:207
#11 0x00000000004ac730 in internal::SrsThread::thread_fun (arg=0x24957a0) at src/app/srs_app_thread.cpp:245
#12 0x0000000000526bf6 in _st_thread_main () at sched.c:327
@winlinvip winlinvip added the Bug It might be a bug. label Apr 18, 2017
@winlinvip winlinvip added this to the srs 2.0 release milestone Apr 18, 2017
@winlinvip winlinvip changed the title KERNEL: Crash for HTTP fast buffer to grow KERNEL: Crash when HTTP fast buffer grows Apr 18, 2017
@winlinvip winlinvip changed the title KERNEL: Crash when HTTP fast buffer grows KERNEL: Crash at HTTP fast buffer grow Apr 18, 2017

winlinvip commented Apr 18, 2017

It seems that a request without a length was POSTed.

POST ch1 HTTP/1.1\r\n
Content-Type: application/flv-pushsetup\r\n
X-Accept-Authentication: Negotiate, NTLM, Digest\r\n
Accept: */*\r\n
User-Agent: WMEncoder/10.0.0.3802\r\n
Host: ossrs.net:8080\r\n
Connection: Keep-Alive\r\n
Cookie: push-id=0\r\n
Authorization:BASIC YWRtaW46MDAwMDA=\r\n\r\n

FLV\001\005

The HTTP header is only 263 bytes, and the rest is FLV data.

(gdb) p p+263
$25 = 0x237ee27 "FLV\001\005"

The buffer has been filled.

(gdb) p /x (int64_t)buffer
$9 = 0x237ed20
(gdb) p /x (int64_t)p     
$10 = 0x237ed20
(gdb) p /x (int64_t)end
$11 = 0x239ed20
(gdb) p end-p
$12 = 131072
(gdb) p nb_buffer
$13 = 131072

At this point, the buffer and p are at the same position, which means the buffer has not been consumed and is directly filled with data until it is full.

The characteristic of FastBuffer is that it can only hold 128KB, and if it becomes full, it will assert an error.

// the default recv buffer size, 128KB.
#define SRS_DEFAULT_RECV_BUFFER_SIZE 131072

The buffer will only be reallocated when set_buffer is called.

Therefore, when the buffer is filled, it should return an error instead of asserting directly.

winlinvip commented Apr 18, 2017

The problem lies in using assert directly when moving memory, while the if statement is only evaluated later. Therefore, memory should only be moved if it is possible to do so. If there is not enough space, the memory can simply be left unmoved, and it will fail later when checking for insufficient space.

@winlinvip winlinvip self-assigned this Sep 17, 2021
@winlinvip winlinvip added the TransByAI Translated by AI/GPT. label Jul 28, 2023
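
The approach from the last comment (check for space before moving memory, and return an error when the request cannot fit), as an added C++ sketch that is not SRS code. `FixedBuffer`, `FakeReader` and the `GROW_*` codes are hypothetical names, and the input is constructed to match the 263-byte header and 128KB buffer seen in the gdb session.

```cpp
#include <algorithm>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical names; a sketch of the idea, not the SRS source.
enum GrowResult { GROW_OK, GROW_OVERFLOW, GROW_EOF };

// Constructed stand-in for the socket: hands out bytes from a string.
struct FakeReader {
    std::string data;
    size_t pos = 0;
    size_t read(char* dst, size_t max) {
        size_t n = std::min(max, data.size() - pos);
        std::memcpy(dst, data.data() + pos, n);
        pos += n;
        return n;
    }
};

class FixedBuffer {
    std::vector<char> buf_;
    size_t p_ = 0, end_ = 0;  // unread bytes live in [p_, end_)
public:
    explicit FixedBuffer(size_t capacity) : buf_(capacity) {}
    size_t size() const { return end_ - p_; }
    void skip(size_t n) { p_ += n; }  // parser consumed n bytes
    GrowResult grow(FakeReader& r, size_t required) {
        if (size() >= required) return GROW_OK;
        // Capacity check first: a request that can never fit is an error, not an assert.
        if (required > buf_.size()) return GROW_OVERFLOW;
        // Move memory only when the tail is too small to hold the rest.
        if (buf_.size() - p_ < required) {
            std::memmove(buf_.data(), buf_.data() + p_, size());
            end_ -= p_; p_ = 0;
        }
        while (size() < required) {
            size_t n = r.read(buf_.data() + end_, buf_.size() - end_);
            if (n == 0) return GROW_EOF;
            end_ += n;
        }
        return GROW_OK;
    }
};

int main() {  // constructed input: 263 header bytes, then a long body
    FakeReader r; r.data = std::string(263, 'H') + std::string(200000, 'F');
    FixedBuffer b(131072);
    return b.grow(r, 131072) == GROW_OK && b.grow(r, 131073) == GROW_OVERFLOW ? 0 : 1;
}
```

With nothing consumed and the buffer full, asking for 131073 bytes returns `GROW_OVERFLOW`, which the connection handler can turn into a closed connection instead of a process crash.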