Crash in HMAC_CTX_new / stun_sha1 (SIGSEGV inside glibc _int_malloc — heap corruption)
Hi, I am seeing a crash in libnice. It occurred only once during a session in production and I have been unable to reproduce it. Any insights on fixing this would be helpful; the gdb trace is attached below.

Note on reading the trace: the fault is raised inside glibc's `_int_malloc` (frame #0) while `HMAC_CTX_new` allocates 48 bytes, but `tc_victim = 0x5` is not a plausible chunk pointer, so a free-list link in the 64-byte bin of arena `0x7efb60000020` had already been overwritten before `stun_sha1` was entered. The crashing frame is therefore the victim of earlier heap corruption (an out-of-bounds write, use-after-free or double free — possibly from another thread sharing that arena), not the cause, and the libnice frames above it only show where the damaged free list was first consumed. The most useful next step is to rerun `stun_handler` with AddressSanitizer (or at least `MALLOC_CHECK_=3` or `valgrind --tool=memcheck`) so the corrupting write is reported at its source, and to review the application-side code around `switch_event_loop` for the lifetime of the buffers it hands to the agent. Also note that the trace prints the ICE password in clear text (`key` in frame #7); treat that credential as disclosed and rotate it if it is not already a per-session value.
libnice version: v0.1.19 | OS: Debian GNU/Linux 10 (buster) | OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022 | GLib version: 2.58
Thanks .
gdb backtrace
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
bt
Core was generated by `./stun_handler -nc'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f02bdc8b6ad in _int_malloc (av=av@entry=0x7efb60000020, bytes=bytes@entry=48) at malloc.c:3615
3615 malloc.c: No such file or directory.
[Current thread is 1 (Thread 0x7ef61ffcf700 (LWP 33265))]
(gdb) bt
#0 0x00007f02bdc8b6ad in _int_malloc (av=av@entry=0x7efb60000020, bytes=bytes@entry=48) at malloc.c:3615
#1 0x00007f02bdc8d5fa in __GI___libc_malloc (bytes=48) at malloc.c:3068
#2 0x00007f02be6a18d9 in CRYPTO_zalloc () at /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#3 0x00007f02be69caa5 in () at /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#4 0x00007f02be69cec5 in HMAC_CTX_reset () at /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#5 0x00007f02be69cf77 in HMAC_CTX_new () at /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#6 0x00007f02be4f5b89 in stun_sha1 (msg=0x7efb60000b20 "", len=92, msg_len=<optimized out>, sha=sha@entry=0x7ef61ffcdf20 "\202y\017\222�~", key=0x7efa703801b1, keylen=22, padding=0)
at ../stun/stunhmac.c:151
#7 0x00007f02be4f3fa5 in stun_agent_validate
(agent=agent@entry=0x7efa70600930, msg=msg@entry=0x7ef61ffce0e0, buffer=buffer@entry=0x7efb60000b20 "", buffer_len=buffer_len@entry=100, validater=validater@entry=0x7f02be4d9220 <conncheck_stun_validater>, validater_data=validater_data@entry=0x7ef61ffce0c0) at ../stun/stunagent.c:312
#8 0x00007f02be4de89d in conn_check_handle_inbound_stun
(agent=agent@entry=0x7f00a8063000, stream=stream@entry=0x7efa70380070, component=component@entry=0x7efa706007c0, nicesock=0x7efa140b09c0, from=0x7ef61ffcea70, buf=buf@entry=0x7efb60000b20 "", len=100) at ../agent/conncheck.c:4538
#9 0x00007f02be4d3c92 in agent_recv_message_unlocked
(agent=agent@entry=0x7f00a8063000, stream=stream@entry=0x7efa70380070, component=component@entry=0x7efa706007c0, nicesock=<optimized out>, message=message@entry=0x7ef61ffceba0)
at ../agent/agent.c:4472
#10 0x00007f02be4d4688 in component_io_cb (gsocket=<optimized out>, condition=<optimized out>, user_data=0x7f00ac017d20) at ../agent/agent.c:6038
#11 0x00007f02bdadc689 in () at /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#12 0x00007f02bd921e98 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007f02bd922288 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x00007f02bd922582 in g_main_loop_run () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x00007f02bdea3046 in switch_event_loop (data=0x7efa70057ec0) at src/switch_agent.c:30
#16 0x00007f02bd94a4d5 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x00007f02bddd0fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#18 0x00007f02bdd01eff in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb)
gdb backtrace full
(gdb) bt full
#0 0x00007f02bdc8b6ad in _int_malloc (av=av@entry=0x7efb60000020, bytes=bytes@entry=48) at malloc.c:3615
tc_victim = 0x5
victim_idx = <optimized out>
tc_idx = 2
p = 0x7efb60010f50
fb = 0x7efb60000040
pp = <optimized out>
nb = 64
idx = 2
bin = <optimized out>
victim = 0x7efb60010f50
size = <optimized out>
victim_index = <optimized out>
remainder = <optimized out>
remainder_size = <optimized out>
block = <optimized out>
bit = <optimized out>
map = <optimized out>
fwd = <optimized out>
bck = <optimized out>
tcache_unsorted_count = <optimized out>
tcache_nb = <optimized out>
tc_idx = <optimized out>
return_cached = <optimized out>
__PRETTY_FUNCTION__ = "_int_malloc"
#1 0x00007f02bdc8d5fa in __GI___libc_malloc (bytes=48) at malloc.c:3068
ar_ptr = 0x7efb60000020
victim = <optimized out>
hook = <optimized out>
tbytes = <optimized out>
tc_idx = 2
__PRETTY_FUNCTION__ = "__libc_malloc"
#2 0x00007f02be6a18d9 in CRYPTO_zalloc () at /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#3 0x00007f02be69caa5 in () at /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#4 0x00007f02be69cec5 in HMAC_CTX_reset () at /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#5 0x00007f02be69cf77 in HMAC_CTX_new () at /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#6 0x00007f02be4f5b89 in stun_sha1 (msg=0x7efb60000b20 "", len=92, msg_len=<optimized out>, sha=sha@entry=0x7ef61ffcdf20 "\202y\017\222�~", key=0x7efa703801b1, keylen=22, padding=0)
at ../stun/stunhmac.c:151
ret = <optimized out>
ctx = <optimized out>
fakelen = 18432
pad_char = '\000' <repeats 63 times>
__PRETTY_FUNCTION__ = "stun_sha1"
#7 0x00007f02be4f3fa5 in stun_agent_validate
(agent=agent@entry=0x7efa70600930, msg=msg@entry=0x7ef61ffce0e0, buffer=buffer@entry=0x7efb60000b20 "", buffer_len=buffer_len@entry=100, validater=validater@entry=0x7f02be4d9220 <conncheck_stun_validater>, validater_data=validater_data@entry=0x7ef61ffce0c0) at ../stun/stunagent.c:312
msg_id = "!\022�BHHpIG2oMLDUU"
len = <optimized out>
username = <optimized out>
username_len = 9
key = 0x7efa703801b1 "ChJuB6hXxjD1OcJkTS5WTb"
key_len = 22
hash = 0x7efb60000b68 "\217+Cv��\001�\022\033p��`\224��Y@�\200("
sha = "\202y\017\222�~\000\000ALO�\002\177\000\000�\022&`"
hlen = 20
implementation_version = 2818977792
sent_id_idx = -1
unknown = 48720
error_code = 32514
ignore_credentials = <optimized out>
long_term_key = '\000' <repeats 15 times>
long_term_key_valid = false
#8 0x00007f02be4de89d in conn_check_handle_inbound_stun
(agent=agent@entry=0x7f00a8063000, stream=stream@entry=0x7efa70380070, component=component@entry=0x7efa706007c0, nicesock=0x7efa140b09c0, from=0x7ef61ffcea70, buf=buf@entry=0x7efb60000b20 "", len=100) at ../agent/conncheck.c:4538
sockaddr =
{storage = {ss_family = 2, __ss_padding = "\224C�K\217 \000\000\000\000\000\000\000\000]\000\000\000�~\000\000��\234��U\000\000 x\020\210\002\177\000\000\001\224��\002\177\000\000\000\000\000\000\000\000\000\000�@\235��U", '\000' <repeats 30 times>, "\024\000\000\000\001\000\000\000�U\000\000�\214��\002\177\000\000\000��\037�~\000", __ss_align = 94171446444544}, addr = {sa_family = 2, sa_data = "\224C�K\217 \000\000\000\000\000\000\000"}}
rbuf = "\001\001\000<!\022�BqnN7RydrVRm0\000 \000\b\000\001�Q\220Y+b\000\006\000\t9ROA:Cl5I \000\b\000\024x@\224\000�0\002�z�<\037#b\037i�\020@B\200(\000\004�:\236�\000\000\000\000\000\000\000\000���\000\000\000\000\000m��\037�~\000\000\000\006�\030n�Ca\031�$�\002\177\000\000\004\000\000\000\000\000\000\000J�&�\002\177\000\000��ap�~\000\000\001\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000�W\000`�~\000\000;b��\002\177\000\000��$�\002\177\000\000x��\037�~\000\000\000\000\000\000\000\000\000\000"...
res = <optimized out>
rbuf_len = 1300
control = false
uname = "0��\037�~\000\000\v\000\000\000\000\000\000\000\v\000\000\000\000\000\000\000\v\000\000\000\000\000\000\000L��\037�~\000\000\231\033\224�\002\177\000\000\000U\000`�~\000\000�\024Ƚ\002\177\000\000\000\200���~\000\000\000\230\000`�~\000\000e\230\000`�~\000\000\000\230\000`�~\000\000\000\230\000`�~\000\000n\230\000`�~\000\000,\231\000`�~\000\000\000\230\000`�~\000\000,\231\000`�~", '\000' <repeats 43 times>, "��\037\200\000\000\000�%�\002\177\000\000\000\000$�\002\177\000\000\000\000\000\000\000\000\000\000"...
uname_len = <optimized out>
username = <optimized out>
username_len = 9
req = {agent = 0x7efa70600930, buffer = 0x7efb60000b20 "", buffer_len = 100, key = 0x0, key_len = 0, long_term_key = "�\230��\002\177\000\000���\037�~\000", long_term_valid = false}
msg =
{agent = 0x7efa70600930, buffer = 0x7ef61ffce4b0 "\001\001", buffer_len = 1300, key = 0x7efa703801b1 "ChJuB6hXxjD1OcJkTS5WTb", key_len = 22, long_term_key = "�\230��\002\177\000\000���\037�~\000", long_term_valid = false}
valid = <optimized out>
validater_data = {agent = 0x7f00a8063000, stream = 0x7efa70380070, component = 0x7efa706007c0, password = 0x0}
i = <optimized out>
j = <optimized out>
remote_candidate = 0x0
remote_candidate2 = 0x0
local_candidate = 0x0
discovery_msg = 0
__func__ = "conn_check_handle_inbound_stun"
#9 0x00007f02be4d3c92 in agent_recv_message_unlocked
(agent=agent@entry=0x7f00a8063000, stream=stream@entry=0x7efa70380070, component=component@entry=0x7efa706007c0, nicesock=<optimized out>, message=message@entry=0x7ef61ffceba0)
at ../agent/agent.c:4472
handled = <optimized out>
big_buf = 0x7efb60000b20 ""
big_buf_len = 100
validated_len = <optimized out>
provided_message = 0x7ef61ffceba0
rfc4571_message = {buffers = 0x7efa706068e0, n_buffers = -1114684665, from = 0x7efa706068e0, length = 139649746944902}
rfc4571_buf = {buffer = 0x1, size = 139649759564304}
from =
{s = {addr = {sa_family = 2, sa_data = "\224C�K\217 \000\000\000\000\000\000\000"}, ip4 = {sin_family = 2, sin_port = 17300, sin_addr = {s_addr = 546261937}, sin_zero = "\000\000\000\000\000\000\000"}, ip6 = {sin6_family = 2, sin6_port = 17300, sin6_flowinfo = 546261937, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 1610641920}}}
retval = <optimized out>
sockret = <optimized out>
__func__ = "agent_recv_message_unlocked"
#10 0x00007f02be4d4688 in component_io_cb (gsocket=<optimized out>, condition=<optimized out>, user_data=0x7f00ac017d20) at ../agent/agent.c:6038
local_bufs = {buffer = 0x7efa7063bbf0, size = 65535}
local_message = {buffers = 0x7ef61ffceb80, n_buffers = 1, from = 0x7ef61ffcea70, length = 100}
retval = <optimized out>
socket_source = 0x7f00ac017d20
component = 0x7efa706007c0
agent = 0x7f00a8063000
stream = 0x7efa70380070
has_io_callback = <optimized out>
remove_source = 0
__func__ = "component_io_cb"
#11 0x00007f02bdadc689 in () at /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#12 0x00007f02bd921e98 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007f02bd922288 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x00007f02bd922582 in g_main_loop_run () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#15 0x00007f02bdea3046 in switch_event_loop (data=0x7efa70057ec0) at src/switch_agent.c:30
loop = 0x7efa70057ec0
#16 0x00007f02bd94a4d5 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#17 0x00007f02bddd0fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
ret = <optimized out>
pd = <optimized out>
now = <optimized out>
unwind_buf =
{cancel_jmp_buf = {{jmp_buf = {139595563726592, 1744222245648002521, 139596385976462, 139596385976463, 139595563726592, 139614086332096, -1884607881233371687, -1859490361563615783}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#18 0x00007f02bdd01eff in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95