libnice issues
https://gitlab.freedesktop.org/libnice/libnice/-/issues
2018-11-19T00:19:37Z
https://gitlab.freedesktop.org/libnice/libnice/-/issues/54
AddressSanitizer: heap-use-after-free on udp-bsd sock->priv->gaddr
2018-11-19T00:19:37Z
Fabrice Bellet
fabrice@bellet.info
Since a couple of commits, I see this heap-use-after-free error:
```
=================================================================
==21979==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600064a988 at pc 0x7f397a5ae631 bp 0x7f390ade18f0 sp 0x7f390ade18e0
READ of size 4 at 0x60600064a988 thread T3504 (nicesrc568:src)
#0 0x7f397a5ae630 in g_object_unref /home/bellet/Development/glib/gobject/gobject.c:3246
#1 0x7f397a5ae630 in g_object_unref /home/bellet/Development/glib/gobject/gobject.c:3236
#2 0x7f39197c1695 in socket_send_message /home/bellet/Development/libnice/socket/udp-bsd.c:263
#3 0x7f39197c1695 in socket_send_messages /home/bellet/Development/libnice/socket/udp-bsd.c:305
#4 0x7f39197ba538 in nice_socket_send /home/bellet/Development/libnice/socket/socket.c:226
#5 0x7f391978a13e in agent_socket_send /home/bellet/Development/libnice/agent/agent.c:6582
#6 0x7f3919790166 in priv_conn_keepalive_tick_unlocked /home/bellet/Development/libnice/agent/conncheck.c:1437
#7 0x7f3919790a82 in priv_update_selected_pair /home/bellet/Development/libnice/agent/conncheck.c:1738
#8 0x7f391979c2ea in priv_map_reply_to_conn_check_request /home/bellet/Development/libnice/agent/conncheck.c:3242
#9 0x7f391979c2ea in conn_check_handle_inbound_stun /home/bellet/Development/libnice/agent/conncheck.c:4236
#10 0x7f39197865d7 in agent_recv_message_unlocked /home/bellet/Development/libnice/agent/agent.c:3999
#11 0x7f391978789c in component_io_cb /home/bellet/Development/libnice/agent/agent.c:5317
#12 0x7f397bc5d995 in socket_source_dispatch /home/bellet/Development/glib/gio/gsocket.c:3843
#13 0x7f397a22f19b in g_main_dispatch /home/bellet/Development/glib/glib/gmain.c:3178
#14 0x7f397a22f19b in g_main_context_dispatch /home/bellet/Development/glib/glib/gmain.c:3831
#15 0x7f397a22fa97 in g_main_context_iterate /home/bellet/Development/glib/glib/gmain.c:3904
#16 0x7f397a23007f in g_main_loop_run /home/bellet/Development/glib/glib/gmain.c:4100
#17 0x7f391760f073 (/usr/lib64/gstreamer-1.0/libgstnice.so+0x3073)
#18 0x7f39886e36ff in gst_push_src_create /home/bellet/Development/gstreamer/libs/gst/base/gstpushsrc.c:131
#19 0x7f39886b1f4c in gst_base_src_get_range /home/bellet/Development/gstreamer/libs/gst/base/gstbasesrc.c:2512
#20 0x7f39886b6045 in gst_base_src_loop /home/bellet/Development/gstreamer/libs/gst/base/gstbasesrc.c:2836
#21 0x7f39882dd683 in gst_task_func /home/bellet/Development/gstreamer/gst/gsttask.c:332
#22 0x7f39882df183 in default_func /home/bellet/Development/gstreamer/gst/gsttaskpool.c:69
#23 0x7f397a2854d6 in g_thread_pool_thread_proxy /home/bellet/Development/glib/glib/gthreadpool.c:307
#24 0x7f397a284385 in g_thread_proxy /home/bellet/Development/glib/glib/gthread.c:784
#25 0x7f3978835593 in start_thread (/lib64/libpthread.so.0+0x7593)
#26 0x7f3978568e6e in clone (/lib64/libc.so.6+0xf9e6e)
0x60600064a988 is located 40 bytes inside of 64-byte region [0x60600064a960,0x60600064a9a0)
freed by thread T3503 here:
#0 0x7f3989bd5880 in __interceptor_free (/usr/lib64/libasan.so.5+0xee880)
#1 0x7f397a23cd25 in g_free /home/bellet/Development/glib/glib/gmem.c:194
#2 0x7f397a270be9 in g_slice_free1 /home/bellet/Development/glib/glib/gslice.c:1136
#3 0x7f397a5f16ed in g_type_free_instance /home/bellet/Development/glib/gobject/gtype.c:1943
#4 0x7f397a5ae623 in g_object_unref /home/bellet/Development/glib/gobject/gobject.c:3355
#5 0x7f397a5ae623 in g_object_unref /home/bellet/Development/glib/gobject/gobject.c:3236
#6 0x7f39197c1695 in socket_send_message /home/bellet/Development/libnice/socket/udp-bsd.c:263
#7 0x7f39197c1695 in socket_send_messages /home/bellet/Development/libnice/socket/udp-bsd.c:305
#8 0x7f39197ba141 in nice_socket_send_messages /home/bellet/Development/libnice/socket/socket.c:153
#9 0x7f39197c5124 in _socket_send_messages_wrapped /home/bellet/Development/libnice/socket/udp-turn.c:658
#10 0x7f39197c55be in _socket_send_wrapped /home/bellet/Development/libnice/socket/udp-turn.c:721
#11 0x7f39197c7010 in priv_retransmissions_tick_unlocked /home/bellet/Development/libnice/socket/udp-turn.c:1764
#12 0x7f39197c8f68 in priv_retransmissions_tick /home/bellet/Development/libnice/socket/udp-turn.c:1860
#13 0x7f397a23049d in g_timeout_dispatch /home/bellet/Development/glib/glib/gmain.c:4651
#14 0x7f397a22f19b in g_main_dispatch /home/bellet/Development/glib/glib/gmain.c:3178
#15 0x7f397a22f19b in g_main_context_dispatch /home/bellet/Development/glib/glib/gmain.c:3831
#16 0x7f397a22fa97 in g_main_context_iterate /home/bellet/Development/glib/glib/gmain.c:3904
#17 0x7f397a23007f in g_main_loop_run /home/bellet/Development/glib/glib/gmain.c:4100
#18 0x7f3919a24cb0 in fs_nice_agent_main_thread /home/bellet/Development/farstream/transmitters/nice/fs-nice-agent.c:313
#19 0x7f397a284385 in g_thread_proxy /home/bellet/Development/glib/glib/gthread.c:784
#20 0x7f3978835593 in start_thread (/lib64/libpthread.so.0+0x7593)
```
I didn't bisect the case precisely, but it could be related to the removal of the global agent lock with commit da41258a.
Olivier Crête
olivier.crete@ocrete.ca
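Both stacks in the report sit inside socket_send_message at udp-bsd.c:263, one thread freeing the cached destination address while the other still reads it. As an added example (not libnice's code), this is the shape of a per-socket lock around such a cache with a reference held across the send; the UdpSock and Addr types, the cache layout and the live-object counter are constructed assumptions modelled on the trace, not libnice's actual structures.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for the refcounted GSocketAddress that udp-bsd caches (constructed). */
typedef struct { atomic_int refs; const char *host; int port; } Addr;
static atomic_int live_addrs;                 /* constructed counter: allocs minus frees */
static Addr *addr_new(const char *host, int port) {
    Addr *a = calloc(1, sizeof *a); atomic_init(&a->refs, 1);
    a->host = host; a->port = port;           /* host points at a string literal here */
    atomic_fetch_add(&live_addrs, 1);
    return a;
}
static void addr_unref(Addr *a) {
    if (atomic_fetch_sub(&a->refs, 1) == 1) { atomic_fetch_sub(&live_addrs, 1); free(a); }
}
/* One UDP socket: cached destination plus the per-socket lock that must replace the
 * serialization the global agent lock used to provide. */
typedef struct { pthread_mutex_t lock; Addr *gaddr; } UdpSock;
/* Compare-and-replace the cache under the lock and hold a private reference while
 * sending. Checking, unref'ing and replacing gaddr with no lock, as the two threads
 * in the report did concurrently, lets one thread free the address the other is using. */
static void udp_sock_send(UdpSock *s, const char *host, int port) {
    Addr *old = NULL, *use;
    pthread_mutex_lock(&s->lock);
    if (!s->gaddr || s->gaddr->port != port || strcmp(s->gaddr->host, host) != 0) {
        old = s->gaddr;                       /* released below, outside the lock */
        s->gaddr = addr_new(host, port);
    }
    use = s->gaddr;
    atomic_fetch_add(&use->refs, 1);
    pthread_mutex_unlock(&s->lock);
    /* sendmsg() to use->host:use->port would go here */
    addr_unref(use);
    if (old) addr_unref(old);
}
static void *worker(void *arg) {              /* alternates between two destinations */
    for (int i = 0; i < 20000; i++)
        udp_sock_send(arg, i & 1 ? "192.0.2.1" : "192.0.2.2", 3478);
    return NULL;
}
/* Runs n (at most 16) threads on one socket, tears it down, and returns how many
 * addresses are still alive: 0 means every ref/unref pair balanced under contention. */
int run_concurrent_sends(int n) {
    UdpSock s = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pthread_t th[16]; if (n > 16) n = 16;
    for (int i = 0; i < n; i++) pthread_create(&th[i], NULL, worker, &s);
    for (int i = 0; i < n; i++) pthread_join(th[i], NULL);
    if (s.gaddr) addr_unref(s.gaddr);
    return atomic_load(&live_addrs);
}
```

Building with -fsanitize=address and dropping the lock/extra reference reproduces the class of report above, which is why the refcount is taken inside the critical section.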
https://gitlab.freedesktop.org/libnice/libnice/-/issues/33
segfault in g_socket_send_message
2018-11-22T00:34:59Z
Bugzilla Migration User
## Submitted by Brian J. Murrell `@brianjmurrell`
Assigned to **Brian J. Murrell `@brianjmurrell`**
**[Link to original bug (#7869)](https://phabricator.freedesktop.org/T7869)**
## Description
I'm trying to use https://github.com/tieto/sipe on Fedora 26, which has:
```
$ rpm -qa | grep nice
libnice-devel-0.1.13-8.fc26.x86_64
libnice-0.1.13-8.fc26.x86_64
libnice-gstreamer1-0.1.13-8.fc26.x86_64
```
and getting a [segfault](https://github.com/tieto/sipe/files/1492935/ThreadStacktrace.txt) where the top 10 frames are:
```
# 0 0x00007f216e3569fb in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
# 1 0x00007f216e358800 in __GI_abort () at abort.c:89
# 2 0x000055fe5374904a in sighandler (sig=<optimized out>) at gtkmain.c:179
# 3 0x00007f216e7073b0 in <signal handler called> () at /lib64/libpthread.so.0
# 4 0x00007f2171f87934 in g_socket_send_message (socket=0x0, address=address@entry=0x0, vectors=0x7f20ec0113d0, num_vectors=2, messages=messages@entry=0x0, num_messages=num_messages@entry=0, flags=0, cancellable=0x0, error=0x7f2115ff7ca0) at gsocket.c:4254
# 5 0x00007f21582a5238 in socket_send_message (sock=sock@entry=0x7f2100042c30, message=message@entry=0x7f2115ff7da0, reliable=reliable@entry=0) at tcp-bsd.c:306
# 6 0x00007f21582a54a3 in socket_send_messages (sock=0x7f2100042c30, to=<optimized out>, messages=<optimized out>, n_messages=1) at tcp-bsd.c:360
# 7 0x00007f215828e5e1 in nice_agent_send_messages_nonblocking_internal (agent=0x55fe55914cd0 [NiceAgent], stream_id=<optimized out>, component_id=<optimized out>, messages=0x55fe566f2230, messages@entry=0x53c205021defcc00, n_messages=n_messages@entry=1, allow_partial=allow_partial@entry=0, error=0x0) at agent.c:4539
# 8 0x00007f215828eb87 in nice_agent_send_messages_nonblocking (agent=<optimized out>, stream_id=<optimized out>, component_id=<optimized out>, messages=0x53c205021defcc00, messages@entry=0x55fe566f2230, n_messages=n_messages@entry=1, cancellable=cancellable@entry=0x0, error=<optimized out>) at agent.c:4624
# 9 0x00007f21344f12ca in gst_nice_sink_render_buffers (sink=sink@entry=0x55fe5670a4f0 [GstNiceSink], buffers=buffers@entry=0x7f2115ff7ed8, num_buffers=num_buffers@entry=1, mem_nums=mem_nums@entry=0x7f2115ff7ee7 "\001", total_mem_num=<optimized out>) at gstnicesink.c:297
```
Is this a known issue that I need a fix for or should 0.1.13 be stable enough to use with pidgin-sipe?
It's very well worth mentioning that the Fedora packaging of 0.1.13 has a [nice sized patch](http://pkgs.fedoraproject.org/cgit/rpms/libnice.git/tree/libnice-0.1.13-20160610.patch?h=f26) on it.
0.1.15
Olivier Crête
olivier.crete@ocrete.ca
https://gitlab.freedesktop.org/libnice/libnice/-/issues/20
Crash in pseudo_tcp_socket_close()
2020-11-18T10:08:43Z
Bugzilla Migration User
## Submitted by Jakub Adam `@xhaakon`
Assigned to **Jakub Adam `@xhaakon`**
**[Link to original bug (#7459)](https://phabricator.freedesktop.org/T7459)**
## Description
libnice may crash with the following stack when a stream is being removed:
```
# 0 0x00007ffff0749044 in g_socket_send_message (socket=0x0, address=0x0, vectors=0x7ffffffeaaa0, num_vectors=1, messages=0x0, num_messages=0, flags=0, cancellable=0x0, error=0x7ffffffea980) at /build/glib2.0-wnDt2X/glib2.0-2.48.1/./gio/gsocket.c:4255
# 1 0x00007fffd5d99b9f in socket_send_message (sock=0x7fff50002120, message=0x7ffffffeaa90, reliable=0) at tcp-bsd.c:308
priv = 0x7fff50003400
ret = 54100183102001
gerr = 0x0
message_len = 24
# 2 0x00007fffd5d99d96 in socket_send_messages (sock=0x7fff50002120, to=0x555556a499e8, messages=0x7ffffffeaa90, n_messages=1) at tcp-bsd.c:363
message = 0x7ffffffeaa90
len = 140737345555503
i = 0
# 3 0x00007fffd5d97804 in nice_socket_send_messages (sock=0x7fff50002120, to=0x555556a499e8, messages=0x7ffffffeaa90, n_messages=1) at socket.c:153
__func__ = "nice_socket_send_messages"
# 4 0x00007fffd5d9a415 in socket_send_messages (sock=0x5555569cb0b0, to=0x555556a499e8, messages=0x7ffffffeaa90, n_messages=1) at tcp-passive.c:211
peer_socket = 0x7fff50002120
priv = 0x55555595d540
# 5 0x00007fffd5d97957 in nice_socket_send (sock=0x5555569cb0b0, to=0x555556a499e8, len=24, buf=0x7ffffffeab80 "") at socket.c:226
local_buf = {buffer = 0x7ffffffeab80, size = 24}
local_message = {buffers = 0x7ffffffeaaa0, n_buffers = 1}
ret = 32767
# 6 0x00007fffd5d75be7 in pseudo_tcp_socket_write_packet (psocket=0x555555963b00 [PseudoTcpSocket], buffer=0x7ffffffeab80 "", len=24, user_data=0x55555687dc00) at agent.c:1775
sock = 0x5555569cb0b0
addr = 0x555556a499e8
component = 0x55555687dc00 [NiceComponent]
__func__ = "pseudo_tcp_socket_write_packet"
# 7 0x00007fffd5d8f3ac in packet (self=0x555555963b00 [PseudoTcpSocket], seq=0, flags=FLAG_RST, offset=0, len=0, now=375458652) at pseudotcp.c:1415
priv = 0x55555687a310
buffer = {u8 = '\000' <repeats 13 times>, "\004\360\000\026a\v\\\000\000\000\000f\252G\033\320|\374Z", '\000' <repeats 160 times>, "\300Z\311\314\377\177\000\000"..., u16 = {0, 0, 0, 0, 0, 0, 1024, 240, 24854, 23563, 0, 0, 43622, 6983, 31952, 23292, 0 <repeats 80 times>, 23232, 52425, 32767, 0, 20416, 52425, 32767, 0, 10992, 22125, 21845, 0, 0, 0, 0, 0, 6416, 59872, 32767, 0, 10992, 22125, 21845, 0 <repeats 15 times>, 32797, 0, 74, 48, 0, 0, 0, 0, 0, 0, 25120, 22132, 21845, 0, 0, 0, 0, 0, 417, 0, 0, 0, 4448, 22125, 21845, 0, 0, 0, 0, 0, 1040, 0 <repeats 11 times>, 45408, 59871, 32767, 0, 45488, 59871, 32767, 0, 12288, 22132, 21845, 0, 64, 0, 0, 0, 46834, 24115, 0 <repeats 42 times>, 16, 0, 16, 0, 16, 0, 0, 0, 64, 0, 0, 0, 16, 0, 16, 0, 20036, 18757, 0, 0, 4511, 22125, 21845, 0, 4383, 22125, 21845, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 24706, 44610, 0 <repeats 11 times>, 1536, 8, 1056, 2048, 8224, 0, 0, 0, 0, 2979, 63357, 32767, 0, 0, 0, 0, 0, 13024...}, u32 = {0, 0, 0, 15729664, 1544249622, 0, 457681510, 1526496464, 0 <repeats 40 times>, 3435748032, 32767, 3435745216, 32767, 1449994992, 21845, 0, 0, 3923777808, 32767, 1449994992, 21845, 0, 0, 0, 0, 0, 0, 0, 32797, 3145802, 0, 0, 0, 1450467872, 21845, 0, 0, 417, 0, 1449988448, 21845, 0, 0, 1040, 0, 0, 0, 0, 0, 3923751264, 32767, 3923751344, 32767, 1450455040, 21845, 64, 0, 1580447474, 0 <repeats 21 times>, 16, 16, 16, 0, 64, 0, 16, 16, 1229278788, 0, 1449988511, 21845, 1449988383, 21845, 0, 0, 0, 0, 64, 0, 0, 2923585666, 0, 0, 0, 0, 0, 100663296, 69206024, 538970112, 0, 0, 4152167331, 32767, 0, 0, 1436431072, 21845, 0, 0, 253, 0, 4294881184, 32767, 1450467328, 21845, 1443646928, 21845, 1450000528, 21845, 1441175104, 21845, 4025674725, 32767, 0, 0, 526344, 8, 0, 0, 0, 0, 0, 0, 0, 0, 4294881200, 32767, 0, 0, 1436431072, 21845, 3435749008, 32767, 0, 0, 0, 0, 0, 0, 1450467888, 21845, 1450467340, 21845, 0, 0, 253, 0, 0, 0, 0, 0, 0, 0, 6, 0 <repeats 29 times>, 3435749904, 32767, 3435745248, 32767, 0, 0, 0, 0, 
4116451840, 3929404425, 0, 0, 1436431072, 21845, 1450467328, 21845, 1443646928, 21845...}}
wres = WR_SUCCESS
__func__ = "packet"
# 8 0x00007fffd5d9112b in transmit (self=0x555555963b00 [PseudoTcpSocket], segment=0x555556a65e70, now=375458652) at pseudotcp.c:1967
seq = 0
flags = 4 '\004'
wres = WR_SUCCESS
priv = 0x55555687a310
nTransmit = 0
__func__ = "transmit"
# 9 0x00007fffd5d918e3 in attempt_send (self=0x555555963b00 [PseudoTcpSocket], sflags=sfRst) at pseudotcp.c:2131
cwnd = 180
nInFlight = 0
iter = 0x5555559724e0
sseg = 0x555556a65e70
nWindow = 1
nUseable = 1
nAvailable = 0
snd_buffered = 0
priv = 0x55555687a310
now = 375458652
bFirst = 0
# 10 0x00007fffd5d919ad in closedown (self=0x555555963b00 [PseudoTcpSocket], err=103, source=CLOSEDOWN_LOCAL) at pseudotcp.c:2152
priv = 0x55555687a310
# 11 0x00007fffd5d8ed41 in pseudo_tcp_socket_close (self=0x555555963b00 [PseudoTcpSocket], force=1) at pseudotcp.c:1239
priv = 0x55555687a310
# 12 0x00007fffd5d70a85 in nice_component_close (cmp=0x55555687dc00 [NiceComponent]) at component.c:283
data = 0x55555676a8a0
vec = 0x7fffd5d89d30 <discovery_free+38>
# 13 0x00007fffd5d8152e in nice_stream_close (stream=0x55555687a8c0 [NiceStream]) at stream.c:88
component = 0x55555687dc00 [NiceComponent]
i = 0x555555ef8950
# 14 0x00007fffd5d78ee9 in nice_agent_remove_stream (agent=0x555555cf8cb0 [NiceAgent], stream_id=1) at agent.c:3027
stream_ids = {1, 0}
stream = 0x55555687a8c0 [NiceStream]
__func__ = "nice_agent_remove_stream"
# 15 0x00007fff5a1232d8 in fs_nice_stream_transmitter_stop (streamtransmitter=0x55555676acb0 [FsNiceStreamTransmitter]) at fs-nice-stream-transmitter.c:517
self = 0x55555676acb0 [FsNiceStreamTransmitter]
gststream = 0x555555a1a1c0
stream_id = 1
...
```
It seems this happens when pseudo-TCP writes to a TCP-passive socket (which makes little sense to me - I don't care about the pseudo-TCP socket when using actual TCP, but it gets created anyway).
I think the TCP passive socket crashes because its `connections` (from `TcpPassivePriv`) contains a reference to `NiceSocket` that has been already destroyed, but gets selected and used as `peer_socket` in `socket_send_messages()` (`# 4` on the stack). So, when cleaning up a socket in `nice_component_remove_socket()`, we should probably check and remove it also from `connections` lists of TCP-passives.
Olivier Crête
olivier.crete@ocrete.ca
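The fix sketched in the description, as an added example rather than libnice's own code: a passive socket's connection list is purged of a socket before that socket is freed, and a count of list entries still pointing at the freed socket shows the difference against the unpurged path (the same stale pointer that ends up as `peer_socket` in frame `# 4`). The Addr, Sock, Conn, TcpPassive and Component types and the purge flag are constructed stand-ins, not libnice's definitions.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for libnice's types; not libnice's own definitions. */
typedef struct { char host[16]; int port; } Addr;
typedef struct { Addr peer; int fd; } Sock;                  /* a NiceSocket accepted by tcp-passive */
typedef struct Conn { Sock *sock; struct Conn *next; } Conn;
typedef struct { Conn *connections; } TcpPassive;            /* TcpPassivePriv::connections */
typedef struct { TcpPassive *passives[4]; int n_passives; } Component;
static int addr_equal(const Addr *a, const Addr *b) {
    return a->port == b->port && strcmp(a->host, b->host) == 0;
}
/* tcp-passive's send path: choose the accepted peer socket whose address matches `to`. */
static Sock *tcp_passive_lookup(TcpPassive *p, const Addr *to) {
    for (Conn *c = p->connections; c; c = c->next)
        if (addr_equal(&c->sock->peer, to)) return c->sock;
    return NULL;
}
static void tcp_passive_add(TcpPassive *p, Sock *s) {
    Conn *c = malloc(sizeof *c);
    c->sock = s; c->next = p->connections; p->connections = c;
}
/* The fix the report proposes: unlink the socket from every passive socket's list
 * before it is freed, so no list can hand the send path a dangling pointer. */
static void tcp_passive_forget(TcpPassive *p, const Sock *s) {
    for (Conn **pp = &p->connections; *pp; ) {
        if ((*pp)->sock == s) { Conn *dead = *pp; *pp = dead->next; free(dead); }
        else pp = &(*pp)->next;
    }
}
static void component_remove_socket(Component *c, Sock *s, int purge) {
    if (purge)                               /* purge == 0 mirrors the behaviour in the report */
        for (int i = 0; i < c->n_passives; i++) tcp_passive_forget(c->passives[i], s);
    free(s);
}
/* Accepts one peer, removes it the chosen way, and returns how many list entries
 * still point at the freed socket (-1 if the lookup failed before removal).
 * Only pointer values are compared afterwards; the freed memory is never touched. */
int stale_entries_after_remove(int purge) {
    TcpPassive passive = { NULL };
    Component comp = { { &passive }, 1 };
    Sock *peer = calloc(1, sizeof *peer);
    strcpy(peer->peer.host, "192.0.2.10"); peer->peer.port = 5000;   /* constructed peer */
    tcp_passive_add(&passive, peer);
    if (tcp_passive_lookup(&passive, &peer->peer) != peer) return -1;
    component_remove_socket(&comp, peer, purge);
    int stale = 0; for (Conn *c = passive.connections; c; c = c->next) stale += (c->sock == peer);
    while (passive.connections) { Conn *n = passive.connections->next; free(passive.connections); passive.connections = n; }
    return stale;
}
```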