[ 
https://issues.apache.org/jira/browse/DISPATCH-1941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17275950#comment-17275950
 ] 

Jiri Daněk commented on DISPATCH-1941:
--------------------------------------

Reproducer test at https://github.com/apache/qpid-dispatch/pull/1010

{code}
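class CrashingHTTPTest(TestCase):
    """Reproducer for DISPATCH-1941: router crash in the HTTP1 adaptor.

    A standalone router is started with one HTTP1 ``httpListener`` and one
    HTTP1 ``httpConnector`` sharing the address ``examples``.  The test then
    plays both peers by hand: a client that sends a request and hangs up,
    followed by a "server" that answers with bytes that are not HTTP/1.x.

    The test contains no assertion of its own.  Presumably the surrounding
    harness reports the failure when the router process dies -- confirm
    against the TestCase/Qdrouterd teardown.
    """

    @classmethod
    def setUpClass(cls):
        """Start the router with freshly allocated ports for both HTTP ends."""
        super(CrashingHTTPTest, cls).setUpClass()

        cls.httpListener_port = cls.tester.get_port()
        cls.httpConnector_port = cls.tester.get_port()
        config = Qdrouterd.Config([
            ('router', {'mode': 'standalone', 'id': 'QDR'}),
            # NOTE(review): this listener binds to all interfaces while the
            # HTTP endpoints below stay on loopback.  For a test that feeds
            # the router crash-inducing input, 127.0.0.1 looks sufficient --
            # confirm nothing depends on the wildcard bind.
            ('listener', {'port': cls.tester.get_port(), 'role': 'normal',
                          'host': '0.0.0.0'}),
            ('httpListener', {
                'port': str(cls.httpListener_port),
                'address': 'examples',
                'host': '127.0.0.1',
                'protocolVersion': 'HTTP1'
            }),
            ('httpConnector', {
                'port': str(cls.httpConnector_port),
                'address': 'examples',
                'host': '127.0.0.1',
                'protocolVersion': 'HTTP1',
                'name': 'http-server'
            })
        ])

        cls.router_qdr = cls.tester.qdrouterd("http-crash-router", config,
                                              wait=True)

    def test_crash_http1_01_weird_server(self):
        """Send a request, drop the client, then reply with non-HTTP/1 bytes."""
        # One leading NUL byte followed by an otherwise ordinary request:
        #   GET /?amepif=hnpkjg HTTP/1.1
        #   X-Block-Me: please @ spambot_irc + select union
        #   User-Agent: script-httpwookiee @ spambot_irc + select union
        #   X-Wookiee: 140086675482000
        #   Host: localhost.localdomain
        client_request_to_router = (
            0x00, 0x47, 0x45, 0x54, 0x20, 0x2f, 0x3f, 0x61,
            0x6d, 0x65, 0x70, 0x69, 0x66, 0x3d, 0x68, 0x6e,
            0x70, 0x6b, 0x6a, 0x67, 0x20, 0x48, 0x54, 0x54,
            0x50, 0x2f, 0x31, 0x2e, 0x31, 0x0d, 0x0a, 0x58,
            0x2d, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x4d,
            0x65, 0x3a, 0x20, 0x70, 0x6c, 0x65, 0x61, 0x73,
            0x65, 0x20, 0x40, 0x20, 0x73, 0x70, 0x61, 0x6d,
            0x62, 0x6f, 0x74, 0x5f, 0x69, 0x72, 0x63, 0x20,
            0x2b, 0x20, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74,
            0x20, 0x75, 0x6e, 0x69, 0x6f, 0x6e, 0x0d, 0x0a,
            0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65,
            0x6e, 0x74, 0x3a, 0x20, 0x73, 0x63, 0x72, 0x69,
            0x70, 0x74, 0x2d, 0x68, 0x74, 0x74, 0x70, 0x77,
            0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x65, 0x20, 0x40,
            0x20, 0x73, 0x70, 0x61, 0x6d, 0x62, 0x6f, 0x74,
            0x5f, 0x69, 0x72, 0x63, 0x20, 0x2b, 0x20, 0x73,
            0x65, 0x6c, 0x65, 0x63, 0x74, 0x20, 0x75, 0x6e,
            0x69, 0x6f, 0x6e, 0x0d, 0x0a, 0x58, 0x2d, 0x57,
            0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x65, 0x3a, 0x20,
            0x31, 0x34, 0x30, 0x30, 0x38, 0x36, 0x36, 0x37,
            0x35, 0x34, 0x38, 0x32, 0x30, 0x30, 0x30, 0x0d,
            0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, 0x6c,
            0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74,
            0x2e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x64, 0x6f,
            0x6d, 0x61, 0x69, 0x6e, 0x0d, 0x0a, 0x0d, 0x0a)

        # The client goes away right after sending; nothing is read back.
        # sendall() guarantees the whole request is written, and the `with`
        # block closes the socket even if the send raises.
        with socket.create_connection(
                ('localhost', self.httpListener_port)) as client:
            client.sendall(bytes(client_request_to_router))

        # 15 bytes laid out like an HTTP/2 SETTINGS frame (length 6, type
        # 0x04, stream 0, setting 0x0003 = 100), i.e. not an HTTP/1.x
        # response at all.
        server_reply_to_router = (
            0x00, 0x00, 0x06, 0x04, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64)

        # The server side is only bound now, after the request was sent, so
        # the router has to retry its httpConnector to reach it.
        with socket.socket() as server:
            server.bind(('localhost', self.httpConnector_port))
            server.listen()
            # NOTE(review): accept() has no timeout; if the router never
            # connects, the test hangs instead of failing.
            conn, _peer = server.accept()
            with conn:
                conn.sendall(bytes(server_reply_to_router))

        import time
        # Give the router time to realize the ground has disappeared under
        # it and crash!
        time.sleep(10)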
{code}

> Crash in HTTP1 adaptor: member access within null pointer of type 'const 
> struct qd_buffer_t'
> --------------------------------------------------------------------------------------------
>
>                 Key: DISPATCH-1941
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-1941
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Protocol Adaptors
>            Reporter: Jiri Daněk
>            Priority: Major
>
> https://github.com/jiridanek/qpid-dispatch/runs/1801886361?check_suite_focus=true#step:9:1844
> {noformat}
> ../include/qpid/dispatch/buffer.h:83:44: runtime error: member access within 
> null pointer of type 'const struct qd_buffer_t'
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==31711==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 
> 0x7fb51d73dd10 bp 0x7fb50883e7b0 sp 0x7fb50883e790 T4)
> ==31711==The signal is caused by a READ memory access.
> ==31711==Hint: address points to the zero page.
>     #0 0x7fb51d73dd10 in qd_buffer_cursor ../include/qpid/dispatch/buffer.h:83
>     #1 0x7fb51d741af7 in ensure_outgoing_capacity 
> ../src/adaptors/http1/http1_codec.c:346
>     #2 0x7fb51d741bbd in write_string ../src/adaptors/http1/http1_codec.c:356
>     #3 0x7fb51d753cf3 in h1_codec_tx_request 
> ../src/adaptors/http1/http1_codec.c:1448
>     #4 0x7fb51d79435a in _send_request_headers 
> ../src/adaptors/http1/http1_server.c:1291
>     #5 0x7fb51d795193 in _encode_request_message 
> ../src/adaptors/http1/http1_server.c:1369
>     #6 0x7fb51d79671b in _send_request_message 
> ../src/adaptors/http1/http1_server.c:1431
>     #7 0x7fb51d7973e7 in qdr_http1_server_core_link_deliver 
> ../src/adaptors/http1/http1_server.c:1505
>     #8 0x7fb51d761042 in _core_link_deliver 
> ../src/adaptors/http1/http1_adaptor.c:569
>     #9 0x7fb51d96fc71 in qdr_link_process_deliveries 
> ../src/router_core/transfer.c:176
>     #10 0x7fb51d760d1b in _core_link_push 
> ../src/adaptors/http1/http1_adaptor.c:550
>     #11 0x7fb51d8ab61e in qdr_connection_process 
> ../src/router_core/connections.c:412
>     #12 0x7fb51d786664 in _do_reconnect 
> ../src/adaptors/http1/http1_server.c:417
>     #13 0x7fb51d9f701a in qd_timer_visit ../src/timer.c:201
>     #14 0x7fb51d9e59c5 in handle ../src/server.c:1008
>     #15 0x7fb51d9e764d in thread_run ../src/server.c:1122
>     #16 0x7fb51d87006f in _thread_init ../src/posix/threading.c:172
>     #17 0x7fb51d18beac in start_thread 
> (/nix/store/9df65igwjmf2wbw0gbrrgair6piqjgmi-glibc-2.31/lib/libpthread.so.0+0x7eac)
>     #18 0x7fb51c327d2e in __GI___clone 
> (/nix/store/9df65igwjmf2wbw0gbrrgair6piqjgmi-glibc-2.31/lib/libc.so.6+0xf7d2e)
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV ../include/qpid/dispatch/buffer.h:83 in 
> qd_buffer_cursor
> Thread T4 created by T0 here:
>     #0 0x7fb51e1a22a2 in __interceptor_pthread_create 
> (/nix/store/9f76hk7scn4lll0rc7da0rixhgc8r28a-gcc-10.2.0-lib/lib/libasan.so.6+0x582a2)
>     #1 0x7fb51d8701da in sys_thread ../src/posix/threading.c:181
>     #2 0x7fb51d9ee89d in qd_server_run ../src/server.c:1482
>     #3 0x4026e4 in main_process ../router/src/main.c:113
>     #4 0x404564 in main ../router/src/main.c:367
>     #5 0x7fb51c253c7c in __libc_start_main 
> (/nix/store/9df65igwjmf2wbw0gbrrgair6piqjgmi-glibc-2.31/lib/libc.so.6+0x23c7c)
> ==31711==ABORTING
> <<<<
> {noformat}


