[libnice] NULL dereference on socket_is_reliable
Philip Withnall
philip at tecnocode.co.uk
Tue Nov 17 16:14:24 PST 2015
Hi,
Sorry for the slow reply.
On Thu, 2015-11-05 at 23:11 -0300, alberto wrote:
> <<<
> …
> (process:350): libnice-DEBUG: Agent 0x9a0e000: NiceSocket 0x9a16d20 has received HUP
This is the cause of your problem — the NiceSocket has been closed due
to receiving HUP. The crash is a symptom of trying to perform
operations on a closed socket.
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0xe8affb40 (LWP 413)]
> 0xf55c5896 in socket_is_reliable (sock=0x9a16d20) at udp-turn-over-tcp.c:442
> 442 return nice_socket_is_reliable (priv->base_socket);
> (gdb) where
> #0 0xf55c5896 in socket_is_reliable (sock=0x9a16d20) at udp-turn-over-tcp.c:442
> #1 0xf55c297d in nice_socket_is_reliable (sock=sock@entry=0x9a16d20) at socket.c:249
> #2 0xf55b1696 in agent_socket_send (sock=0x9a16d20, addr=addr@entry=0x9aae6ac, len=92, buf=buf@entry=0x9ab0c88 "") at agent.c:5992
> #3 0xf55b8a07 in priv_discovery_tick_unlocked (pointer=pointer@entry=0x9a0e000) at discovery.c:1130
> #4 0xf55b8b42 in priv_discovery_tick (pointer=0x9a0e000) at discovery.c:1189
> #5 0xf545c312 in g_timeout_dispatch () from /usr/lib/libglib-2.0.so.0
> #6 0xf545a5b5 in g_main_dispatch () from /usr/lib/libglib-2.0.so.0
> #7 0xf545b175 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
> #8 0xf545b362 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
> #9 0xf545b7dc in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
> #10 0x08bbfac7 in DataChannel::Loop () at Src/datachannel/DataChannel.cpp:598
> #11 0x0915e83e in StartSeparateDelegateThread (thr=0x8bbfa66 <DataChannel::Loop()>) at Src/Threads.cpp:73
> #12 0xf5395f70 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
> #13 0xf52cbbee in clone () from /lib/i386-linux-gnu/libc.so.6
> (gdb) p sock
> $1 = (NiceSocket *) 0x9a16d20
> (gdb) p sock->priv
> $2 = (void *) 0x0
> (gdb)
> >>>
>
> If we modify the file udp-turn-over-tcp.c on line 442 in the
> following way:
>
> 442 return priv->base_socket != NULL && nice_socket_is_reliable (priv->base_socket);
That said, the rest of the methods in udp-turn-over-tcp.c check whether
(socket->priv != NULL) before doing any work, so the
socket_is_reliable() method probably should too.
If you could write a patch for that and attach it here, that would be
great:
https://phabricator.freedesktop.org/maniphest/task/create/?projects=libnice
Thanks,
Philip
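Editor's added example, not libnice code: a minimal model of the socket-wrapper pattern in the trace above. One thing worth seeing side by side is the difference between the two candidate guards. The gdb session shows `sock->priv` is `0x0`; if, as that output suggests, `priv` in the crashing frame is `sock->priv`, then a guard written as `priv->base_socket != NULL` still reads through the NULL `priv` and crashes on the same line, whereas a guard on `priv` itself (the pattern the other methods in the file use) declines cleanly. All identifiers here (`nice_socket`, `turn_tcp_priv`, `turn_tcp_close`, `run_hup_scenario`) are assumptions for the example and not libnice's own.

```c
/* Added example (not libnice code). Models a wrapper socket whose private
 * state is released when the connection hangs up, then replays the reported
 * sequence: a timer-driven send on the already-closed socket.
 * All names below are assumptions for this example, not libnice identifiers. */
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

struct nice_socket {
    void *priv;                                    /* private state; NULL once closed */
    bool (*is_reliable)(struct nice_socket *sock);
    void (*close)(struct nice_socket *sock);
};

/* Private state of the TURN-over-TCP wrapper: it forwards to a base socket. */
struct turn_tcp_priv {
    struct nice_socket *base_socket;
};

/* Base (plain TCP) socket used underneath the wrapper. */
static bool tcp_is_reliable(struct nice_socket *sock) { (void)sock; return true; }
static void tcp_close(struct nice_socket *sock) { (void)sock; }

/* Model of the HUP path: the wrapper releases its private state and leaves
 * sock->priv == NULL, the state the gdb session above observed ($2 = 0x0). */
static void turn_tcp_close(struct nice_socket *sock)
{
    struct turn_tcp_priv *priv = sock->priv;
    if (priv == NULL)
        return;
    priv->base_socket->close(priv->base_socket);
    free(priv);
    sock->priv = NULL;
}

/* Variant A: the shape of the crashing method. priv is used unconditionally, so
 * on a closed socket the first read through it is a NULL dereference. Guarding on
 * priv->base_socket != NULL alone would not help: that test already reads through
 * priv. The scenario below only calls this variant while the socket is open. */
static bool turn_tcp_is_reliable_unchecked(struct nice_socket *sock)
{
    struct turn_tcp_priv *priv = sock->priv;
    return priv->base_socket->is_reliable(priv->base_socket);
}

/* Variant B: check priv itself first, as the wrapper's other methods do. A closed
 * socket is then reported as not reliable instead of crashing the agent's timer. */
static bool turn_tcp_is_reliable_checked(struct nice_socket *sock)
{
    struct turn_tcp_priv *priv = sock->priv;
    if (priv == NULL || priv->base_socket == NULL)
        return false;
    return priv->base_socket->is_reliable(priv->base_socket);
}

/* Wrap a base socket; the vtable uses the checked variant. */
static struct nice_socket *turn_tcp_new(struct nice_socket *base)
{
    struct turn_tcp_priv *priv = malloc(sizeof *priv);
    struct nice_socket *sock = malloc(sizeof *sock);
    if (priv == NULL || sock == NULL) {
        free(priv);
        free(sock);
        return NULL;
    }
    priv->base_socket = base;
    sock->priv = priv;
    sock->is_reliable = turn_tcp_is_reliable_checked;
    sock->close = turn_tcp_close;
    return sock;
}

/* Outcome of replaying the reported sequence. */
struct hup_result {
    bool reliable_before_close;   /* true: both variants agree on a live socket */
    bool priv_null_after_close;   /* true: matches "p sock->priv" == 0x0 in the trace */
    bool reliable_after_close;    /* false: checked variant declines instead of crashing */
};

struct hup_result run_hup_scenario(void)
{
    struct hup_result r = { false, false, true };
    struct nice_socket base = { NULL, tcp_is_reliable, tcp_close };
    struct nice_socket *sock = turn_tcp_new(&base);
    if (sock == NULL)
        return r;
    r.reliable_before_close = turn_tcp_is_reliable_unchecked(sock); /* safe: priv still set */
    sock->close(sock);                                 /* HUP arrives: priv freed, set to NULL */
    r.priv_null_after_close = (sock->priv == NULL);
    r.reliable_after_close = sock->is_reliable(sock);  /* variant A would SIGSEGV here */
    free(sock);
    return r;
}

int main(void)
{
    struct hup_result r = run_hup_scenario();
    printf("before close: %d, priv NULL after close: %d, after close: %d\n",
           r.reliable_before_close, r.priv_null_after_close, r.reliable_after_close);
    return 0;
}
```

The point of the checked variant is that it tests the pointer it is about to read, not a field behind it; any method that can be reached from a main-loop timer after the socket has been torn down needs the same guard, since the timer does not know the socket went away.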