Open Bug 1899230 Opened 1 year ago Updated 8 months ago

firefox-bin: /src/dom/media/webrtc/transport/third_party/nICEr/src/ice/ice_candidate.c:547: int nr_ice_candidate_compute_priority(nr_ice_candidate *): Assertion `stun_priority < 32' failed.

Categories

(Core :: WebRTC: Networking, defect, P3)

Tracking Status
firefox128 --- affected

People

(Reporter: tsmith, Assigned: bwc)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: assertion, pernosco)

Found with m-c 20240521-6919ad3b0886 (--enable-debug --enable-fuzzing)

This was found by visiting a live website with a debug build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting http://admin.booking.com/.

firefox-bin: /builds/worker/checkouts/gecko/dom/media/webrtc/transport/third_party/nICEr/src/ice/ice_candidate.c:547: int nr_ice_candidate_compute_priority(nr_ice_candidate *): Assertion `stun_priority < 32' failed.

==11604==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x03e800002d54 (pc 0x7f558bbe49fc bp 0x000000002d59 sp 0x7f5588543d50 T11609)
    #0 0x7f558bbe49fc in __pthread_kill_implementation nptl/pthread_kill.c:44:76
    #1 0x7f558bbe49fc in __pthread_kill_internal nptl/pthread_kill.c:78:10
    #2 0x7f558bbe49fc in pthread_kill nptl/pthread_kill.c:89:10
    #3 0x7f558bb90475 in gsignal signal/../sysdeps/posix/raise.c:26:13
    #4 0x7f558bb767f2 in abort stdlib/abort.c:79:7
    #5 0x7f558bb7671a in __assert_fail_base assert/assert.c:92:3
    #6 0x7f558bb87e95 in __assert_fail assert/assert.c:101:3
    #7 0x7f557dc267f7 in nr_ice_candidate_compute_priority /builds/worker/checkouts/gecko/dom/media/webrtc/transport/third_party/nICEr/src/ice/ice_candidate.c:547:5
    #8 0x7f557dc25a67 in nr_ice_candidate_create /builds/worker/checkouts/gecko/dom/media/webrtc/transport/third_party/nICEr/src/ice/ice_candidate.c:180:10
    #9 0x7f557dc2c8d6 in nr_ice_component_initialize_udp /builds/worker/checkouts/gecko/dom/media/webrtc/transport/third_party/nICEr/src/ice/ice_component.c:273:16
    #10 0x7f557dc2c8d6 in nr_ice_component_initialize /builds/worker/checkouts/gecko/dom/media/webrtc/transport/third_party/nICEr/src/ice/ice_component.c:672:11
    #11 0x7f557dc357aa in nr_ice_media_stream_initialize /builds/worker/checkouts/gecko/dom/media/webrtc/transport/third_party/nICEr/src/ice/ice_media_stream.c:176:12
    #12 0x7f557dc355ea in nr_ice_gather /builds/worker/checkouts/gecko/dom/media/webrtc/transport/third_party/nICEr/src/ice/ice_ctx.c:892:14
    #13 0x7f557751ecfa in mozilla::NrIceCtx::StartGathering(bool, bool) /builds/worker/checkouts/gecko/dom/media/webrtc/transport/nricectx.cpp:933:11
    #14 0x7f557ac07ab5 in operator() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/MediaTransportHandler.cpp:933:20
    #15 0x7f557ac07ab5 in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/MediaTransportHandler.cpp:913:7), void ((lambda at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/MediaTransportHandler.cpp:913:7)::*)() const, const bool &> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:659:12
    #16 0x7f557ac07ab5 in InvokeCallbackMethod<false, (lambda at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/MediaTransportHandler.cpp:913:7), void ((lambda at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/MediaTransportHandler.cpp:913:7)::*)() const, const bool &, RefPtr<mozilla::MozPromise<bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, false>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:683:5
    #17 0x7f557ac07ab5 in mozilla::MozPromise<bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, false>::ThenValue<mozilla::MediaTransportHandlerSTS::StartIceGathering(bool, bool, nsTArray<mozilla::NrIceStunAddr> const&)::$_0, mozilla::MediaTransportHandlerSTS::StartIceGathering(bool, bool, nsTArray<mozilla::NrIceStunAddr> const&)::$_1>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, false>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:857:9
    #18 0x7f557ac01686 in mozilla::MozPromise<bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:488:21
    #19 0x7f5576573261 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
    #20 0x7f557657a23d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #21 0x7f55767f9631 in mozilla::net::nsSocketTransportService::Run() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:1198:11
    #22 0x7f55767faf5c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp
    #23 0x7f5576573261 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
    #24 0x7f557657a23d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #25 0x7f5577264fee in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #26 0x7f5577179bb1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #27 0x7f5577179bb1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #28 0x7f557656e533 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:370:10
    #29 0x7f558b33869f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #30 0x7f558bbe2ac2 in start_thread nptl/pthread_create.c:442:8
    #31 0x7f558bc73a03 in __clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100

A Pernosco session is available here: https://pernos.co/debug/7y5rWNVWvqpmn89yQPzXpw/index.html

Keywords: pernosco

I'm unable to repro, but the session reveals an RTCPeerConnection created with 40 ICE servers, a typical tracker pattern.

(pernosco) set $i = 0 
(pernosco) while $i < 40 
 >p component->stream->stun_servers[$i].addr.fqdn 
 >set $i = $i + 1 
 >end 
$1 = "stun.l.google.com", '\000' <repeats 238 times>
$2 = "stun.l.google.com", '\000' <repeats 238 times>
$3 = "stun1.l.google.com", '\000' <repeats 237 times>
$4 = "stun1.l.google.com", '\000' <repeats 237 times>
$5 = "stun2.l.google.com", '\000' <repeats 237 times>
$6 = "stun2.l.google.com", '\000' <repeats 237 times>
$7 = "stun3.l.google.com", '\000' <repeats 237 times>
$8 = "stun3.l.google.com", '\000' <repeats 237 times>
$9 = "stun4.l.google.com", '\000' <repeats 237 times>
$10 = "stun4.l.google.com", '\000' <repeats 237 times>
$11 = "stun.antisip.com", '\000' <repeats 239 times>
$12 = "stun.antisip.com", '\000' <repeats 239 times>
$13 = "stun.1und1.de", '\000' <repeats 242 times>
$14 = "stun.1und1.de", '\000' <repeats 242 times>
$15 = "stun.12voip.com", '\000' <repeats 240 times>
$16 = "stun.12voip.com", '\000' <repeats 240 times>
$17 = "stun.1und1.de", '\000' <repeats 242 times>
$18 = "stun.1und1.de", '\000' <repeats 242 times>
$19 = "stun.aa.net.uk", '\000' <repeats 241 times>
$20 = "stun.aa.net.uk", '\000' <repeats 241 times>
$21 = "stun.acrobits.cz", '\000' <repeats 239 times>
$22 = "stun.acrobits.cz", '\000' <repeats 239 times>
$23 = "stun.actionvoip.com", '\000' <repeats 236 times>
$24 = "stun.actionvoip.com", '\000' <repeats 236 times>
$25 = "stun.bluesip.net", '\000' <repeats 239 times>
$26 = "stun.bluesip.net", '\000' <repeats 239 times>
$27 = "stun.cablenet-as.net", '\000' <repeats 235 times>
$28 = "stun.cablenet-as.net", '\000' <repeats 235 times>
$29 = "stun.callromania.ro", '\000' <repeats 236 times>
$30 = "stun.callromania.ro", '\000' <repeats 236 times>
$31 = "stun.tel.lu", '\000' <repeats 244 times>
$32 = "stun.tel.lu", '\000' <repeats 244 times>
$33 = "stun.telbo.com", '\000' <repeats 241 times>
$34 = "stun.telbo.com", '\000' <repeats 241 times>
$35 = "stun.twt.it", '\000' <repeats 244 times>
$36 = "stun.twt.it", '\000' <repeats 244 times>
$37 = "stun.uls.co.za", '\000' <repeats 241 times>
$38 = "stun.uls.co.za", '\000' <repeats 241 times>
$39 = "stun.usfamily.net", '\000' <repeats 238 times>
$40 = "stun.usfamily.net", '\000' <repeats 238 times>
(pernosco)

nICEr assumes <= 32 stun servers here, going negative and creating a priority of 255.

Severity: -- → S3
Depends on: 1849404
Priority: -- → P2
Assignee: nobody → docfaraday
Priority: P2 → P3
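
A simplified model of the arithmetic described in the last comment, added here as an illustration and not taken from nICEr's source: the `31 - index` derivation, the unsigned 8-bit storage and all function names are assumptions chosen to reproduce the reported value of 255 once more than 32 STUN servers are configured. It also shows a bounds-checked form that rejects the index instead of wrapping.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed width of the per-server priority field (the assertion is "< 32"). */
#define STUN_PRIORITY_BITS 5
#define MAX_RANKED_SERVERS (1u << STUN_PRIORITY_BITS)   /* 32 */

/* Unchecked model: earlier servers rank higher, rank = 31 - index,
 * stored in an unsigned 8-bit value. Index 32 yields -1, which
 * converts to 255 and so outranks every valid value (0..31). */
static uint8_t stun_priority_unchecked(unsigned server_index) {
    return (uint8_t)(31 - (int)server_index);
}

/* Checked form: returns the rank (0..31), or -1 when the index does
 * not fit in the field, so the caller can drop or cap the server list. */
static int stun_priority_checked(unsigned server_index) {
    if (server_index >= MAX_RANKED_SERVERS)
        return -1;
    return (int)(MAX_RANKED_SERVERS - 1 - server_index);
}

/* How many of n configured servers would trip "stun_priority < 32". */
static unsigned count_out_of_range(unsigned n_servers) {
    unsigned bad = 0;
    for (unsigned i = 0; i < n_servers; i++)
        if (stun_priority_unchecked(i) >= MAX_RANKED_SERVERS)
            bad++;
    return bad;
}

int main(void) {
    printf("index 31 -> %u\n", (unsigned)stun_priority_unchecked(31));
    printf("index 32 -> %u\n", (unsigned)stun_priority_unchecked(32));
    printf("40 servers: %u out of range\n", count_out_of_range(40));
    printf("checked(32) -> %d\n", stun_priority_checked(32));
    return 0;
}
```

In a build without assertions the unchecked form would carry the wrapped value forward silently, which is why the check belongs where the server list is accepted rather than only in a debug assert.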