SDP buffer not null-terminated if generated offer larger than 2048 bytes

RESOLVED FIXED in mozilla19

Status

critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: jesup, Assigned: ehugg)

Tracking

({crash})

Trunk
mozilla19
x86_64
Windows 7
crash
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [WebRTC], [blocking-webrtc+][fixed by bug 798873][qa-])

Attachments

(1 obsolete attachment)

(Reporter)

Description

6 years ago
In local_video_test.html after the rev 2820 webrtc.org merge, Windows crashes when it should put up the remote video element. Mac and Linux seem to be ok.

Partly mangled output on one run may be a hint:

BORT: CRT ASSERT c:\tools\msvs!!! in executeNext: 10!!! Queue for {ae7e2108-75f7
\iea1-9f36-f4ee24c36c37} is currently: []\vc
lude\vector(932) : Assertion failed: vector subscript out of range

Will try to get more info once I rebuild.

Updated

6 years ago
Keywords: crash
(Reporter)

Comment 1

6 years ago
Created attachment 665716
Sanity-check attribute vector
(Reporter)

Comment 2

6 years ago
Comment on attachment 665716
Sanity-check attribute vector

Note this doesn't solve the problem, merely sanity-checks to avoid crashes.
Attachment #665716 - Flags: review?(ekr)
(Reporter)

Comment 3

6 years ago
13708[7268df0]: NrIceCtx(PC:70a32290): state 0->1
13708[7268df0]: NrIceCtx(PC:631ea093): state 0->1
13708[7268df0]: NrIceCtx(PC:70a32290): state 1->2
13708[7268df0]: Gathered all ICE candidates for 'PC:70a32290'
13708[7268df0]: NrIceCtx(PC:631ea093): state 1->2
13708[7268df0]: Gathered all ICE candidates for 'PC:631ea093'
0[1232b3f8]: Couldn't parse attributes for stream stream3'
(Reporter)

Comment 4

6 years ago
Additional debugging shows that the SDP buffer size is too small, and something isn't null-terminating when it hits the limit (perhaps adding ice candidates).

Bumping CCSIP_SDP_BUF_SIZE from 2048 to 4096 hides the problem on my laptop (it has wired, wireless and also a VM that appears as an interface, which may increase the number of ICE candidates).
Assignee: nobody → ethanhugg
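
The failure class described in comment 4, as an added illustration that is not code from Firefox or from anyone in this bug: a fixed-size buffer filled by repeated appends loses its terminator once it hits the limit, shown beside a checked append that always terminates. The 32-byte `BUF_SIZE`, the function names and the sample candidate line are hypothetical; the actual append site in the affected code is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32 /* hypothetical stand-in for a limit like CCSIP_SDP_BUF_SIZE */
#define CAND "a=candidate:1 udp\r\n" /* constructed 19-byte sample line */

/* Unsafe: copies what fits and never writes a terminator, so the string is
 * terminated only while zeroed slack remains at the end of the buffer. */
static void append_unsafe(char *buf, size_t *used, const char *line)
{
    size_t room = BUF_SIZE - *used, len = strlen(line);
    size_t n = len < room ? len : room;
    memcpy(buf + *used, line, n);
    *used += n;
}

/* Hardened: reserve one byte for the NUL, refuse a line that does not fit
 * whole, terminate after every append. Returns 0, or -1 if rejected. */
static int append_checked(char *buf, size_t *used, const char *line)
{
    size_t len = strlen(line);
    if (len > BUF_SIZE - 1 - *used) return -1;
    memcpy(buf + *used, line, len);
    *used += len;
    buf[*used] = '\0';
    return 0;
}

/* Append n sample lines; returns 1 if buf holds a NUL. *rejected counts refusals. */
static int build(int n, int checked, int *rejected)
{
    char buf[BUF_SIZE] = {0};
    size_t used = 0;
    *rejected = 0;
    for (int i = 0; i < n; i++) {
        if (!checked)
            append_unsafe(buf, &used, CAND);
        else if (append_checked(buf, &used, CAND) != 0)
            (*rejected)++;
    }
    return memchr(buf, '\0', BUF_SIZE) != NULL;
}

int main(void)
{
    int r, bad = build(2, 0, &r), good = build(2, 1, &r);
    printf("unsafe terminated=%d, checked terminated=%d rejected=%d\n", bad, good, r);
    return 0;
}
```

With one sample line both variants leave a terminated string; the second line fills the unsafe buffer to exactly `BUF_SIZE` bytes with no NUL, which is why enlarging the buffer only hides the problem until the input grows again.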
(Reporter)

Updated

6 years ago
Summary: Crash either on receiving video stream or installing answer → SDP buffer not null-terminated if generated offer larger than 2048 bytes

Updated

6 years ago
Whiteboard: [WebRTC], [blocking-webrtc+]
(Assignee)

Comment 5

6 years ago
This should be fixed in the patch to 798873 where the hard limit to SDP size has been removed.
(Reporter)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [WebRTC], [blocking-webrtc+] → [WebRTC], [blocking-webrtc+][fixed by bug 798873]
Depends on: 798873

Updated

6 years ago
Target Milestone: --- → mozilla19

Updated

6 years ago
Whiteboard: [WebRTC], [blocking-webrtc+][fixed by bug 798873] → [WebRTC], [blocking-webrtc+][fixed by bug 798873][qa-]

Updated

6 years ago
Flags: in-testsuite?
(In reply to Randell Jesup [:jesup] from comment #0)
> In local_video_test.html after the rev 2820 webrtc.org merge, Windows
> crashes when it should put up the remote video element.  Mac and Linux seem
> to be ok.

Where can I find that testcase? We re-imaged the alder branch so it's gone. It will be hard to create a testcase if we can't reproduce it.
(Reporter)

Comment 7

6 years ago
The old alder is mothballed at http://hg.mozilla.org/users/rjesup_wgate.com/alder-mothball
(Reporter)

Comment 8

6 years ago
Comment on attachment 665716
Sanity-check attribute vector

Bump.  Belt and suspenders...
(Reporter)

Comment 9

6 years ago
Comment on attachment 665716
Sanity-check attribute vector

Never mind, this was fixed another way
Attachment #665716 - Attachment is obsolete: true
Attachment #665716 - Flags: review?(ekr)