Closed Bug 835835 Opened 7 years ago Closed 7 years ago

WebRTC use-after-free crash [@sipcc::PeerConnectionMedia::ShutdownMediaTransport]

Categories

(Core :: WebRTC, defect, P1, critical)

x86_64
macOS
defect

Tracking


RESOLVED DUPLICATE of bug 838169
Tracking Status
firefox19 --- disabled
firefox20 --- disabled
firefox21 + fixed
firefox-esr17 --- unaffected
b2g18 --- disabled

People

(Reporter: posidron, Assigned: ekr)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [webrtc][blocking-webrtc+][webrtc-asan-confused][adv-main21-])

Crash Data

Attachments

(2 files)

Attached file callstack
This crash occurred while running the media crash tests with an ASan-enabled build.

$ ./mach crashtest dom/media/tests/crashtests


alloc: PeerConnectionMedia.cpp:75

nsresult PeerConnectionMedia::Init(const std::vector<NrIceStunServer>& stun_servers)
{
  // TODO(ekr@rtfm.com): need some way to set not offerer later
  // Looks like a bug in the NrIceCtx API.
  mIceCtx = NrIceCtx::Create("PC:" + mParent->GetHandle(), true);
[...]


free: stun_client_ctx.c:658

int nr_stun_client_process_response(nr_stun_client_ctx *ctx, UCHAR *msg, int len, nr_transport_addr *peer_addr)
  {
[...]
        /* Fire the callback */
        if (ctx->finished_cb) {
            NR_async_cb finished_cb = ctx->finished_cb;
            ctx->finished_cb = 0;  /* prevent 2nd call */
            /* finished_cb call must be absolutely last thing in function
             * because as a side effect this ctx may be operated on in the
             * callback */
            finished_cb(0,0,ctx->cb_arg);
        }
[...]


re-use: PeerConnectionImpl.cpp:1106

nsresult
PeerConnectionImpl::CloseInt(bool aIsSynchronous)
{
[...]
  ShutdownMedia(aIsSynchronous);
[...]


Tested with m-c changeset: 120102:0c45e6378f1f
Crash Signature: [@ sipcc::PeerConnectionMedia::ShutdownMediaTransport]
Assignee: nobody → ekr
Priority: -- → P1
Whiteboard: [webrtc][blocking-webrtc+]
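The comment in nr_stun_client_process_response() above ("finished_cb call must be absolutely last thing in function") describes the invariant that matters for this crash: the callback may tear down the very context it is invoked on, so the function must detach the callback, fire it last, and never touch the ctx afterwards. The following is an added, self-contained illustration of that pattern; it is not nICEr or Firefox code, and every type and function name in it (stun_client_ctx, owner, process_response, the scenario_* drivers) is hypothetical. It puts the unsafe shape, which reads the ctx after the callback, next to the safe shape, and exercises the safe one in the two cases that matter: the callback frees the ctx, and the response is processed twice.

```c
#include <stdlib.h>

/* Added example, not nICEr or Firefox code. A miniature of the
 * ctx->finished_cb pattern in nr_stun_client_process_response(): the
 * callback may destroy the context it is called on, so the function
 * must detach the callback, call it last, and never touch ctx again.
 * All type and function names here are hypothetical. */

typedef void (*finished_cb_t)(int how, int status, void *cb_arg);

typedef struct stun_client_ctx {
    int state;                 /* 0 = running, 1 = done */
    finished_cb_t finished_cb;
    void *cb_arg;
} stun_client_ctx;

/* Owner of the ctx (stands in for the transport-level object that owns
 * the ICE/STUN state). It counts callbacks and may free the ctx from
 * inside the callback, which is the side effect the source comment warns about. */
typedef struct owner {
    stun_client_ctx *ctx;
    int callbacks_seen;
    int free_ctx_in_cb;
} owner;

static void on_finished(int how, int status, void *cb_arg) {
    (void)how; (void)status;
    owner *o = cb_arg;
    o->callbacks_seen++;
    if (o->free_ctx_in_cb) {
        free(o->ctx);   /* the ctx dies inside its own callback */
        o->ctx = NULL;
    }
}

static stun_client_ctx *ctx_create(finished_cb_t cb, void *arg) {
    stun_client_ctx *ctx = calloc(1, sizeof *ctx);
    if (!ctx) abort();
    ctx->finished_cb = cb;
    ctx->cb_arg = arg;
    return ctx;
}

/* Unsafe shape: fires the callback, then reads ctx again. If the
 * callback freed ctx, the final read is a use-after-free that ASan
 * would report. Kept for comparison and deliberately never called. */
int process_response_unsafe(stun_client_ctx *ctx) {
    ctx->state = 1;
    if (ctx->finished_cb)
        ctx->finished_cb(0, 0, ctx->cb_arg);
    return ctx->state;   /* BUG: ctx may already be freed here */
}

/* Safe shape, as in stun_client_ctx.c: copy the callback and its argument
 * out, clear the callback so it cannot fire twice, call it as the very
 * last action, and return without dereferencing ctx. Returns 1 if a
 * callback fired, 0 otherwise. */
int process_response(stun_client_ctx *ctx) {
    ctx->state = 1;
    if (ctx->finished_cb) {
        finished_cb_t cb = ctx->finished_cb;
        void *arg = ctx->cb_arg;
        ctx->finished_cb = NULL;   /* prevent 2nd call */
        cb(0, 0, arg);             /* ctx may be freed in here; nothing below touches it */
        return 1;
    }
    return 0;
}

/* Scenario 1: the callback frees the ctx. The safe shape returns cleanly
 * and the owner's pointer has been cleared. Returns 1 on the expected
 * outcome (callback fired once, ctx released), 0 otherwise. */
int scenario_free_in_callback(void) {
    owner o = {0};
    o.free_ctx_in_cb = 1;
    o.ctx = ctx_create(on_finished, &o);
    int fired = process_response(o.ctx);
    return fired == 1 && o.ctx == NULL && o.callbacks_seen == 1;
}

/* Scenario 2: the owner keeps the ctx and the same response is processed
 * twice (a retransmit). Because finished_cb was cleared before the first
 * call, the callback fires exactly once. Returns the number of callbacks seen. */
int scenario_double_process(void) {
    owner o = {0};
    o.ctx = ctx_create(on_finished, &o);
    process_response(o.ctx);
    process_response(o.ctx);   /* finished_cb is NULL now: no second fire */
    int seen = o.callbacks_seen;
    free(o.ctx);
    return seen;
}

int main(void) {
    /* Both scenarios must hold; a non-zero exit means the invariant broke. */
    return (scenario_free_in_callback() == 1 && scenario_double_process() == 1) ? 0 : 1;
}
```

Compiling this with -fsanitize=address and swapping process_response for process_response_unsafe in scenario_free_in_callback reproduces the shape of the report: the allocation site is the ctx_create call, the free happens inside the callback, and the offending read is on the line after the callback returns. That is also why line numbers in such reports can look surprising: the free is attributed to whatever frame called free, not to the function whose callback invocation made it possible.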
Attached file testcase
Click the button and wait a few seconds.
Something is very screwy here, because we have a structure allocated with a C++ new and then
allegedly freed in C code that doesn't even have a free.

I feel like ASan is giving bogus line numbers.
Flags: in-testsuite?
Whiteboard: [webrtc][blocking-webrtc+] → [webrtc][blocking-webrtc+][webrtc-asan-confused]
cdiehl: please retest with fix in bug 838169
Flags: needinfo?(cdiehl)
Looks fixed, can't reproduce it anymore.
Flags: needinfo?(cdiehl)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 838169
Flags: in-testsuite?
Whiteboard: [webrtc][blocking-webrtc+][webrtc-asan-confused] → [webrtc][blocking-webrtc+][webrtc-asan-confused][adv-main21-]
Group: core-security