Closed Bug 839941 Opened 7 years ago Closed 7 years ago

WebRTC use-after-free crash [@nr_ice_peer_ctx_destroy_cb]

Categories

(Core :: WebRTC: Networking, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
firefox20 --- disabled
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- disabled

People

(Reporter: posidron, Assigned: ekr)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [WebRTC],[blocking-webrtc+][adv-main21-] fixed by bug 838169)

Attachments

(2 files)

Attached file testcase
This happened while running the attached testcase for a very long time, approx. 30 minutes. The address/port used in the testcase was not reachable during that time.

alloc: ice_ctx.c:245
236: int nr_ice_ctx_create(char *label, UINT4 flags, nr_ice_ctx **ctxp)
245:    if(!(ctx=RCALLOC(sizeof(nr_ice_ctx))))
246:      ABORT(R_NO_MEMORY);

free: ice_ctx.c:366
329: static void nr_ice_ctx_destroy_cb(NR_SOCKET s, int how, void *cb_arg) 
[...]
366:    RFREE(ctx);

re-use: ice_peer_ctx.c:315
301: static void nr_ice_peer_ctx_destroy_cb(NR_SOCKET s, int how, void *cb_arg) 
[...]
315:    STAILQ_REMOVE(&pctx->ctx->peers, pctx, nr_ice_peer_ctx_, entry);
316:
317:    RFREE(pctx);

Tested with m-c changeset: 121432:08388ff940df -O1
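To make the ordering problem in this report concrete, here is an added C example (constructed for this page, not nICEr or Firefox code; every name is hypothetical and only loosely mirrors the trace above). It models a parent context that owns a list of peer contexts, with both torn down by deferred callbacks as in the report. The parent's destroy callback destroys any still-attached peers itself and cancels their queued callbacks, so a peer callback can never reach ctx->peers after the context has been freed, whichever order the callbacks were queued in.

```c
#include <stdlib.h>

/* Constructed model of the lifetime problem in the report: a parent context
 * owns a list of peers, both are torn down by deferred callbacks, and the
 * peer's callback dereferences its back-pointer (pctx->ctx->peers) to unlink
 * itself. If the parent's callback already freed the context, that access is
 * the use-after-free. Names here are hypothetical. */

typedef void (*cb_fn)(void *arg);

/* Minimal FIFO of deferred callbacks standing in for the socket/timer
 * scheduling that invokes the *_destroy_cb functions. */
#define MAX_PENDING 16
static struct { cb_fn fn; void *arg; } pending[MAX_PENDING];
static int npending;

static void schedule(cb_fn fn, void *arg)
{
    if (npending < MAX_PENDING) {
        pending[npending].fn = fn;
        pending[npending].arg = arg;
        npending++;
    }
}

/* Drop every queued callback bound to arg: the object is going away now. */
static void cancel(void *arg)
{
    int kept = 0;
    for (int i = 0; i < npending; i++)
        if (pending[i].arg != arg)
            pending[kept++] = pending[i];
    npending = kept;
}

static void run_pending(void)
{
    while (npending > 0) {
        cb_fn fn = pending[0].fn;
        void *arg = pending[0].arg;
        for (int i = 1; i < npending; i++)   /* pop the front entry */
            pending[i - 1] = pending[i];
        npending--;
        fn(arg);                             /* may cancel() later entries */
    }
}

typedef struct peer_ctx peer_ctx;
typedef struct ice_ctx { peer_ctx *peers; } ice_ctx;   /* list head, like ctx->peers */
struct peer_ctx {
    ice_ctx *ctx;       /* back-pointer: the one that dangled in the report */
    peer_ctx *next;
};

/* Instrumentation so both teardown orderings can be checked without UB. */
static int live_ctx, live_peers;

ice_ctx *ice_ctx_create(void)
{
    ice_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx) live_ctx++;
    return ctx;
}

peer_ctx *peer_ctx_create(ice_ctx *ctx)
{
    peer_ctx *pctx = calloc(1, sizeof *pctx);
    if (!pctx) return NULL;
    pctx->ctx = ctx;
    pctx->next = ctx->peers;
    ctx->peers = pctx;
    live_peers++;
    return pctx;
}

/* Peer teardown: unlink from the parent's list, then free. Only valid while
 * pctx->ctx is alive; the parent's callback below guarantees that. */
static void peer_ctx_destroy_cb(void *arg)
{
    peer_ctx *pctx = arg;
    peer_ctx **pp = &pctx->ctx->peers;
    while (*pp && *pp != pctx)
        pp = &(*pp)->next;
    if (*pp)
        *pp = pctx->next;
    free(pctx);
    live_peers--;
}

/* Parent teardown: every peer still attached is destroyed here and its queued
 * callback cancelled, so nothing can touch ctx after free(ctx). */
static void ice_ctx_destroy_cb(void *arg)
{
    ice_ctx *ctx = arg;
    while (ctx->peers) {
        peer_ctx *pctx = ctx->peers;
        cancel(pctx);
        peer_ctx_destroy_cb(pctx);
    }
    free(ctx);
    live_ctx--;
}

void peer_ctx_destroy(peer_ctx *pctx) { schedule(peer_ctx_destroy_cb, pctx); }
void ice_ctx_destroy(ice_ctx *ctx)    { schedule(ice_ctx_destroy_cb, ctx); }

/* The ordering from the report: the parent's callback is queued, and so runs,
 * before the peers'. Returns 1 if all objects were freed exactly once. */
int teardown_parent_first(void)
{
    ice_ctx *ctx = ice_ctx_create();
    peer_ctx *p1 = peer_ctx_create(ctx), *p2 = peer_ctx_create(ctx);
    ice_ctx_destroy(ctx);
    peer_ctx_destroy(p1);
    peer_ctx_destroy(p2);
    run_pending();
    return live_ctx == 0 && live_peers == 0 && npending == 0;
}

/* The benign ordering, for comparison. */
int teardown_peers_first(void)
{
    ice_ctx *ctx = ice_ctx_create();
    peer_ctx *p1 = peer_ctx_create(ctx), *p2 = peer_ctx_create(ctx);
    peer_ctx_destroy(p1);
    peer_ctx_destroy(p2);
    ice_ctx_destroy(ctx);
    run_pending();
    return live_ctx == 0 && live_peers == 0 && npending == 0;
}
```

The design point is that a child holding a raw back-pointer to its parent must not be allowed to outlive the parent, even by one pending callback; the parent's teardown has to either reap the children or cancel their deferred work before it frees itself. Running the parent-first case under ASan with the cancel() and reaping loop removed is the quickest way to see the same kind of crash this bug reports.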
Attached file callstack
This feels like a dup; I'd swear I've seen this signature (or presumed source) before
Whiteboard: [WebRTC],[blocking-webrtc+]
Let's retest after 838169 lands. It smells like it might be in the same area.
Assignee: nobody → ekr
(In reply to Eric Rescorla (:ekr) from comment #3)
> Let's retest after 838169 lands. It smells like it might be in the same area.

cdiehl -- Bug 838169 has landed.  Can you try to reproduce?  Thanks.
Flags: needinfo?(cdiehl)
I have tested it a few times again and got no crash.
Flags: needinfo?(cdiehl)
OK, let's mark this closed.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Marking verified per comment 5.
Status: RESOLVED → VERIFIED
Depends on: 838169
Whiteboard: [WebRTC],[blocking-webrtc+] → [WebRTC],[blocking-webrtc+] fixed by bug 838169
Flags: in-testsuite?
Minus for in-testsuite - well, we can't exactly run a test case in CI for 30 minutes.
Flags: in-testsuite? → in-testsuite-
Whiteboard: [WebRTC],[blocking-webrtc+] fixed by bug 838169 → [WebRTC],[blocking-webrtc+][adv-main21-] fixed by bug 838169
Group: core-security