Closed
Bug 839941
Opened 12 years ago
Closed 12 years ago
WebRTC use-after-free crash [@nr_ice_peer_ctx_destroy_cb]
Categories
(Core :: WebRTC: Networking, defect)
Tracking
VERIFIED
FIXED
Flag | Tracking | Status
---|---|---
firefox20 | --- | disabled
firefox21 | --- | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | disabled
People
(Reporter: posidron, Assigned: ekr)
Details
(4 keywords, Whiteboard: [WebRTC],[blocking-webrtc+][adv-main21-] fixed by bug 838169)
Attachments
(2 files)
This happened while running the attached testcase for a very long time, approximately 30 minutes. The address/port used in the testcase was not reachable during that time.
alloc: ice_ctx.c:245
236: int nr_ice_ctx_create(char *label, UINT4 flags, nr_ice_ctx **ctxp)
245: if(!(ctx=RCALLOC(sizeof(nr_ice_ctx))))
246: ABORT(R_NO_MEMORY);
free: ice_ctx.c:366
329: static void nr_ice_ctx_destroy_cb(NR_SOCKET s, int how, void *cb_arg)
[...]
366: RFREE(ctx);
re-use: ice_peer_ctx.c:315
301: static void nr_ice_peer_ctx_destroy_cb(NR_SOCKET s, int how, void *cb_arg)
[...]
315: STAILQ_REMOVE(&pctx->ctx->peers, pctx, nr_ice_peer_ctx_, entry);
316:
317: RFREE(pctx);
Tested with m-c changeset: 121432:08388ff940df -O1
Reporter
Comment 1•12 years ago
Comment 2•12 years ago
This feels like a dup; I'd swear I've seen this signature (or presumed source) before.
Whiteboard: [WebRTC],[blocking-webrtc+]
Assignee
Comment 3•12 years ago
Let's retest after 838169 lands. It smells like it might be in the same area.
Updated•12 years ago
Assignee: nobody → ekr
Comment 4•12 years ago
(In reply to Eric Rescorla (:ekr) from comment #3)
> Let's retest after 838169 lands. It smells like it might be in the same area.
cdiehl -- Bug 838169 has landed. Can you try to reproduce? Thanks.
Flags: needinfo?(cdiehl)
Reporter
Comment 5•12 years ago
I have tested it a few times again and got no crash.
Flags: needinfo?(cdiehl)
Assignee
Comment 6•12 years ago
OK, let's mark this closed.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
status-b2g18: --- → disabled
status-firefox20: --- → disabled
status-firefox21: --- → fixed
status-firefox-esr17: --- → unaffected
Depends on: 838169
Whiteboard: [WebRTC],[blocking-webrtc+] → [WebRTC],[blocking-webrtc+] fixed by bug 838169
Updated•12 years ago
Flags: in-testsuite?
Comment 8•12 years ago
Minus for in-testsuite - well, we can't exactly run a test case in CI for 30 minutes.
Flags: in-testsuite? → in-testsuite-
Updated•12 years ago
Whiteboard: [WebRTC],[blocking-webrtc+] fixed by bug 838169 → [WebRTC],[blocking-webrtc+][adv-main21-] fixed by bug 838169
Updated•11 years ago
Group: core-security