liudf0716 / xfrpc

The xfrpc project is a lightweight implementation of the FRP client written in C language for OpenWRT and IoT systems. It is designed to provide an efficient solution for resource-constrained devices such as OpenWRT routers and IoT devices, which often have limited ROM and RAM space.


Segmentation fault in http mode

JimLee1996 opened this issue

Running on k2p padavan
xfrpc: 2.1.606

config:

[common]
server_addr = 192.168.2.2
server_port = 7000
token = ***

[Router-747d245360cd]
type = http
local_port = 80
custom_domains = 747d245360cd.frp.example.com

logs:

K2P:/tmp # ./xfrpc -c /etc/storage/frpc.ini -f -d 7
[7][Mon Jan 23 16:01:48 2023][6940](config.c:328) Reading configuration file '/etc/storage/frpc.ini'
[7][Mon Jan 23 16:01:48 2023][6940](config.c:95) Section[common]: {server_addr:192.168.2.2, server_port:7000, auth_token:***, interval:30, timeout:90}
[7][Mon Jan 23 16:01:48 2023][6940](config.c:120) Proxy service 0: {name:Router-747d245360cd, local_port:80, type:http}
[7][Mon Jan 23 16:01:48 2023][6940](login.c:104) working in router
[6][Mon Jan 23 16:01:48 2023][6940](control.c:653) connect server [192.168.2.2:7000]...
[7][Mon Jan 23 16:01:48 2023][6940](control.c:615) xfrp server connected
[7][Mon Jan 23 16:01:48 2023][6940](control.c:690) send plain msg ----> [o: { "version": "0.43.0", "hostname": "", "os": "Linux", "arch": "mips", "user": "", "privilege_key": "0f35985cc07ead44460f1a54f37ce1de", "timestamp": 1674460908, "run_id": "747D245360CD", "pool_count": 1, "metas": null }]
[7][Mon Jan 23 16:01:48 2023][6940](control.c:627) start keep_control_alive
[7][Mon Jan 23 16:01:48 2023][6940](login.c:129) xfrp login response: run_id: [747D245360CD], version: [0.45.0]
[3][Mon Jan 23 16:01:48 2023][6940](control.c:445) login success! login_len 67 len 76 ilen 0
[7][Mon Jan 23 16:01:48 2023][6940](control.c:317) recv eas1238 iv data
[6][Mon Jan 23 16:01:48 2023][6940](control.c:159) Start xfrp proxy services ...
[7][Mon Jan 23 16:01:48 2023][6940](control.c:790) control proxy client: [Type 112 : proxy_name Router-747d245360cd : msg_len 279]
[7][Mon Jan 23 16:01:48 2023][6940](control.c:128) new client through tcp mux: 5
[7][Mon Jan 23 16:01:48 2023][6940](control.c:690) send plain msg ----> [w: { "run_id": "747D245360CD" }]

.........

[7][Mon Jan 23 16:08:46 2023][6997](client.c:182) free client 103
[7][Mon Jan 23 16:08:46 2023][6997](control.c:398) proxy service [Router-747d245360cd] [(null):80] start work connection. remain data length 0
[7][Mon Jan 23 16:08:46 2023][6997](client.c:137) proxy server [192.168.2.2:-1] <---> client [127.0.0.1:80]
[7][Mon Jan 23 16:08:46 2023][6997](client.c:78) what [128] client [105] connected : Operation now in progress
[7][Mon Jan 23 16:08:46 2023][6997](control.c:128) new client through tcp mux: 113
[7][Mon Jan 23 16:08:46 2023][6997](control.c:690) send plain msg ----> [w: { "run_id": "747D245360CD" }]
[7][Mon Jan 23 16:08:46 2023][6997](control.c:128) new client through tcp mux: 115
[7][Mon Jan 23 16:08:46 2023][6997](control.c:690) send plain msg ----> [w: { "run_id": "747D245360CD" }]
[7][Mon Jan 23 16:08:46 2023][6997](control.c:398) proxy service [Router-747d245360cd] [(null):80] start work connection. remain data length 0
[7][Mon Jan 23 16:08:46 2023][6997](client.c:137) proxy server [192.168.2.2:-1] <---> client [127.0.0.1:80]
[7][Mon Jan 23 16:08:46 2023][6997](client.c:78) what [128] client [107] connected : Operation now in progress
[7][Mon Jan 23 16:08:46 2023][6997](client.c:72) xfrpc proxy close connect server [(null):80] stream_id 107: Operation now in progress
[7][Mon Jan 23 16:08:46 2023][6997](tcpmux.c:266) free stream 107
[7][Mon Jan 23 16:08:46 2023][6997](client.c:182) free client 107
[7][Mon Jan 23 16:08:46 2023][6997](client.c:72) xfrpc proxy close connect server [(null):80] stream_id 105: Operation now in progress
[7][Mon Jan 23 16:08:46 2023][6997](tcpmux.c:266) free stream 105
[7][Mon Jan 23 16:08:46 2023][6997](client.c:182) free client 105
Segmentation fault

gdb debug info

Starting program: /home/jim/src/router/xfrpc/build/xfrpc -c frpc.ini -f
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[6][Tue Jan 24 18:02:54 2023][3500368](control.c:653) connect server [frp.h1b.top:7000]...
[3][Tue Jan 24 18:02:54 2023][3500368](control.c:445) login success! login_len 67 len 76 ilen 0
[6][Tue Jan 24 18:02:54 2023][3500368](control.c:159) Start xfrp proxy services ...

Program received signal SIGSEGV, Segmentation fault.
0x000055555556a3c9 in incr_send_window (bev=0x0, tmux_hdr=0x555555581160 <tmux_hdr>, flags=4, stream=0x5555556996c0) at /home/jim/src/router/xfrpc/tcpmux.c:371
371             if (stream->send_window == 0) bufferevent_enable(bev, EV_READ);

@JimLee1996
It seems to be because the bev object has already been freed. I thought I had already fixed this bug.
In this case, in my opinion, there should be a check not only on whether stream is NULL or not, but also on bev.

I reproduced this bug by inserting

printf("%p\n", (void *)stream);
printf("%d\n", stream->id); /* segfault */

between these two lines.
It seems to be relevant to stream pointing to an invalid address.

Also, it is better to check bev at the same time.
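
Added example, not part of the thread and not xfrpc's code: a NULL test on `stream` cannot detect a pointer to memory that was already freed, so this sketch resolves the stream by id from a registry on every window update and unlinks the entry before freeing it, alongside the `bev` check suggested above. `struct conn`, `struct stream`, `stream_add`, `stream_find`, `stream_free` and `window_update` are hypothetical stand-ins for the libevent and xfrpc types, and stream id 105 is a constructed value echoing the log.

```c
#include <stdint.h>
#include <stdlib.h>
/* Stand-ins (assumptions): not xfrpc's or libevent's real types. */
struct conn { int read_enabled; };            /* plays the role of bev */
struct stream { uint32_t id, send_window; struct stream *next; };
static struct stream *streams;                /* registry of live streams */

static struct stream *stream_add(uint32_t id) {
    struct stream *s = malloc(sizeof(*s));
    if (s == NULL) return NULL;
    *s = (struct stream){ .id = id, .next = streams };
    streams = s;
    return s;
}

/* Returns NULL for ids never added or already freed. */
static struct stream *stream_find(uint32_t id) {
    for (struct stream *s = streams; s != NULL; s = s->next)
        if (s->id == id) return s;
    return NULL;
}

/* Unlink before free so no later lookup can hand back the dead pointer. */
static void stream_free(uint32_t id) {
    for (struct stream **pp = &streams; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            struct stream *dead = *pp;
            *pp = dead->next;
            free(dead);
            return;
        }
    }
}

/* Window update keyed by id: 0 on success, -1 if bev or the stream is gone. */
static int window_update(struct conn *bev, uint32_t id, uint32_t delta) {
    struct stream *s = stream_find(id);
    if (bev == NULL || s == NULL) return -1;
    if (s->send_window == 0) bev->read_enabled = 1; /* cf. bufferevent_enable(bev, EV_READ) */
    s->send_window += delta;
    return 0;
}

int main(void) {
    struct conn c = {0};
    stream_add(105);               /* constructed id, echoing the log above */
    stream_free(105);              /* corresponds to "free stream 105" */
    return window_update(&c, 105, 256) == -1 ? 0 : 1; /* late update is rejected */
}
```

A window update that arrives after the stream was freed returns -1 here instead of dereferencing stale memory.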