ossrs / srs

SRS is a simple, high-efficiency, real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181.

Home Page:https://ossrs.io


KERNEL: Crash at HTTP fast buffer grow

winlinvip opened this issue · comments

#4  0x000000000045d314 in SrsFastBuffer::grow (this=0x24854e0, reader=0x7f9686104bd0, required_size=131073) at src/protocol/srs_protocol_buffer.cpp:165
#5  0x00000000004e97b0 in SrsHttpParser::parse_message_imp (this=0x23faac0, skt=0x7f9686104bd0) at src/app/srs_app_http_conn.cpp:984
#6  0x00000000004e937c in SrsHttpParser::parse_message (this=0x23faac0, skt=0x7f9686104bd0, conn=0x22813a0, ppmsg=0x7f9686104c30)
    at src/app/srs_app_http_conn.cpp:927
#7  0x00000000004eae5e in SrsHttpConn::do_cycle (this=0x22813a0) at src/app/srs_app_http_conn.cpp:1255
#8  0x000000000047958a in SrsConnection::cycle (this=0x22813a0) at src/app/srs_app_conn.cpp:89
#9  0x00000000004acdc5 in SrsOneCycleThread::cycle (this=0x24856d0) at src/app/srs_app_thread.cpp:372
#10 0x00000000004ac51d in internal::SrsThread::thread_cycle (this=0x24957a0) at src/app/srs_app_thread.cpp:207
#11 0x00000000004ac730 in internal::SrsThread::thread_fun (arg=0x24957a0) at src/app/srs_app_thread.cpp:245
#12 0x0000000000526bf6 in _st_thread_main () at sched.c:327

It seems that a request without a length was POSTed.

POST ch1 HTTP/1.1\r\n
Content-Type: application/flv-pushsetup\r\n
X-Accept-Authentication: Negotiate, NTLM, Digest\r\n
Accept: */*\r\n
User-Agent: WMEncoder/10.0.0.3802\r\n
Host: ossrs.net:8080\r\n
Connection: Keep-Alive\r\n
Cookie: push-id=0\r\n
Authorization:BASIC YWRtaW46MDAwMDA=\r\n\r\n

FLV\001\005

The HTTP header is only 263 bytes, and the rest is FLV data.

(gdb) p p+263
$25 = 0x237ee27 "FLV\001\005"

The buffer has been filled.

(gdb) p /x (int64_t)buffer
$9 = 0x237ed20
(gdb) p /x (int64_t)p     
$10 = 0x237ed20
(gdb) p /x (int64_t)end
$11 = 0x239ed20
(gdb) p end-p
$12 = 131072
(gdb) p nb_buffer
$13 = 131072

At this point, buffer and p are at the same position, which means the buffer has not been consumed and is directly filled with data until it is full.

The characteristic of FastBuffer is that it can only hold 128KB, and if it becomes full, it will assert an error.

// the default recv buffer size, 128KB.
#define SRS_DEFAULT_RECV_BUFFER_SIZE 131072

The buffer will only be reallocated when set_buffer is called.

Therefore, when the buffer is filled, it should return an error instead of asserting directly.

TRANS_BY_GPT3

The problem lies in using assert directly when moving memory, while the if check is only evaluated later. Therefore, memory should only be moved if it is possible to do so. If there is not enough space, the memory can simply be left unmoved, and the later check for insufficient space will fail.

TRANS_BY_GPT3
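The guarded grow() that both comments call for, as an added example that is not SRS code: a minimal fixed-capacity buffer using the report's names (buffer, p, end, nb_buffer) that returns an error code instead of asserting when it cannot satisfy the request, and only moves unconsumed bytes when that actually frees space. MemReader is a constructed stand-in for the socket reader, and the error codes are assumed names.

```cpp
// Added example (not SRS code): fixed-capacity receive buffer whose grow()
// reports an overflow to the caller instead of asserting the process away.
#include <algorithm>
#include <cstring>
#include <string>
#include <vector>

enum { ERR_OK = 0, ERR_BUFFER_FULL = 1, ERR_EOF = 2 };  // assumed codes

// Constructed reader standing in for the socket: serves an in-memory string.
class MemReader {
public:
    explicit MemReader(const std::string& d) : data(d) {}
    size_t read(char* dst, size_t n) {            // returns 0 at end of input
        size_t k = std::min(n, data.size() - pos);
        std::memcpy(dst, data.data() + pos, k); pos += k; return k;
    }
private:
    std::string data; size_t pos = 0;
};

class FastBuffer {
public:
    explicit FastBuffer(size_t nb_buffer) : buffer(nb_buffer) {}
    // Fill until required_size unconsumed bytes sit between p and end.
    int grow(MemReader& reader, size_t required_size) {
        while (end - p < required_size) {
            if (end == buffer.size()) {              // no free space left
                if (p == 0) return ERR_BUFFER_FULL;  // nothing consumed to reclaim: the reported state
                std::memmove(buffer.data(), buffer.data() + p, end - p); // move only when it frees space
                end -= p; p = 0;
            }
            size_t n = reader.read(buffer.data() + end, buffer.size() - end);
            if (n == 0) return ERR_EOF;
            end += n;
        }
        return ERR_OK;
    }
    void skip(size_t n) { p += n; }                // caller consumed n bytes
    size_t available() const { return end - p; }
private:
    std::vector<char> buffer; size_t p = 0, end = 0;
};

// The reported state: 128KB buffer, nothing consumed, 128KB + 1 required.
int grow_unconsumed_past_capacity() {
    MemReader r(std::string(200000, 'x'));   // constructed input larger than the buffer
    FastBuffer fb(131072);
    return fb.grow(r, 131073);   // ERR_BUFFER_FULL rather than an assert
}
```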