Opened 8 years ago

Closed 8 years ago

Last modified 6 years ago

#1217 closed Bug (fixed)

shttpd crash in decide_what_to_do()

Reported by: Stealth Owned by: charles
Priority: Normal Milestone: 1.40
Component: libtransmission Version: 1.33
Severity: Major Keywords:
Cc:

Description

So nothing interesting in log:

stealth@flagship:~ $ transmission-daemon -f                     
Transmission 1.33 (6608) started
Searching for web interface file "/home/stealth/.local/share/transmission/web/javascript/transmission.js"
Searching for web interface file "/usr/local/share//transmission/web/javascript/transmission.js"
Serving the web interface files from "/usr/local/share//transmission/web"
Port Forwarding: Opened port 51413 to listen for incoming peer connections
Segmentation fault (core dumped)

It segfaults when I try to open "http://localhost:9091/" :/

http://forum.transmissionbt.com/viewtopic.php?f=2&t=5704 <- discussion about this bug, and yes.. seems the problem is in shttpd

Attachments (2)

0001-Move-path-on-to-the-heap.patch (2.4 KB) - added by muks 8 years ago.
Patch which may fix this issue. Please try it.
uri-heap.2.diff (4.6 KB) - added by charles 8 years ago.
updated patch for (1) shttpd 1.42 and (2) to add the same behavior to log.c.


Change History (16)

comment:1 Changed 8 years ago by Stealth

  • Component changed from Transmission to Daemon
  • Owner set to charles

comment:2 Changed 8 years ago by charles

  • Status changed from new to assigned

backtrace of crash from a debug build:


Thread 1 (process 15152, thread 0x818b2400):
#0  0x1c0325e8 in decide_what_to_do (c=Cannot access memory at address 0x8194578c
) at shttpd.c:532
#1  0x1c033196 in parse_http_request (c=0x7f474000) at shttpd.c:746
#2  0x1c033d00 in process_connection (c=0x7f474000, remote_ready=524288, local_ready=0) at shttpd.c:1064
#3  0x1c034247 in process_worker_sockets (worker=0x7c5916c0, read_set=0x81955de0) at shttpd.c:1228
#4  0x1c034483 in shttpd_poll (ctx=0x8880f500, milliseconds=1) at shttpd.c:1281
#5  0x1c026802 in rpcPulse (socket=-1, action=1, vserver=0x81877c00) at rpc-server.c:323
#6  0x1c03d740 in event_process_active ()
#7  0x1c03d9b1 in event_base_loop ()
#8  0x1c03d870 in event_loop ()
#9  0x1c03d799 in event_dispatch ()
#10 0x1c012ce1 in libeventThreadFunc (veh=0x81877380) at trevent.c:152
#11 0x1c0089b2 in ThreadFunc (_t=0x87e0b080) at platform.c:122
#12 0x065ca2a7 in _thread_start () at /usr/src/lib/libpthread/uthread/uthread_create.c:244
#13 0x0000001f in ?? ()
#14 0x00000000 in ?? ()

comment:3 Changed 8 years ago by charles

  • Summary changed from transmission-daemon coredumps on OpenBSD to shttpd crash in decide_what_to_do()

comment:4 Changed 8 years ago by charles

  • Component changed from Daemon to libtransmission

Changed 8 years ago by muks

Patch which may fix this issue. Please try it.

comment:5 Changed 8 years ago by muks

The crash happens probably because OpenBSD's default thread stack size is 64KB and decide_what_to_do() allocates path[65536] as an auto variable.

comment:6 Changed 8 years ago by charles

Stealth: could you please test out a nightly build of r6645 or higher? I've upgraded Transmission's copy of shttpd to version 1.42.

comment:7 Changed 8 years ago by charles

I'm the one who increased the size of URI_MAX. It's also used for chunking incoming messages and responses, so I raised it to reduce the number of calls it took to send out very long JSON responses.

URI_MAX is 16384 by default in shttpd 1.42.

I notice URI_MAX is also used on the stack in the log function. Attached is a patch which includes muks' shttpd.c patch and does the same for log.c. It also avoids the strftime/malloc/free calls in log if the message isn't going to be written out.

Changed 8 years ago by charles

updated patch for (1) shttpd 1.42 and (2) to add the same behavior to log.c.

comment:9 Changed 8 years ago by charles

patch applied locally in r6646

comment:10 Changed 8 years ago by Stealth

Weeeee, it works!

comment:11 Changed 8 years ago by charles

Reported fixed by user Enqlave in the #transmission IRC channel. :)

comment:12 Changed 8 years ago by smmalis

  • Resolution set to fixed
  • Status changed from assigned to closed

Seeing as this has been reported fixed...

comment:13 Changed 8 years ago by charles

  • Severity changed from Normal to Major
