Opened 10 years ago

Closed 10 years ago

Last modified 8 years ago

#1217 closed Bug (fixed)

shttpd crash in decide_what_to_do()

Reported by: Stealth
Owned by: charles
Priority: Normal
Milestone: 1.40
Component: libtransmission
Version: 1.33
Severity: Major
Keywords:
Cc:

Description

So nothing interesting in log:

stealth@flagship:~ $ transmission-daemon -f                     
Transmission 1.33 (6608) started
Searching for web interface file "/home/stealth/.local/share/transmission/web/javascript/transmission.js"
Searching for web interface file "/usr/local/share//transmission/web/javascript/transmission.js"
Serving the web interface files from "/usr/local/share//transmission/web"
Port Forwarding: Opened port 51413 to listen for incoming peer connections
Segmentation fault (core dumped)

It segfaults when I try to open "http://localhost:9091/" :/

http://forum.transmissionbt.com/viewtopic.php?f=2&t=5704 <- discussion about this bug, and yes.. seems the problem is in shttpd

Attachments (2)

0001-Move-path-on-to-the-heap.patch (2.4 KB) - added by muks 10 years ago.
Patch which may fix this issue. Please try it.
uri-heap.2.diff (4.6 KB) - added by charles 10 years ago.
updated patch for (1) shttpd 1.42 and (2) to add the same behavior to log.c.

Change History (16)

comment:1 Changed 10 years ago by Stealth

  • Component changed from Transmission to Daemon
  • Owner set to charles

comment:2 Changed 10 years ago by charles

  • Status changed from new to assigned

backtrace of crash from a debug build:


Thread 1 (process 15152, thread 0x818b2400):
#0  0x1c0325e8 in decide_what_to_do (c=Cannot access memory at address 0x8194578c
) at shttpd.c:532
#1  0x1c033196 in parse_http_request (c=0x7f474000) at shttpd.c:746
#2  0x1c033d00 in process_connection (c=0x7f474000, remote_ready=524288, local_ready=0) at shttpd.c:1064
#3  0x1c034247 in process_worker_sockets (worker=0x7c5916c0, read_set=0x81955de0) at shttpd.c:1228
#4  0x1c034483 in shttpd_poll (ctx=0x8880f500, milliseconds=1) at shttpd.c:1281
#5  0x1c026802 in rpcPulse (socket=-1, action=1, vserver=0x81877c00) at rpc-server.c:323
#6  0x1c03d740 in event_process_active ()
#7  0x1c03d9b1 in event_base_loop ()
#8  0x1c03d870 in event_loop ()
#9  0x1c03d799 in event_dispatch ()
#10 0x1c012ce1 in libeventThreadFunc (veh=0x81877380) at trevent.c:152
#11 0x1c0089b2 in ThreadFunc (_t=0x87e0b080) at platform.c:122
#12 0x065ca2a7 in _thread_start () at /usr/src/lib/libpthread/uthread/uthread_create.c:244
#13 0x0000001f in ?? ()
#14 0x00000000 in ?? ()

comment:3 Changed 10 years ago by charles

  • Summary changed from transmission-daemon coredumps on OpenBSD to shttpd crash in decide_what_to_do()

comment:4 Changed 10 years ago by charles

  • Component changed from Daemon to libtransmission

Changed 10 years ago by muks

Patch which may fix this issue. Please try it.

comment:5 Changed 10 years ago by muks

The crash happens probably because OpenBSD's default thread stack size is 64KB and decide_what_to_do() allocates path[65536] as an auto variable.

comment:6 Changed 10 years ago by charles

Stealth: could you please test out a nightly build of r6645 or higher? I've upgraded Transmission's copy of shttpd to version 1.42.

comment:7 Changed 10 years ago by charles

I'm the one who increased the size of URI_MAX. It's also used for chunking incoming messages and responses, so I raised it to reduce the number of calls it took to send out very long JSON responses.

URI_MAX is 16384 by default in shttpd 1.42.

I notice URI_MAX is also used on the stack in the log function. Attached is a patch which includes muks' shttpd.c patch and does the same for log.c. It also avoids the strftime/malloc/free calls in log if the message isn't going to be written out.

Changed 10 years ago by charles

updated patch for (1) shttpd 1.42 and (2) to add the same behavior to log.c.
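
Comments 5 and 7 attribute the crash to a URI_MAX-sized auto array on a 64 KB thread stack and resolve it by moving the buffer to the heap. The C program below is an added example of that pattern, not code from shttpd or from either attached patch; the function names, the 4096-byte reserve and the sample paths are assumptions made for illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#define URI_MAX     65536       /* size of path[] cited in comment 5 */
#define SMALL_STACK (64 * 1024) /* thread stack size cited in comment 5 */

/* Would char buf[buf_size] fit on the stack and leave `reserve` bytes for other frames? */
static int auto_buffer_fits(size_t stack_size, size_t buf_size, size_t reserve)
{
    return buf_size <= stack_size && stack_size - buf_size >= reserve;
}

/* Heap variant: the frame holds one pointer. Returns path length, -1 on failure or truncation. */
static long build_path_heap(const char *root, const char *uri)
{
    char *path = malloc(URI_MAX);
    if (path == NULL)
        return -1;
    int n = snprintf(path, URI_MAX, "%s%s", root, uri);
    free(path); /* a real handler would use path before freeing it */
    return (n >= 0 && n < URI_MAX) ? n : -1;
}

static void *worker(void *result)
{
    *(long *)result = build_path_heap("/srv/web", "/index.html"); /* constructed paths */
    return NULL;
}

/* Run the heap variant on a thread that has stack_size bytes of stack. */
static long run_on_stack(size_t stack_size)
{
    pthread_attr_t attr;
    pthread_t tid;
    long result = -1;
    if (pthread_attr_init(&attr) != 0)
        return -1;
    if (pthread_attr_setstacksize(&attr, stack_size) == 0 &&
        pthread_create(&tid, &attr, worker, &result) == 0)
        pthread_join(tid, NULL);
    pthread_attr_destroy(&attr);
    return result;
}

int main(void)
{
    printf("auto array fits: %d, heap path length on 64 KB stack: %ld\n",
           auto_buffer_fits(SMALL_STACK, URI_MAX, 4096), run_on_stack(SMALL_STACK));
    return 0;
}
```

With the 16384-byte default URI_MAX mentioned in comment 7, the same fit check passes for a 64 KB stack, while the heap variant is independent of either value.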

comment:9 Changed 10 years ago by charles

patch applied locally in r6646

comment:10 Changed 10 years ago by Stealth

Weeeee, it works!

comment:11 Changed 10 years ago by charles

Reported fixed by user Enqlave in the #transmission IRC channel. :)

comment:12 Changed 10 years ago by smmalis

  • Resolution set to fixed
  • Status changed from assigned to closed

Seeing as this has been reported fixed...

comment:13 Changed 9 years ago by charles

  • Severity changed from Normal to Major
