-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix SIGSEGV at RTC::WebRtcTransport::OnIceServerTupleRemoved() #915
Conversation
- Fixes #883 ### Details - `IceServer` manages a list of `TransportTuples` instances in a `std::list`. Those are **not** pointers. - When `IceServer` removes a tuple from the list (for different reasons), it removes it from its `std::list`, which means that the removed `TransportTuple` is **freed**. And then it notifies `WebRtcTransport` via `this->listener->OnIceServerTupleRemoved(this, removedTuple);`. Problem was thta `WebRtcTransport` reads tuple data (`tuple->GetProtocol()` etc) so it's doing that in an already freed memory!, so crash. - Solution is to first notify the listener (`WebRtcTransport`) then remove it from the list (so free it after used).
Apart from a range loop change suggestion, 👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ibc,
I find this cleaner:
diff --git a/worker/src/RTC/IceServer.cpp b/worker/src/RTC/IceServer.cpp
index 27db36344..5962a4516 100644
--- a/worker/src/RTC/IceServer.cpp
+++ b/worker/src/RTC/IceServer.cpp
@@ -294,6 +294,8 @@ namespace RTC
if (!removedTuple)
return;
+ // Notify the listener.
+ this->listener->OnIceServerTupleRemoved(this, removedTuple);
// Remove it from the list of tuples.
this->tuples.erase(it);
@@ -316,9 +318,6 @@ namespace RTC
this->listener->OnIceServerDisconnected(this);
}
}
-
- // Notify the listener.
- this->listener->OnIceServerTupleRemoved(this, removedTuple);
}
void IceServer::ForceSelectedTuple(const RTC::TransportTuple* tuple)
We first notify the listener about the removed tuple, then tell it about the new selected one or about the disconnection. This flow seems more logical to me.
Agreed. Please @jmillan review again. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
…tica#915) - Fixes versatica#883 - `IceServer` manages a list of `TransportTuples` instances in a `std::list`. Those are **not** pointers. - When `IceServer` removes a tuple from the list (for different reasons), it removes it from its `std::list`, which means that the removed `TransportTuple` is **freed**. And then it notifies `WebRtcTransport` via `this->listener->OnIceServerTupleRemoved(this, removedTuple);`. Problem was that `WebRtcTransport` reads tuple data (`tuple->GetProtocol()` etc) so it's doing that in an already freed memory!, so crash. - Solution is to first notify the listener (`WebRtcTransport`) then remove it from the list (so free it after used).
Details
As @ybybwdwd said in in #883 (comment):
IceServer
manages a list ofTransportTuples
instances in astd::list
. Those are not pointers.IceServer
removes a tuple from the list (for different reasons), it removes it from itsstd::list
, which means that the removedTransportTuple
is freed. And then it notifiesWebRtcTransport
viathis->listener->OnIceServerTupleRemoved(this, removedTuple);
.WebRtcTransport
reads tuple data (tuple->GetProtocol()
etc) within itsOnIceServerTupleRemoved()
method, so it's reading freed memory!, so crash.Solution is to first notify the listener (
WebRtcTransport
) then remove it from the list (so free it after used).