Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix SIGSEGV at RTC::WebRtcTransport::OnIceServerTupleRemoved() #915

Merged
merged 5 commits into from
Sep 29, 2022
Merged

Conversation

ibc
Copy link
Member

@ibc ibc commented Sep 29, 2022

Details

As @ybybwdwd said in in #883 (comment):

  • IceServer manages a list of TransportTuples instances in a std::list. Those are not pointers.
  • When IceServer removes a tuple from the list (for different reasons), it removes it from its std::list, which means that the removed TransportTuple is freed. And then it notifies WebRtcTransport via this->listener->OnIceServerTupleRemoved(this, removedTuple);.
  • Problem was that WebRtcTransport reads tuple data (tuple->GetProtocol() etc) within its OnIceServerTupleRemoved() method, so it's reading freed memory!, so crash.

Solution is to first notify the listener (WebRtcTransport) then remove it from the list (so free it after used).

- Fixes #883

### Details

- `IceServer` manages a list of `TransportTuples` instances in a `std::list`. Those are **not** pointers.
- When `IceServer` removes a tuple from the list (for different reasons), it removes it from its `std::list`, which means that the removed `TransportTuple` is **freed**. And then it notifies `WebRtcTransport` via `this->listener->OnIceServerTupleRemoved(this, removedTuple);`. Problem was thta `WebRtcTransport` reads tuple data (`tuple->GetProtocol()` etc) so it's doing that in an already freed memory!, so crash.
- Solution is to first notify the listener (`WebRtcTransport`) then remove it from the list (so free it after used).
@jmillan
Copy link
Member

jmillan commented Sep 29, 2022

Apart from a range loop change suggestion, 👍

Copy link
Member

@jmillan jmillan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ibc,

I find this cleaner:

diff --git a/worker/src/RTC/IceServer.cpp b/worker/src/RTC/IceServer.cpp
index 27db36344..5962a4516 100644
--- a/worker/src/RTC/IceServer.cpp
+++ b/worker/src/RTC/IceServer.cpp
@@ -294,6 +294,8 @@ namespace RTC
                if (!removedTuple)
                        return;

+               // Notify the listener.
+               this->listener->OnIceServerTupleRemoved(this, removedTuple);
                // Remove it from the list of tuples.
                this->tuples.erase(it);

@@ -316,9 +318,6 @@ namespace RTC
                                this->listener->OnIceServerDisconnected(this);
                        }
                }
-
-               // Notify the listener.
-               this->listener->OnIceServerTupleRemoved(this, removedTuple);
        }

        void IceServer::ForceSelectedTuple(const RTC::TransportTuple* tuple)

We first notify the listener about the removed tuple, then tell it about the new selected one or about the disconnection. This flow seems more logical to me.

@ibc
Copy link
Member Author

ibc commented Sep 29, 2022

Agreed. Please @jmillan review again.

@ibc ibc requested a review from jmillan September 29, 2022 15:22
Copy link
Member

@jmillan jmillan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@ibc ibc merged commit bd1b434 into v3 Sep 29, 2022
@ibc ibc deleted the fix-issue-883 branch September 29, 2022 15:38
piranna pushed a commit to dyte-in/mediasoup that referenced this pull request Feb 9, 2023
…tica#915)

- Fixes versatica#883
- `IceServer` manages a list of `TransportTuples` instances in a `std::list`. Those are **not** pointers.
- When `IceServer` removes a tuple from the list (for different reasons), it removes it from its `std::list`, which means that the removed `TransportTuple` is **freed**. And then it notifies `WebRtcTransport` via `this->listener->OnIceServerTupleRemoved(this, removedTuple);`. Problem was that `WebRtcTransport` reads tuple data (`tuple->GetProtocol()` etc) so it's doing that in an already freed memory!, so crash.
- Solution is to first notify the listener (`WebRtcTransport`) then remove it from the list (so free it after used).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

SIGSEGV at 'RTC::WebRtcTransport::OnIceServerTupleRemoved'
2 participants