mediasoup v2: Crash when RtpStreamSend::StorePacket receives an oldest packet, yet no buffer space left to store it.

27 views
Skip to first unread message

zkfun

unread,
Dec 19, 2019, 7:20:10 AM12/19/19
to mediasoup
// The packet was older than anything in the buffer, store it at the
// beginning.
if (bufferItReverse == this->buffer.rend())
{
// the begin It is replaced by "bufferItem"
newBufferIt = this->buffer.insert(this->buffer.begin(), bufferItem);
}

...

// If the buffer is not full use the next free storage item.
if (this->buffer.size() - 1 < this->storage.size())
{
store = this->storage[this->buffer.size() - 1].store;
}
// Otherwise remove the first packet of the buffer and replace its storage
// area.
else
{

auto &firstBufferItem = *(this->buffer.begin());
auto firstPacket = firstBufferItem.packet;

// Store points to the store used by the first packet.
store = const_cast<uint8_t *>(firstPacket->GetData());
// Free the first packet.
delete firstPacket;
// Remove the first element in the list.
this->buffer.pop_front();
}

zkfun

unread,
Dec 19, 2019, 7:28:14 AM12/19/19
to mediasoup

 if the storing packet is an oldest packet, and yet this->buffer is full. then auto &firstBufferItem = *(this->buffer.begin()) will be the bufferItem that just been store at the begin of this.buffer. In that case, firstBufferItem.packet is a nullptr. 
在 2019年12月19日星期四 UTC+8下午8:20:10,zkfun写道:

zkfun

unread,
Dec 19, 2019, 7:29:31 AM12/19/19
to mediasoup
mediasoup-worker's stderr: ASAN:DEADLYSIGNAL
mediasoup-worker's stderr: =================================================================
mediasoup-worker's stderr: ==18==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x556e9d1a5b21 bp 0x7ffc98d83df0 sp 0x7ffc98d83de0 T0)
mediasoup-worker's stderr:     #0 0x556e9d1a5b20 in RTC::RtpPacket::GetData() const ../include/RTC/RtpPacket.hpp:169
mediasoup-worker's stderr:     #1 0x556e9d23d92e in RTC::RtpStreamSend::StorePacket(RTC::RtpPacket*) ../src/RTC/RtpStreamSend.cpp:384
mediasoup-worker's stderr:     #2 0x556e9d23a3e0 in RTC::RtpStreamSend::ReceivePacket(RTC::RtpPacket*) ../src/RTC/RtpStreamSend.cpp:64
mediasoup-worker's stderr:     #3 0x556e9d24b1b8 in RTC::SimulcastConsumer::SendRtpPacket(RTC::RtpPacket*, RTC::RtpEncodingParameters::Profile) ../src/RTC/SimulcastConsumer.cpp:552
mediasoup-worker's stderr:     #4 0x556e9d24fb5d in RTC::SimulcastConsumer::ProcessRtpPacket(RTC::RtpPacket*, RTC::RtpEncodingParameters::Profile) ../src/RTC/SimulcastConsumer.cpp:1191
mediasoup-worker's stderr:     #5 0x556e9d1fb038 in RTC::Router::OnProducerRtpPacket(RTC::Producer*, RTC::RtpPacket*, RTC::RtpEncodingParameters::Profile) ../src/RTC/Router.cpp:1800
mediasoup-worker's stderr:     #6 0x556e9d1d8b78 in RTC::Producer::ReceiveRtpPacket(RTC::RtpPacket*) ../src/RTC/Producer.cpp:322
mediasoup-worker's stderr:     #7 0x556e9d2880b5 in RTC::WebRtcTransport::OnRtpDataRecv(RTC::TransportTuple*, unsigned char const*, unsigned long) ../src/RTC/WebRtcTransport.cpp:702
mediasoup-worker's stderr:     #8 0x556e9d286bc3 in RTC::WebRtcTransport::OnPacketRecv(RTC::TransportTuple*, unsigned char const*, unsigned long) ../src/RTC/WebRtcTransport.cpp:531
mediasoup-worker's stderr:     #9 0x556e9d2823cd in RTC::WebRtcTransport::OnPacketRecv(RTC::UdpSocket*, unsigned char const*, unsigned long, sockaddr const*) ../src/RTC/WebRtcTransport.cpp:772
mediasoup-worker's stderr:     #10 0x556e9d28beec in RTC::TransportProxy::OnPacketRecv(RTC::UdpSocket*, unsigned char const*, unsigned long, sockaddr const*) ../src/RTC/TransportProxy.cpp:133
mediasoup-worker's stderr:     #11 0x556e9d270550 in RTC::UdpSocket::UserOnUdpDatagramRecv(unsigned char const*, unsigned long, sockaddr const*) ../src/RTC/UdpSocket.cpp:289
mediasoup-worker's stderr:     #12 0x556e9d34491f in UdpSocket::OnUvRecv(long, uv_buf_t const*, sockaddr const*, unsigned int) ../src/handles/UdpSocket.cpp:348
mediasoup-worker's stderr:     #13 0x556e9d341b73 in onRecv ../src/handles/UdpSocket.cpp:24
mediasoup-worker's stderr:     #14 0x556e9d37ef3b in uv__udp_recvmsg ../deps/libuv/src/unix/udp.c:205
mediasoup-worker's stderr:     #15 0x556e9d37ec81 in uv__udp_io ../deps/libuv/src/unix/udp.c:142
mediasoup-worker's stderr:     #16 0x556e9d380dd0 in uv__io_poll ../deps/libuv/src/unix/linux-core.c:400
mediasoup-worker's stderr:     #17 0x556e9d371f46 in uv_run ../deps/libuv/src/unix/core.c:362
mediasoup-worker's stderr:     #18 0x556e9d1513c2 in DepLibUV::RunLoop() ../src/DepLibUV.cpp:49
mediasoup-worker's stderr:     #19 0x556e9d163dbb in Worker::Worker(Channel::UnixStreamSocket*) ../src/Worker.cpp:34
mediasoup-worker's stderr:     #20 0x556e9d347198 in main ../src/main.cpp:95
mediasoup-worker's stderr:     #21 0x7fb18ea742e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
mediasoup-worker's stderr:     #22 0x556e9d14fba9 in _start (/root/msms/worker/out/Debug/mediasoup-worker+0x90ba9)
mediasoup-worker's stderr: AddressSanitizer can not provide additional info.
mediasoup-worker's stderr: SUMMARY: AddressSanitizer: SEGV ../include/RTC/RtpPacket.hpp:169 in RTC::RtpPacket::GetData() const
mediasoup-worker's stderr: ==18==ABORTING



在 2019年12月19日星期四 UTC+8下午8:20:10,zkfun写道:
// The packet was older than anything in the buffer, store it at the

zkfun

unread,
Dec 19, 2019, 7:32:45 AM12/19/19
to mediasoup
// The packet was older than anything in the buffer, store it at the
// beginning.
if (bufferItReverse == this->buffer.rend())
{
// special case: receive an oldest packet and yet no buffer space to store it.
if(this->buffer.size() == this->storage.size())
{
return;
}
newBufferIt = this->buffer.insert(this->buffer.begin(), bufferItem);
}


I think drop it will be fine since it is the oldest one.

在 2019年12月19日星期四 UTC+8下午8:29:31,zkfun写道:

Iñaki Baz Castillo

unread,
Dec 19, 2019, 7:52:57 AM12/19/19
to medi...@googlegroups.com
Can you please report the issue in GitHub? This mailing list is deprecated.
> --
> mediasoup
> Cutting Edge WebRTC Video Conferencing
>
> https://mediasoup.org
>
> NOTE: This group is deprecated. Use the mediasoup Discourse Group instead:
>
> https://mediasoup.discourse.group
> ---
> You received this message because you are subscribed to the Google Groups "mediasoup" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to mediasoup+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/mediasoup/7dcde3a2-f1bd-4cfe-ba7e-7f206e6005b8%40googlegroups.com.



--
Iñaki Baz Castillo
<i...@aliax.net>

Iñaki Baz Castillo

unread,
Dec 19, 2019, 8:17:11 AM12/19/19
to medi...@googlegroups.com
BTW I've commited this into v2:

https://github.com/versatica/mediasoup/commit/81c7cc9ed7764ebfc72f1b1cb97d31108fb4a559

Please, report the issue in GitHub and let me know there whether such
a commit looks good. If so I'll release a new v2 version.

BTW I assume this bug cannot happen in v3 since the RTP storage system
is completely different.

Thanks!

zkfun

unread,
Dec 19, 2019, 8:51:27 PM12/19/19
to mediasoup
https://github.com/versatica/mediasoup/issues/new?labels=bug&template=Bug_Report.md says I should report here, anyway, this commit looks good to me and is exactly what we do to fix this bug.

在 2019年12月19日星期四 UTC+8下午9:17:11,Iñaki Baz Castillo写道:
> > To unsubscribe from this group and stop receiving emails from it, send an email to medi...@googlegroups.com.

Iñaki Baz Castillo

unread,
Dec 19, 2019, 9:15:53 PM12/19/19
to medi...@googlegroups.com
Well, Bug_Report.md tries to send that you should just use GitHub
issues for bugs, and your was a bug :)

Anyway it was wrong since the support site is no longer a mailing list
but the new mediasoup Discourse Group. I've fixed it.

I've released mediasoup v2.6.19 with the fix:

* `RtpStreamSend.cpp`: Fix a crash in `StorePacket()` when it receives
an old packet and there is no space left in the storage buffer (thanks
to zkfun for reporting it and providing us with the solution).
* Update deps.

Thanks!
> To unsubscribe from this group and stop receiving emails from it, send an email to mediasoup+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/mediasoup/b49de4ed-decd-44d6-abcd-ef551aa399ea%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages