Crash in PLT_HttpServerSocketTask (SONOS and XBMC Incompatibility)
#1
The crash appears pretty randomly. I pulled the latest from git, built it in debug mode and ran it from gdb until it crashed.

Backtrace:

#0 operator= (object=0x0, this=0xac64c1e4) at Neptune/Source/Core/NptHttp.cpp:2378
#1 NPT_HttpEntity::GetInputStream (this=0x0, stream=...) at Neptune/Source/Core/NptHttp.cpp:372
#2 0x0872f060 in PLT_HttpServerSocketTask::Write (this=0x0, response=0x0, keep_alive=@0xac64c25b: true, headers_only=false)
at Platinum/Source/Core/PltHttpServerTask.cpp:289
#3 0x0872eb4b in PLT_HttpServerSocketTask::DoRun (this=0xac35f90) at Platinum/Source/Core/PltHttpServerTask.cpp:107
#4 0x0873a460 in PLT_ThreadTask::Run (this=0xac35f90) at Platinum/Source/Core/PltThreadTask.cpp:138
#5 0x0876a6a2 in NPT_PosixThread::Run (this=0xb25b918) at Neptune/Source/System/Posix/NptPosixThreads.cpp:514
#6 0x0876afff in NPT_PosixThread::EntryPoint (argument=0xb25b918) at Neptune/Source/System/Posix/NptPosixThreads.cpp:445
#7 0xb73f5d4c in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#8 0xb66c1ace in clone () from /lib/i386-linux-gnu/libc.so.6

The "this" pointer is null in frames 0,1,2 so it must have been corrupted in frame 3.

From frame 3, we have these locals:

request = 0x919b990
response = 0xbdd6f30
buffered_input_stream = {m_Object = 0xbf8c4b0, m_Counter = 0xa466370}
context = {m_LocalAddress = {m_IpAddress = {static Any = {static Any = <same as static member of an already seen type>, m_Address = "\000\000\000"},
m_Address = "\300\250\001f"}, m_Port = 61777}, m_RemoteAddress = {m_IpAddress = {static Any = {
static Any = <same as static member of an already seen type>, m_Address = "\000\000\000"}, m_Address = "\300\250\001d"}, m_Port = 64209}}
res = <optimized out>
headers_only = <optimized out>
keep_alive = true
input_stream = {m_Object = 0xb281de0, m_Counter = 0xaf3dc20}


From the request headers, it appears to be crashing upon a request from the Sonos software running on my Macbook:

$11 = {m_Name = {m_Chars = 0xa9ee178 "HOST", static EmptyString = 0 '\000'}, m_Value = {m_Chars = 0xac13d30 "192.168.1.102:61777",
static EmptyString = 0 '\000'}}
(gdb) print *(request->m_Headers.m_Headers.m_Head->m_Next->m_Data)
$12 = {m_Name = {m_Chars = 0xaef3928 "USER-AGENT", static EmptyString = 0 '\000'}, m_Value = {
m_Chars = 0xb26ab58 "Linux UPnP/1.0 Sonos/17.5-51200g (MDCR_MacBookPro8,1)", static EmptyString = 0 '\000'}}
(gdb) print *(request->m_Headers.m_Headers.m_Head->m_Next->m_Data)
$13 = {m_Name = {m_Chars = 0xaef3928 "USER-AGENT", static EmptyString = 0 '\000'}, m_Value = {
m_Chars = 0xb26ab58 "Linux UPnP/1.0 Sonos/17.5-51200g (MDCR_MacBookPro8,1)", static EmptyString = 0 '\000'}}
(gdb) print *(request->m_Headers.m_Headers.m_Head->m_Next->m_Next->m_Data)
$14 = {m_Name = {m_Chars = 0xada5100 "CALLBACK", static EmptyString = 0 '\000'}, m_Value = {m_Chars = 0xac9c700 "<http://192.168.1.100:0(null)>",
static EmptyString = 0 '\000'}}
(gdb) print *(request->m_Headers.m_Headers.m_Head->m_Next->m_Next->m_Next->m_Data)
$15 = {m_Name = {m_Chars = 0xa90c3f0 "NT", static EmptyString = 0 '\000'}, m_Value = {m_Chars = 0xb086328 "upnp:event", static EmptyString = 0 '\000'}}
(gdb) print *(request->m_Headers.m_Headers.m_Head->m_Next->m_Next->m_Next->m_Next->m_Data)
$16 = {m_Name = {m_Chars = 0xb205840 "TIMEOUT", static EmptyString = 0 '\000'}, m_Value = {m_Chars = 0xc0b20e8 "Second-0", static EmptyString = 0 '\000'}}
#2
Captured traffic that causes it. Connect to port 61777 of XBMC and send this:
Code:
SUBSCRIBE (null) HTTP/1.1
HOST: 192.168.1.102:61777
USER-AGENT: Linux UPnP/1.0 Sonos/17.5-51200g (MDCR_MacBookPro8,1)
CALLBACK: <http://192.168.1.100:0(null)>
NT: upnp:event
TIMEOUT: Second-0

XBMC will respond and immediately crash.
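As an added example (not from the thread, XBMC or Platinum), this check shows which fields of the request captured in post #2 are malformed, so that such requests can be spotted in a capture or log. `WELL_FORMED`, the function names and the expectation of an origin-form path are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit
# The request from post #2, embedded so the check runs offline.
CAPTURED = (
    "SUBSCRIBE (null) HTTP/1.1\r\n"
    "HOST: 192.168.1.102:61777\r\n"
    "USER-AGENT: Linux UPnP/1.0 Sonos/17.5-51200g (MDCR_MacBookPro8,1)\r\n"
    "CALLBACK: <http://192.168.1.100:0(null)>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-0\r\n\r\n"
)
# Constructed well-formed request for comparison (path and callback are made up).
WELL_FORMED = (
    "SUBSCRIBE /example/event HTTP/1.1\r\n"
    "HOST: 192.168.1.102:61777\r\n"
    "CALLBACK: <http://192.168.1.100:3400/notify>\r\n"
    "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n"
)

def parse_request(raw):
    """Split a raw request into (method, target, {UPPERCASE-NAME: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return method, target, headers

def subscribe_problems(raw):
    """List the malformed fields of a SUBSCRIBE request (empty list = none found)."""
    method, target, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return ["not a SUBSCRIBE request"]
    problems = []
    if not target.startswith("/"):  # assumption: an origin-form path is expected
        problems.append("request-target %r is not a path" % target)
    urls = re.findall(r"<([^<>]*)>", headers.get("CALLBACK", ""))
    if not urls:
        problems.append("CALLBACK carries no <url>")
    for url in urls:
        try:
            port = urlsplit(url).port  # raises ValueError on a non-numeric port
        except ValueError:
            problems.append("CALLBACK %r has an unparsable port" % url)
            continue
        if port == 0:
            problems.append("CALLBACK %r uses port 0" % url)
    return problems
```

For the captured request this reports two problems: the `(null)` request-target and the `0(null)` port in CALLBACK.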
#3
The "this" pointer in the second stack frame was throwing me. The bug is caused by a failure to check for null on entity before dereferencing it.

Code:
diff --git a/lib/libUPnP/Platinum/Source/Core/PltHttpServerTask.cpp b/lib/libUPnP/Platinum/Source/Core/PltHttpServerTask.cpp
index 25df3d6..5ff2d07 100644
--- a/lib/libUPnP/Platinum/Source/Core/PltHttpServerTask.cpp
+++ b/lib/libUPnP/Platinum/Source/Core/PltHttpServerTask.cpp
@@ -286,7 +286,7 @@ PLT_HttpServerSocketTask::Write(NPT_HttpResponse* response,
     NPT_CHECK_WARNING(output_stream->WriteFully(header_stream.GetData(), header_stream.GetDataSize()));

     // send response body if any
-    if (!headers_only && NPT_SUCCEEDED(entity->GetInputStream(body_stream)) && !body_stream.IsNull()) {
+    if (!headers_only && entity && NPT_SUCCEEDED(entity->GetInputStream(body_stream)) && !body_stream.IsNull()) {
         NPT_CHECK_WARNING(NPT_StreamToStreamCopy(
             *body_stream.AsPointer(),
             *output_stream.AsPointer(),
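Review bot: the added "entity &&" test in the condition at line 289 guards only this one dereference, and entity is obtained earlier in Write(), outside the hunk, so please confirm that nothing between that assignment and this line uses it unguarded. The ordering is right: entity is tested before entity->GetInputStream(body_stream) is evaluated, so the short-circuit prevents the call on a null pointer. Since the condition now has four clauses, consider hoisting the null test into its own early check (or a named local) next to the "send response body if any" comment, so the no-entity case is visible to the next reader rather than buried in the middle of the expression.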
#4
Mind checking if this is fixed upstream? If not, I'm sure they'll be interested. XBMC should have an updated version of Platinum later in the year, so would be useful to check if it's fixed there first.

Cheers,
Jonathan
#5
Submitted a topic to their forum regarding it. Looked at the code, and the issue appears to still be there.

https://sourceforge.net/projects/platinu...ic/5292228