nanomq / NanoNNG

The NNG submodule of NanoMQ
MIT License

crash of QUIC on ref of conn_param #674

Closed JaylinYu closed 1 year ago

JaylinYu commented 1 year ago

There is an issue in the new QUIC transport. The conn_param reference number needs to be recalculated.

wanghaEMQ commented 1 year ago

Still not fixed yet.

==612450==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000030050 at pc 0x5609031da44c bp 0x7febfe5e9b80 sp 0x7febfe5e9b70
WRITE of size 4 at 0x612000030050 thread T22
    #0 0x5609031da44b in nni_atomic_dec_nv /home/wangha/docu/nanomq/nng/src/platform/posix/posix_atomic.c:120
    #1 0x5609031fbc9a in conn_param_free /home/wangha/docu/nanomq/nng/src/sp/protocol/mqtt/mqtt_parser.c:860
    #2 0x5609032cbe50 in mqtt_quictran_pipe_fini /home/wangha/docu/nanomq/nng/src/mqtt/transport/quic/mqtt_quic.c:247
    #3 0x5609031c6faf in pipe_destroy /home/wangha/docu/nanomq/nng/src/core/pipe.c:86
    #4 0x5609031c8dad in reap_worker /home/wangha/docu/nanomq/nng/src/core/reap.c:58
    #5 0x5609031d4b7c in nni_thr_wrap /home/wangha/docu/nanomq/nng/src/core/thread.c:94
    #6 0x5609031ddd25 in nni_plat_thr_main /home/wangha/docu/nanomq/nng/src/platform/posix/posix_thread.c:266
    #7 0x7fec0c494b42 in start_thread nptl/pthread_create.c:442
    #8 0x7fec0c5269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x612000030050 is located 16 bytes inside of 264-byte region [0x612000030040,0x612000030148)
freed by thread T19 here:
    #0 0x7fec0ccb4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x5609031d93f3 in nni_free /home/wangha/docu/nanomq/nng/src/platform/posix/posix_alloc.c:33
    #2 0x5609031a731c in nng_free /home/wangha/docu/nanomq/nng/src/nng.c:78
    #3 0x5609031fc02a in conn_param_free /home/wangha/docu/nanomq/nng/src/sp/protocol/mqtt/mqtt_parser.c:875
    #4 0x56090319f278 in server_cb /home/wangha/docu/nanomq/nanomq/apps/broker.c:539
    #5 0x5609031d37c4 in nni_taskq_thread /home/wangha/docu/nanomq/nng/src/core/taskq.c:50
    #6 0x5609031d4b7c in nni_thr_wrap /home/wangha/docu/nanomq/nng/src/core/thread.c:94
    #7 0x5609031ddd25 in nni_plat_thr_main /home/wangha/docu/nanomq/nng/src/platform/posix/posix_thread.c:266
    #8 0x7fec0c494b42 in start_thread nptl/pthread_create.c:442

previously allocated by thread T19 here:
    #0 0x7fec0ccb4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5609031d9399 in nni_alloc /home/wangha/docu/nanomq/nng/src/platform/posix/posix_alloc.c:20
    #2 0x5609031a72b6 in nng_alloc /home/wangha/docu/nanomq/nng/src/nng.c:60
    #3 0x56090323fd29 in nni_get_conn_param_from_msg /home/wangha/docu/nanomq/nng/src/supplemental/mqtt/mqtt_msg.c:952
    #4 0x5609032cc1f0 in mqtt_quictran_ep_match /home/wangha/docu/nanomq/nng/src/mqtt/transport/quic/mqtt_quic.c:311
    #5 0x5609032cd7e0 in mqtt_quictran_pipe_nego_cb /home/wangha/docu/nanomq/nng/src/mqtt/transport/quic/mqtt_quic.c:470
    #6 0x5609031d37c4 in nni_taskq_thread /home/wangha/docu/nanomq/nng/src/core/taskq.c:50
    #7 0x5609031d4b7c in nni_thr_wrap /home/wangha/docu/nanomq/nng/src/core/thread.c:94
    #8 0x5609031ddd25 in nni_plat_thr_main /home/wangha/docu/nanomq/nng/src/platform/posix/posix_thread.c:266
    #9 0x7fec0c494b42 in start_thread nptl/pthread_create.c:442

Thread T22 created by T0 here:
    #0 0x7fec0cc58685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x5609031dde55 in nni_plat_thr_init /home/wangha/docu/nanomq/nng/src/platform/posix/posix_thread.c:279
    #2 0x5609031d4e28 in nni_thr_init /home/wangha/docu/nanomq/nng/src/core/thread.c:121
    #3 0x5609031c902e in nni_reap_sys_init /home/wangha/docu/nanomq/nng/src/core/reap.c:110
    #4 0x5609031bddd6 in nni_init_helper /home/wangha/docu/nanomq/nng/src/core/init.c:36
    #5 0x5609031de1fa in nni_plat_init /home/wangha/docu/nanomq/nng/src/platform/posix/posix_thread.c:422
    #6 0x5609031bde49 in nni_init /home/wangha/docu/nanomq/nng/src/core/init.c:58
    #7 0x560903222d8d in nng_mtx_alloc /home/wangha/docu/nanomq/nng/src/supplemental/util/platform.c:93
    #8 0x560903278e82 in conf_bridge_parse_ver2 /home/wangha/docu/nanomq/nng/src/supplemental/nanolib/conf_ver2.c:945
    #9 0x56090327a554 in conf_parse_ver2 /home/wangha/docu/nanomq/nng/src/supplemental/nanolib/conf_ver2.c:1251
    #10 0x5609031a5cd1 in broker_start /home/wangha/docu/nanomq/nanomq/apps/broker.c:1579
    #11 0x56090315f797 in main /home/wangha/docu/nanomq/nanomq/nanomq.c:142
    #12 0x7fec0c429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Thread T19 created by T0 here:
    #0 0x7fec0cc58685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x5609031dde55 in nni_plat_thr_init /home/wangha/docu/nanomq/nng/src/platform/posix/posix_thread.c:279
    #2 0x5609031d4e28 in nni_thr_init /home/wangha/docu/nanomq/nng/src/core/thread.c:121
    #3 0x5609031d3ae6 in nni_taskq_init /home/wangha/docu/nanomq/nng/src/core/taskq.c:95
    #4 0x5609031d4846 in nni_taskq_sys_init /home/wangha/docu/nanomq/nng/src/core/taskq.c:294
    #5 0x5609031bddc8 in nni_init_helper /home/wangha/docu/nanomq/nng/src/core/init.c:35
    #6 0x5609031de1fa in nni_plat_init /home/wangha/docu/nanomq/nng/src/platform/posix/posix_thread.c:422
    #7 0x5609031bde49 in nni_init /home/wangha/docu/nanomq/nng/src/core/init.c:58
    #8 0x560903222d8d in nng_mtx_alloc /home/wangha/docu/nanomq/nng/src/supplemental/util/platform.c:93
    #9 0x560903278e82 in conf_bridge_parse_ver2 /home/wangha/docu/nanomq/nng/src/supplemental/nanolib/conf_ver2.c:945
    #10 0x56090327a554 in conf_parse_ver2 /home/wangha/docu/nanomq/nng/src/supplemental/nanolib/conf_ver2.c:1251
    #11 0x5609031a5cd1 in broker_start /home/wangha/docu/nanomq/nanomq/apps/broker.c:1579
    #12 0x56090315f797 in main /home/wangha/docu/nanomq/nanomq/nanomq.c:142
    #13 0x7fec0c429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /home/wangha/docu/nanomq/nng/src/platform/posix/posix_atomic.c:120 in nni_atomic_dec_nv
Shadow bytes around the buggy address:
  0x0c247fffdfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffdfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffdfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffdfe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffdff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c247fffe000: fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd fd fd
  0x0c247fffe010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fffe020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247fffe030: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fffe040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffe050: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==612450==ABORTING
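The trace above shows the shape of the bug rather than just its location: thread T19 releases the conn_param from server_cb (conn_param_free at mqtt_parser.c:875 frees the 264-byte block), and thread T22 later releases it again from mqtt_quictran_pipe_fini, so nni_atomic_dec_nv writes into freed memory. In other words, the object was released more times than references were taken for it. The following C program is an added illustration of the reference discipline that avoids this; it is not NanoNNG code, and the demo_conn_param type and demo_* functions are hypothetical stand-ins for conn_param and its clone/free helpers. The two holders it models, "pipe" and "callback", correspond to the two threads in the trace.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a conn_param: a refcount plus one payload
 * field. Not the project's struct. */
typedef struct {
    atomic_int refcnt;
    char       clientid[32];
} demo_conn_param;

/* Instrumentation only: how many times the object was actually freed. */
static int demo_free_calls = 0;

demo_conn_param *demo_cp_new(const char *clientid)
{
    demo_conn_param *cp = calloc(1, sizeof(*cp));
    if (cp == NULL) {
        return NULL;
    }
    atomic_init(&cp->refcnt, 1); /* the creator owns the first reference */
    snprintf(cp->clientid, sizeof cp->clientid, "%s", clientid);
    return cp;
}

/* Every holder that stores the pointer must take its own reference. */
demo_conn_param *demo_cp_clone(demo_conn_param *cp)
{
    atomic_fetch_add_explicit(&cp->refcnt, 1, memory_order_relaxed);
    return cp;
}

/* Drop one reference; free only when the last one goes.
 * Returns true when this call was the one that freed the object. */
bool demo_cp_free(demo_conn_param *cp)
{
    int prev = atomic_fetch_sub_explicit(&cp->refcnt, 1, memory_order_acq_rel);
    if (prev == 1) {
        free(cp);
        demo_free_calls++;
        return true;
    }
    return false;
}

/* Both holders clone, then release in either order: exactly one free,
 * whichever thread finishes last. Returns the number of frees observed. */
int demo_teardown_order(bool callback_releases_first)
{
    demo_free_calls = 0;
    demo_conn_param *cp      = demo_cp_new("client-1");
    demo_conn_param *pipe_cp = demo_cp_clone(cp); /* stored by the pipe */
    demo_conn_param *cb_cp   = demo_cp_clone(cp); /* travels with the message */
    demo_cp_free(cp);                              /* creator is done with it */
    if (callback_releases_first) {
        demo_cp_free(cb_cp);   /* callback thread finishes first */
        demo_cp_free(pipe_cp); /* pipe teardown on the reaper thread */
    } else {
        demo_cp_free(pipe_cp);
        demo_cp_free(cb_cp);
    }
    return demo_free_calls;
}

/* Audit of the mismatch itself: the refcount right after both holders
 * have stored the pointer. With three owners (creator, pipe, callback)
 * the count must be 3; a holder that keeps the raw pointer without
 * cloning leaves it at 2, so the third release would run on freed memory.
 * Only references that were actually taken are released here. */
int demo_refs_after_match(bool pipe_clones)
{
    demo_conn_param *cp      = demo_cp_new("client-1");
    demo_conn_param *pipe_cp = pipe_clones ? demo_cp_clone(cp) : cp;
    demo_conn_param *cb_cp   = demo_cp_clone(cp);
    int refs = atomic_load(&cp->refcnt);
    demo_cp_free(cb_cp);
    if (pipe_clones) {
        demo_cp_free(pipe_cp);
    }
    demo_cp_free(cp);
    return refs;
}

int main(void)
{
    printf("frees, callback first: %d\n", demo_teardown_order(true));
    printf("frees, pipe first:     %d\n", demo_teardown_order(false));
    printf("refs with pipe clone:  %d\n", demo_refs_after_match(true));
    printf("refs without clone:    %d\n", demo_refs_after_match(false));
    return 0;
}
```

The check a reviewer would apply to the real code is the same as demo_refs_after_match: count the places that store the pointer (the pipe in mqtt_quictran_ep_match, the message handed to server_cb) and the places that call conn_param_free, and require one clone per stored copy. The decrement uses acquire-release ordering so that the thread which observes the count reach zero also sees every other holder's last writes before it frees the block.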
JaylinYu commented 1 year ago

Should have been fixed in #685.