Closed sunqifs7 closed 4 years ago
Describe the bug The bug happens when a random packet is received on the peer-port of the kraken-agent, instead of a p2p message from other peers. When receiving a packet from the peer-port, this code will retrieve the content and validate the msg: https://github.com/uber/kraken/blob/master/lib/torrent/scheduler/conn/message.go#L126-L144 However, if some malformed packet accidentally passes those 4 checks and finally constructs an empty p2p.Message struct, the empty msg struct will then go here: https://github.com/uber/kraken/blob/d8d5afbe4dda5cacdd1c5de896ff1e0409910992/lib/torrent/scheduler/conn/handshaker.go#L97 The m.Type check is fine, since the default value for int32 is 0, which unexpectedly matches this check; but when retrieving m.Bitfield, there would be a nil pointer panic.
To Reproduce Try to send an empty p2p msg mocking the peer msg
Expected behavior kraken-agent will panic with a nil pointer.
Environments docker container running on bare metal.
Additional context panic stack trace:
panic: runtime error: invalid memory address or nil pointer dereference
signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x8148f8

goroutine 200 [running]:
github.com/uber/kraken/lib/torrent/scheduler/conn.handshakeFromP2PMessage(0xc0004024b0, 0xc00000e1c0, 0x12a05f200, 0xc0004024b0)
	/go/src/github.com/uber/kraken/lib/torrent/scheduler/conn/handshaker.go:101 +0x48
github.com/uber/kraken/lib/torrent/scheduler/conn.(*Handshaker).readHandshake(0xc000404280, 0xccbda0, 0xc00000e1c0, 0xc000200c40, 0xc000200cb0, 0xc000200d20)
	/go/src/github.com/uber/kraken/lib/torrent/scheduler/conn/handshaker.go:302 +0xe9
github.com/uber/kraken/lib/torrent/scheduler/conn.(*Handshaker).Accept(0xc000404280, 0xccbda0, 0xc00000e1c0, 0xc000201180, 0xc0002011f0, 0xc000201260)
	/go/src/github.com/uber/kraken/lib/torrent/scheduler/conn/handshaker.go:228 +0x43
github.com/uber/kraken/lib/torrent/scheduler.(*scheduler).listenLoop.func1(0xc0000e2500, 0xccbda0, 0xc00000e1c0)
	/go/src/github.com/uber/kraken/lib/torrent/scheduler/scheduler.go:326 +0x4a
created by github.com/uber/kraken/lib/torrent/scheduler.(*scheduler).listenLoop
	/go/src/github.com/uber/kraken/lib/torrent/scheduler/scheduler.go:325 +0x174
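The failure mode the report describes, as an added example that is not kraken's own code: a type tag whose zero value happens to be the expected handshake type, next to a nil payload pointer that the handshake decoder dereferences without checking. The struct and field names below (MessageType, BitfieldPayload, Handshake, the InfoHash/PeerID/Bitfield fields) are simplified stand-ins for the generated p2p.Message, and the assumption that the bitfield type is the int32 zero value is taken from the report, not verified against the proto. The unsafe function reproduces the crash (recovered so the program survives); the hardened function shows the checks a listener that accepts unauthenticated packets should perform before touching any oneof-style pointer.

```go
package main

import (
	"errors"
	"fmt"
)

// MessageType stands in for the protobuf enum on p2p.Message. Per the report,
// the bitfield type is the int32 zero value, so an all-zero Message passes the
// type check; that assumption is encoded here (assumed, not kraken's enum).
type MessageType int32

const (
	MessageTypeBitfield MessageType = 0
	MessageTypeOther    MessageType = 1
)

// BitfieldPayload is an assumed, simplified stand-in for the nested bitfield
// message; field names are illustrative, not kraken's generated code.
type BitfieldPayload struct {
	InfoHash string
	PeerID   string
	Bitfield []byte
}

// Message mirrors the shape that matters for the bug: a type tag plus a
// pointer to the per-type payload, which stays nil when the wire bytes never set it.
type Message struct {
	Type     MessageType
	Bitfield *BitfieldPayload
}

// Handshake is the decoded result the scheduler would consume.
type Handshake struct {
	InfoHash string
	PeerID   string
	Bitfield []byte
}

// handshakeFromP2PMessageUnsafe reproduces the faulty pattern: the type check
// is satisfied by the zero value, and m.Bitfield is dereferenced unchecked.
func handshakeFromP2PMessageUnsafe(m *Message) (*Handshake, error) {
	if m.Type != MessageTypeBitfield {
		return nil, fmt.Errorf("expected bitfield message, got type %d", m.Type)
	}
	// nil pointer dereference when the payload was never populated
	return &Handshake{
		InfoHash: m.Bitfield.InfoHash,
		PeerID:   m.Bitfield.PeerID,
		Bitfield: m.Bitfield.Bitfield,
	}, nil
}

// handshakeFromP2PMessage is the hardened version: every pointer a remote
// sender could have left nil is validated before use, and an empty payload is
// rejected as a protocol error instead of crashing the listener goroutine.
func handshakeFromP2PMessage(m *Message) (*Handshake, error) {
	if m == nil {
		return nil, errors.New("nil message")
	}
	if m.Type != MessageTypeBitfield {
		return nil, fmt.Errorf("expected bitfield message, got type %d", m.Type)
	}
	if m.Bitfield == nil {
		return nil, errors.New("bitfield message has no payload")
	}
	if m.Bitfield.InfoHash == "" || m.Bitfield.PeerID == "" {
		return nil, errors.New("bitfield message missing info hash or peer id")
	}
	if len(m.Bitfield.Bitfield) == 0 {
		return nil, errors.New("bitfield message has empty bitfield")
	}
	return &Handshake{
		InfoHash: m.Bitfield.InfoHash,
		PeerID:   m.Bitfield.PeerID,
		Bitfield: m.Bitfield.Bitfield,
	}, nil
}

// panicsOnEmptyMessage feeds an all-zero Message (what a stray packet that
// slips past the frame checks decodes to) into the unsafe path and reports
// whether it panicked, recovering so the demonstration itself does not die.
func panicsOnEmptyMessage() (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	_, _ = handshakeFromP2PMessageUnsafe(&Message{})
	return false
}

// exampleBitfieldMessage is a constructed, well-formed handshake message.
func exampleBitfieldMessage() *Message {
	return &Message{
		Type: MessageTypeBitfield,
		Bitfield: &BitfieldPayload{
			InfoHash: "0123456789abcdef0123456789abcdef01234567",
			PeerID:   "peer-1",
			Bitfield: []byte{0xff, 0x0f},
		},
	}
}

func main() {
	fmt.Println("unsafe path panics on empty message:", panicsOnEmptyMessage())
	if _, err := handshakeFromP2PMessage(&Message{}); err != nil {
		fmt.Println("hardened path rejects empty message:", err)
	}
	h, err := handshakeFromP2PMessage(exampleBitfieldMessage())
	fmt.Printf("hardened path accepts valid message: %+v (err=%v)\n", h, err)
}
```

The general lesson is independent of kraken: a `oneof`-style message decoded from untrusted bytes guarantees nothing about which sub-message pointers are set, and a type tag whose zero value is also a meaningful type means the "right type" check passes for garbage. Validate the payload pointer and its required fields in the same place the type is checked, and return an error the accept loop can log and drop rather than letting a remote packet take down the listener.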