xlgjjff / libtorrent

Automatically exported from code.google.com/p/libtorrent

Crash in upnp_delete_mapping #96

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. I got several users who recently reported the same crash on startup.
2.
3.

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
libtorrent v0.14.10 on Linux

Please provide any additional information below.
  /lib/tls/i686/cmov/libpthread.so.0 : pthread_mutex_lock()+0x1d [0x39cf2d]
  /usr/lib/libtorrent-rasterbar.so.5 : libtorrent::upnp::delete_mapping(int)+0x2c [0x11e409c]
  /usr/lib/libtorrent-rasterbar.so.5 : libtorrent::aux::session_impl::set_dht_settings(libtorrent::dht_settings const&)+0x129 [0x1110179]
  /usr/lib/libtorrent-rasterbar.so.5 : libtorrent::session::set_dht_settings(libtorrent::dht_settings const&)+0x27 [0x1106b97]
  qbittorrent : Bittorrent::setDHTPort(int)+0x45 [0x80a21c5]
  qbittorrent : Bittorrent::configureSession()+0x3015 [0x80b7f95]
  qbittorrent : Bittorrent::Bittorrent()+0xe60 [0x80bfeb0]
  qbittorrent : GUI::GUI(QWidget*, QStringList)+0x968 [0x8130848]
  qbittorrent : main()+0x1282 [0x809fe22]
  /lib/tls/i686/cmov/libc.so.6 : __libc_start_main()+0xe6 [0x12d3bd6]
  qbittorrent() [0x809b4a1]

Original issue reported on code.google.com by dch...@gmail.com on 9 Jul 2010 at 12:44

GoogleCodeExporter commented 8 years ago
Issue 113 has been merged into this issue.

Original comment by arvid.no...@gmail.com on 27 Sep 2010 at 1:02

GoogleCodeExporter commented 8 years ago
Hydri, note that I get a lot of emails/reports regarding this issue (at least 
with the backtrace in #133, in upnp::on_reply). For example:
https://bugs.launchpad.net/qbittorrent/+bug/657745

Original comment by dch...@gmail.com on 10 Oct 2010 at 3:52

GoogleCodeExporter commented 8 years ago
Full backtrace from a qBittorrent user:

(gdb) backtrace
#0  0x00007ffff459ca79 in free () from /lib/libc.so.6
#1  0x00007ffff6e01e16 in deallocate (this=0xb75290,
    from=<value optimized out>, buffer=<value optimized out>,
    bytes_transferred=<value optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/4.4.4/include/g++-v4/ext/new_allocator.h:95
#2  _M_deallocate (this=0xb75290, from=<value optimized out>,
    buffer=<value optimized out>, bytes_transferred=<value optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/4.4.4/include/g++-v4/bits/stl_vector.h:146
#3  ~_Vector_base (this=0xb75290, from=<value optimized out>,
    buffer=<value optimized out>, bytes_transferred=<value optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/4.4.4/include/g++-v4/bits/stl_vector.h:132
#4  ~vector (this=0xb75290, from=<value optimized out>,
    buffer=<value optimized out>, bytes_transferred=<value optimized out>)
    at /usr/lib/gcc/x86_64-pc-linux-gnu/4.4.4/include/g++-v4/bits/stl_vector.h:313
#5  libtorrent::upnp::on_reply (this=0xb75290, from=<value optimized out>,
    buffer=<value optimized out>, bytes_transferred=<value optimized out>)
    at upnp.cpp:398
#6  0x00007ffff6c28393 in operator() (this=0xb75338, s=0xd7bad0,
    ec=<value optimized out>, bytes_transferred=0)
    at /usr/include/boost/function/function_template.hpp:1013
#7  libtorrent::broadcast_socket::on_receive (this=0xb75338, s=0xd7bad0,
    ec=<value optimized out>, bytes_transferred=0) at broadcast_socket.cpp:341
#8  0x00007ffff6c295f4 in operator() (base=<value optimized out>)
    at /usr/include/boost/bind/mem_fn_template.hpp:393
#9  operator()<boost::_mfi::mf3<void, libtorrent::broadcast_socket,
libtorrent::broadcast_socket::socket_entry*, const
boost::system::error_code&, long unsigned int>,
boost::_bi::list2<boost::system::error_code&, long unsigned int&> > (
    base=<value optimized out>) at /usr/include/boost/bind/bind.hpp:457
#10 operator()<boost::system::error_code, long unsigned int> (
    base=<value optimized out>) at /usr/include/boost/bind/bind_template.hpp:61
#11 operator() (base=<value optimized out>)
    at /usr/include/boost/asio/detail/bind_handler.hpp:96
#12 asio_handler_invoke<boost::asio::detail::binder2<boost::_bi::bind_t<void,
boost::_mfi::mf3<void, libtorrent::broadcast_socket,
libtorrent::broadcast_socket::socket_entry*, boost::system::error_code
const&, unsigned long>,
boost::_bi::list4<boost::_bi::value<libtorrent::broadcast_socket*>,
boost::_bi::value<libtorrent::broadcast_socket::socket_entry*>,
boost::arg<1>, boost::arg<2> > >, boost::system::error_code, unsigned
long> > (base=<value optimized out>)
    at /usr/include/boost/asio/handler_invoke_hook.hpp:62
#13 invoke<boost::asio::detail::binder2<boost::_bi::bind_t<void,
boost::_mfi::mf3<void, libtorrent::broadcast_socket,
libtorrent::broadcast_socket::socket_entry*, boost::system::error_code
const&, unsigned long>, boost::_bi::list4<boost::_bi::value<libtorrent::broadcast_socket*>,
boost::_bi::value<libtorrent::broadcast_socket::socket_entry*>,
boost::arg<1>, boost::arg<2> > >, boost::system::error_code, unsigned
long>, boost::_bi::bind_t<void, boost::_mfi::mf3<void,
libtorrent::broadcast_socket,
libtorrent::broadcast_socket::socket_entry*, boost::system::error_code
const&, unsigned long>,
boost::_bi::list4<boost::_bi::value<libtorrent::broadcast_socket*>,
boost::_bi::value<libtorrent::broadcast_socket::socket_entry*>,
boost::arg<1>, boost::arg<2> > > > (base=<value optimized out>)
    at /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:41
#14 asio_handler_invoke<boost::asio::detail::binder2<boost::_bi::bind_t<void,
boost::_mfi::mf3<void, libtorrent::broadcast_socket,
libtorrent::broadcast_socket::socket_entry*, boost::system::error_code
const&, unsigned long>,
boost::_bi::list4<boost::_bi::value<libtorrent::broadcast_socket*>,
boost::_bi::value<libtorrent::broadcast_socket::socket_entry*>,
boost::arg<1>, boost::arg<2> > >, boost::system::error_code, unsigned
long>, boost::_bi::bind_t<void, boost::_mfi::mf3<void,
libtorrent::broadcast_socket,
libtorrent::broadcast_socket::socket_entry*, boost::system::error_code
const&, unsigned long>,
boost::_bi::list4<boost::_bi::value<libtorrent::broadcast_socket*>,
boost::_bi::value<libtorrent::broadcast_socket::socket_entry*>,
boost::arg<1>, boost::arg<2> > >, boost::system::error_code, unsigned
long> (base=<value optimized out>)
    at /usr/include/boost/asio/detail/bind_handler.hpp:130
#15 invoke<boost::asio::detail::binder2<boost::_bi::bind_t<void,
boost::_mfi::mf3<void, libtorrent::broadcast_socket,
libtorrent::broadcast_socket::socket_entry*, boost::system::error_code
const&, unsigned long>, boost::_bi::list4<boost::_bi::value<libtorrent::broadcast_socket*>,
boost::_bi::value<libtorrent::broadcast_socket::socket_entry*>,
boost::arg<1>, boost::arg<2> > >, boost::system::error_code, unsigned
long>, boost::asio::detail::binder2<boost::_bi::bind_t<void,
boost::_mfi::mf3<void, libtorrent::broadcast_socket,
libtorrent::broadcast_socket::socket_entry*, boost::system::error_code
const&, unsigned long>,
boost::_bi::list4<boost::_bi::value<libtorrent::broadcast_socket*>,
boost::_bi::value<libtorrent::broadcast_socket::socket_entry*>,
boost::arg<1>, boost::arg<2> > >, boost::system::error_code, unsigned
long> > (base=<value optimized out>)
    at /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:41
#16 handler_wrapper<boost::asio::detail::binder2<boost::_bi::bind_t<void,
boost::_mfi::mf3<void, libtorrent::broadcast_socket,
libtorrent::broadcast_socket::socket_entry*, boost::system::error_code
const&, unsigned long>,
boost::_bi::list4<boost::_bi::value<libtorrent::broadcast_socket*>,
boost::_bi::value<libtorrent::broadcast_socket::socket_entry*>,
boost::arg<1>, boost::arg<2> > >, boost::system::error_code, unsigned
long> >::do_call (base=<value optimized out>)
    at /usr/include/boost/asio/detail/handler_queue.hpp:192
#17 0x00007ffff6c95efe in
boost::asio::detail::task_io_service<boost::asio::detail::epoll_reactor<false>
>::run(boost::system::error_code&) ()
   from /usr/lib/libtorrent-rasterbar.so.6
#18 0x00007ffff6d41d73 in run (this=0xd79a60)
    at /usr/include/boost/asio/impl/io_service.ipp:75
#19 libtorrent::aux::session_impl::operator() (this=0xd79a60)
    at session_impl.cpp:2587
#20 0x00007ffff2d0fd97 in boost::(anonymous namespace)::thread_proxy (
    param=<value optimized out>) at libs/thread/src/pthread/thread.cpp:120
#21 0x00007ffff503cc1a in start_thread () from /lib/libpthread.so.0
#22 0x00007ffff45f6a9d in clone () from /lib/libc.so.6

Original comment by dch...@gmail.com on 17 Oct 2010 at 1:39

GoogleCodeExporter commented 8 years ago
I asked a user to recompile after disabling upnp_ignore_non_routers and it 
still crashes:
http://pastebin.ca/1967192

Original comment by dch...@gmail.com on 19 Oct 2010 at 6:25

GoogleCodeExporter commented 8 years ago
I'm not sure I trust that the recompiled version of libtorrent was in fact used 
in that test-run. Mostly because the gdb backtrace was relatively clear that it 
crashed in that if-block, and also because it seems to be a very common 
mistake/problem, that an older version of the .so is picked up.

Do you think it would be possible to get a gdb trace from this rebuilt version?

Also, I guessed at what might have been going on and checked in a patch that 
might have fixed it (shooting from the hip though). It could potentially be a 
string overflow which isn't handled properly. It's not clear why it wouldn't 
have been handled properly, but I made some extra checks. Essentially, my 
theory was that the 200 character string, which is allocated on the stack, 
is overrun and writes into the vector which is also allocated on the stack, 
which then crashes when it's being destructed.

I checked this in to trunk and RC_0_15.

Original comment by arvid.no...@gmail.com on 21 Oct 2010 at 12:55

GoogleCodeExporter commented 8 years ago
Could anyone who experiences this paste their output from the libtorrent 
example enum_net?

my theory is that if the machine has many interfaces, they won't all fit in the 
string of 200 bytes allocated for the message, and will cause it to overflow. 
The output from this tool is essentially what is added to this string, and 
would hint whether this theory is reasonable or not.

Original comment by arvid.no...@gmail.com on 21 Oct 2010 at 2:48
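As an added illustration of the theory in the two comments above (this is not libtorrent's code; the "Interface: <addr>" line format and the address list are made up for the example), here is the pattern that turns "the interfaces don't fit in 200 bytes" into a reported truncation instead of a stack overrun: a builder that checks every snprintf return value, and a size computation so the caller can allocate exactly what the interface list needs rather than guessing a fixed size.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not from the thread): addresses as enum_net would list them. */
static const char *const SAMPLE_ADDRS[] = {
    "192.168.0.10", "10.0.0.5", "fe80::1", "fe80::2", "fe80::3", "fe80::4",
    "fe80::5", "fe80::6", "fe80::7", "fe80::8", "fe80::9", "fe80::a",
};
#define SAMPLE_N (sizeof SAMPLE_ADDRS / sizeof SAMPLE_ADDRS[0])

/* Bytes (excluding the NUL) one "Interface: <addr>\r\n" line occupies. */
static size_t line_len(const char *addr) { return strlen("Interface: ") + strlen(addr) + 2; }

/* Bounded builder: appends one line per address and never writes past cap. The
 * classic defect is `used += snprintf(...)` with no check: once a line does not
 * fit, used passes cap, cap - used wraps, and the next call overruns the buffer.
 * Returns the number of lines written; *truncated tells whether all of them fit. */
size_t build_msg(char *buf, size_t cap, const char *const *addrs, size_t n, bool *truncated)
{
    size_t used = 0;
    *truncated = (n > 0);            /* assume the worst until every line is in */
    if (cap == 0) return 0;          /* no room even for the NUL */
    buf[0] = '\0';
    for (size_t i = 0; i < n; ++i) {
        int w = snprintf(buf + used, cap - used, "Interface: %s\r\n", addrs[i]);
        if (w < 0 || (size_t)w >= cap - used) { buf[used] = '\0'; return i; } /* roll back */
        used += (size_t)w;
    }
    *truncated = false;
    return n;
}

/* Bytes (including the NUL) a complete message needs: size the buffer from
 * this instead of guessing a fixed 200. */
size_t msg_bytes_needed(const char *const *addrs, size_t n)
{
    size_t total = 1;
    for (size_t i = 0; i < n; ++i) total += line_len(addrs[i]);
    return total;
}

int main(void)
{
    char buf[200]; bool trunc;
    size_t lines = build_msg(buf, sizeof buf, SAMPLE_ADDRS, SAMPLE_N, &trunc);
    printf("200-byte buffer: %zu/%zu lines, truncated=%d; a full message needs %zu bytes\n",
           lines, (size_t)SAMPLE_N, trunc, msg_bytes_needed(SAMPLE_ADDRS, SAMPLE_N));
    return 0;
}
```

With the sample list only 9 of the 12 lines fit in 200 bytes, which is exactly the situation a machine with many inet6 addresses would produce; the caller sees truncated=true instead of a corrupted stack.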

GoogleCodeExporter commented 8 years ago
> I'm not sure I trust that the recompiled version of libtorrent was in fact 
used in that test-run. Mostly because the gdb backtrace was relatively clear 
that it crashed in that if-block, and also because it seems to be a very common 
mistake/problem, that an older version of the .so is picked up.

Hmmm. :) I sent the user a patch for qBittorrent, not libtorrent. It was easier 
for the user. Also, this user does not seem to be a beginner. It is unlikely to 
be his problem. I asked for a gdb backtrace so that we can have a look at the 
line numbers.

Original comment by dch...@gmail.com on 21 Oct 2010 at 5:03

GoogleCodeExporter commented 8 years ago
ok, great! thanks!

Original comment by arvid.no...@gmail.com on 21 Oct 2010 at 6:22

GoogleCodeExporter commented 8 years ago
Actually, a Wireshark dump of the conversation with the router would probably 
be quite helpful as well!

Original comment by arvid.no...@gmail.com on 22 Oct 2010 at 8:22

GoogleCodeExporter commented 8 years ago
Could you please provide the actual command? I have little experience with 
Wireshark.

Original comment by dch...@gmail.com on 22 Oct 2010 at 8:34

GoogleCodeExporter commented 8 years ago
Capture on your main interface (the one connected to the router), and filter 
the traffic to only the one directed to and from the router. This requires you 
to know the router's IP. Typically it would be something like 10.0.0.1, 
10.0.1.1 or 192.168.0.1. In the capture filter, enter: "host <IP>" where <IP> is 
your router's IP address.

Original comment by arvid.no...@gmail.com on 22 Oct 2010 at 9:12

GoogleCodeExporter commented 8 years ago
I had a crash on start. I ran ifconfig and saw a lot of inet6 lines in there, 
restarted the network to get rid of them, and the crash disappeared.

Original comment by iggyn...@gmail.com on 5 Dec 2011 at 5:53