[Libwebsockets] [libwebsockets] #28: Crash due to file descriptor being accessed from union storing header data

Trac trac at libwebsockets.org
Mon May 6 10:13:45 CEST 2013


#28: Crash due to file descriptor being accessed from union storing header data
------------------------------------+--------------------------------
  Reporter:  simonwulf              |      Owner:  agreen
      Type:  defect                 |     Status:  new
  Priority:  critical               |  Milestone:
 Component:  libwebsockets library  |    Version:
Resolution:                         |   Keywords:  server union crash
------------------------------------+--------------------------------

Comment (by simonwulf):

 I can reproduce it, but not consistently. It seems to happen about a third
 of the time. The times when the crash does not occur, the if statement on
 line 209 in libwebsockets.c is executed when the client page is loaded (is
 this part of the upgrade procedure or something that should happen for
 every http-request?).

 When the crash DOES occur, the if statement is not executed until shutdown
 and the file descriptor seems to hold a garbage value. I can't really make
 out if the union is supposed to hold something else. My best guess is that
 it's being used as a _lws_websocket_related with rx_user_buffer holding a
 pointer to an empty string and everything else being set to 0, the file
 descriptor is then being read as the decimal value of the buffer pointer.

-- 
Ticket URL: <http://libwebsockets.org/trac/ticket/28#comment:14>
libwebsockets <http://libwebsockets.org>
libwebsockets C library
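
The failure mode guessed at in the comment above (a file descriptor read out of a union that currently holds websocket state) is shown here as an added example; it is not part of the original message and is not libwebsockets code. The struct layout, the mode tag and all function names are hypothetical; only the field name rx_user_buffer comes from the ticket.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified layout; NOT libwebsockets' real structures. */
enum conn_mode { MODE_HTTP_FILE, MODE_WS };   /* says which union member is live */

struct http_part { int fd; };                 /* file being served over HTTP */
struct ws_part   { char *rx_user_buffer; };   /* field name taken from the ticket */

struct conn {
    enum conn_mode mode;
    union { struct http_part http; struct ws_part ws; } u;
};

static char empty_string[] = "";              /* constructed sample data */

void conn_become_http(struct conn *c, int fd)
{
    memset(&c->u, 0, sizeof c->u);
    c->mode = MODE_HTTP_FILE;
    c->u.http.fd = fd;
}

/* After this call the union's storage holds a pointer, not an fd. */
void conn_become_ws(struct conn *c)
{
    memset(&c->u, 0, sizeof c->u);
    c->mode = MODE_WS;
    c->u.ws.rx_user_buffer = empty_string;
}

/* What an unguarded read of u.http.fd sees: the first bytes of whatever
 * member is live (memcpy keeps the demonstration well defined). */
int conn_fd_unchecked(const struct conn *c)
{
    int fd;
    memcpy(&fd, &c->u, sizeof fd);
    return fd;
}

/* Guarded accessor: report an fd only when the union really holds one. */
int conn_fd_checked(const struct conn *c)
{
    return c->mode == MODE_HTTP_FILE ? c->u.http.fd : -1;
}

int main(void)
{
    struct conn c;
    conn_become_ws(&c);
    printf("unchecked=%d checked=%d\n", conn_fd_unchecked(&c), conn_fd_checked(&c));
    return 0;
}
```

A shutdown path that closes the descriptor only when the guarded accessor returns a non-negative value never passes pointer bytes to close().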


