[Libwebsockets] Settings Frame size above max / Flow control exceeded max

Andreas Lobbes Andreas.Lobbes at thinprint.com
Mon Jul 8 10:31:39 CEST 2019


Hi Andy,

that patch causes a SIGFPE interrupt, presumably division by zero.
A proper strace output is a bit difficult to produce. Because of the callbacks
it is unclear what calls are done by the lib and what calls are done by me.
Right before the crash some poll() calls are made,

poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 1 ([{fd=8, revents=POLLIN}])

then some read

read(8, "\27\3\3\0\374", 5)             = 5
read(8, "r\"\237\347x\37u\317T\266\1f\256\371\204\v#\305g\23Y.\5%\275\346@\352j\232\210\241"..., 252) = 252

then this:

munmap(0x7f4c064a9000, 135168)          = 0

and then

--- SIGFPE {si_signo=SIGFPE, si_code=FPE_INTDIV, si_addr=0x7f4c05dfbff5} ---
+++ killed by SIGFPE +++

In between there are a lot of calls to rt_sigprocmask() and stat("/etc/localtime").

Regards,
Andreas

________________________________________
From: Andy Green [andy at warmcat.com]
Sent: Monday, July 08, 2019 9:48 AM
To: Andreas Lobbes; libwebsockets at ml.libwebsockets.org
Subject: Re: [Libwebsockets] Settings Frame size above max / Flow control exceeded max

On 7/8/19 8:19 AM, Andreas Lobbes wrote:

> 2019-07-08 09:06:46 INF http2 settings 4 <- 0x10000

...

> 2019-07-08 09:06:46 INF lws_wsi_server_new: 0x555dc7a20a20 new ch 0x555dc7a39640, sid 1, usersp=(nil), tx cr 65536, peer_credit 65535 (nwsi tx_cr 65536)

...

> 2019-07-08 09:06:46 INF WINDOW_UPDATE: sid 0 2147418112 (0x7fff0000)

... the peer sure looks unreasonable.  It told us to use 0x10000 as the
initial tx credit which we did, and then it added 0x7fff0000 to it
before we sent any payload... it overflows the 32-bit signed space
allowed for it.

What happens if you add a hack to force that to be corrected to not
overflow?

diff --git a/lib/roles/h2/http2.c b/lib/roles/h2/http2.c
index d819a0f5c..229c5bb70 100644
--- a/lib/roles/h2/http2.c
+++ b/lib/roles/h2/http2.c
@@ -1584,6 +1584,10 @@ lws_h2_parse_end_of_frame(struct lws *wsi)
                         break; /* ignore */
                 }

+               if ((uint64_t)eff_wsi->h2.tx_cr +
(uint64_t)h2n->hpack_e_dep >
+                   (uint64_t)0x7fffffff)
+                       h2n->hpack_e_dep = 0x7fffffff - eff_wsi->h2.tx_cr;
+
                 if ((uint64_t)eff_wsi->h2.tx_cr +
(uint64_t)h2n->hpack_e_dep >
                     (uint64_t)0x7fffffff) {
                         if (h2n->sid)
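Review bot: the clamp inserted at the top of this hunk makes the overflow check directly below it (`if ((uint64_t)eff_wsi->h2.tx_cr + (uint64_t)h2n->hpack_e_dep > (uint64_t)0x7fffffff)`) unreachable, so the `if (h2n->sid)` error path that used to reject a peer pushing the window past 2^31-1 is silently bypassed; if the hack is meant to stay, either drop the now-dead check or make the clamp conditional and add a comment saying that a non-compliant WINDOW_UPDATE is being tolerated rather than rejected. Also, when `tx_cr` already equals 0x7fffffff the clamp sets `hpack_e_dep` to 0, and a zero increment is itself something RFC 7540 section 6.9 requires the receiver to treat as an error; given the FPE_INTDIV crash reported above, it is worth checking that this zero cannot reach later arithmetic.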


-Andy
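An added example, not code from libwebsockets or from this thread, applying the RFC 7540 window-update rule to the numbers in the quoted log: the connection-level window (sid 0) has a fixed initial size of 65535 that SETTINGS_INITIAL_WINDOW_SIZE does not change, so 65535 + 0x7fff0000 lands exactly on the 2^31-1 limit, while 0x10000 + 0x7fff0000 exceeds it and must be rejected with FLOW_CONTROL_ERROR. The function and enum names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of applying a WINDOW_UPDATE increment (RFC 7540 section 6.9) */
enum h2_fc_result {
    H2_FC_OK = 0,
    H2_FC_PROTOCOL_ERROR,       /* increment of 0 */
    H2_FC_FLOW_CONTROL_ERROR    /* window would exceed 2^31 - 1 */
};

#define H2_MAX_WINDOW 0x7fffffffLL   /* 2^31 - 1, RFC 7540 section 6.9.1 */

/* Apply an increment to a flow-control window; the window is only
 * modified when the update is legal. */
enum h2_fc_result h2_apply_window_update(int32_t *window, uint32_t increment)
{
    increment &= 0x7fffffffu;            /* the field is 31 bits wide */
    if (increment == 0)
        return H2_FC_PROTOCOL_ERROR;

    /* do the check in 64 bits so the check itself cannot overflow */
    int64_t updated = (int64_t)*window + (int64_t)increment;
    if (updated > H2_MAX_WINDOW)
        return H2_FC_FLOW_CONTROL_ERROR;

    *window = (int32_t)updated;
    return H2_FC_OK;
}

/* Start from `initial`, apply `increment`, return the new window or -1
 * if the update had to be rejected. */
int32_t h2_window_after(int32_t initial, uint32_t increment)
{
    int32_t w = initial;
    if (h2_apply_window_update(&w, increment) != H2_FC_OK)
        return -1;
    return w;
}

int main(void)
{
    /* The connection window (sid 0) starts at 65535 regardless of
     * SETTINGS_INITIAL_WINDOW_SIZE; the logged 0x7fff0000 fits exactly. */
    printf("65535   + 0x7fff0000 -> %d\n", h2_window_after(65535, 0x7fff0000u));
    /* Adding the same increment to 0x10000 (the SETTINGS value) overflows. */
    printf("0x10000 + 0x7fff0000 -> %d\n", h2_window_after(0x10000, 0x7fff0000u));
    return 0;
}
```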

