[Libwebsockets] Settings Frame size above max / Flow control exceeded max

Andy Green andy at warmcat.com
Mon Jul 8 10:39:05 CEST 2019



On 7/8/19 9:31 AM, Andreas Lobbes wrote:
> Hi Andy,
> 
> that patch causes a SIGFPE interrupt, presumably division by zero.

gdb will give better info than strace for this kind of thing.  Probably 
even valgrind will do better.  Build with cmake .. 
-DCMAKE_BUILD_TYPE=DEBUG for meaningful backtraces.

> A proper strace output is a bit difficult to produce. Because of the callbacks
> it is unclear what calls are done by the lib and what calls are done by me.
> Right before the crash some poll() calls are made,
> 
> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 1 ([{fd=8, revents=POLLIN}])
> 
> then some read
> 
> read(8, "\27\3\3\0\374", 5)             = 5
> read(8, "r\"\237\347x\37u\317T\266\1f\256\371\204\v#\305g\23Y.\5%\275\346@\352j\232\210\241"..., 252) = 252
> 
> then this:
> 
> munmap(0x7f4c064a9000, 135168)          = 0
> 
> and then
> 
> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_INTDIV, si_addr=0x7f4c05dfbff5} ---
> +++ killed by SIGFPE +++
> 
> in between there are a lot of calls to rt_sigprocmask(), and stat("/etc/localtime")..

What is the peer that is making the trouble?  Something I can access?

-Andy

> Regards,
> Andreas
> 
> ________________________________________
> From: Andy Green [andy at warmcat.com]
> Sent: Monday, July 08, 2019 9:48 AM
> To: Andreas Lobbes; libwebsockets at ml.libwebsockets.org
> Subject: Re: [Libwebsockets] Settings Frame size above max / Flow control exceeded max
> 
> On 7/8/19 8:19 AM, Andreas Lobbes wrote:
> 
>> 2019-07-08 09:06:46 INF http2 settings 4 <- 0x10000
> 
> ...
> 
>> 2019-07-08 09:06:46 INF lws_wsi_server_new: 0x555dc7a20a20 new ch 0x555dc7a39640, sid 1, usersp=(nil), tx cr 65536, peer_credit 65535 (nwsi tx_cr 65536)
> 
> ...
> 
>> 2019-07-08 09:06:46 INF WINDOW_UPDATE: sid 0 2147418112 (0x7fff0000)
> 
> ... the peer sure looks unreasonable.  It told us to use 0x10000 as the
> initial tx credit which we did, and then it added 0x7fff0000 to it
> before we sent any payload... it overflows the 32-bit signed space
> allowed for it.
> 
> What happens if you add a hack to force that to be corrected to not
> overflow?
> 
> diff --git a/lib/roles/h2/http2.c b/lib/roles/h2/http2.c
> index d819a0f5c..229c5bb70 100644
> --- a/lib/roles/h2/http2.c
> +++ b/lib/roles/h2/http2.c
> @@ -1584,6 +1584,10 @@ lws_h2_parse_end_of_frame(struct lws *wsi)
>                           break; /* ignore */
>                   }
> 
> +               if ((uint64_t)eff_wsi->h2.tx_cr +
> (uint64_t)h2n->hpack_e_dep >
> +                   (uint64_t)0x7fffffff)
> +                       h2n->hpack_e_dep = 0x7fffffff - eff_wsi->h2.tx_cr;
> +
>                   if ((uint64_t)eff_wsi->h2.tx_cr +
> (uint64_t)h2n->hpack_e_dep >
>                       (uint64_t)0x7fffffff) {
>                           if (h2n->sid)
> 
> 
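
Review bot: The added clamp on h2n->hpack_e_dep sits directly above the existing `tx_cr + hpack_e_dep > 0x7fffffff` test, so that test can no longer be true and the error path under it (the `if (h2n->sid)` branch) becomes dead code. An over-limit WINDOW_UPDATE is then accepted silently, whereas RFC 7540 section 6.9.1 requires it to be treated as a flow-control error. If this is only a diagnostic hack, log when the clamp fires and keep it out of the tree. The clamp also yields hpack_e_dep == 0 when tx_cr is already 0x7fffffff. The type of tx_cr is not visible in this hunk. If it is signed and can be negative, `0x7fffffff - eff_wsi->h2.tx_cr` can exceed a 31-bit increment, so doing the sum and comparison in int64_t would be safer than the (uint64_t) casts. With the logged values, 0x10000 + 0x7fff0000 is 0x80000000, exactly one over the limit, so the clamp would trim the increment by 1 and hide why the sum is off.
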
> -Andy
> 
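
The flow-control arithmetic discussed in this thread, as an added example that is not part of the original messages and is not libwebsockets code: a stand-alone C check that applies a WINDOW_UPDATE increment to a signed 32-bit send window under the RFC 7540 section 6.9 rules, run on the increment and the two window values (65536 and 65535) that appear in the quoted log. The names h2_apply_window_update and h2_wu_result are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; this is not the libwebsockets API. */
#define H2_MAX_WINDOW INT64_C(0x7fffffff) /* 2^31 - 1, RFC 7540 6.9.1 */

enum h2_wu_result {
	H2_WU_OK,
	H2_WU_PROTOCOL_ERROR,     /* increment of 0 */
	H2_WU_FLOW_CONTROL_ERROR  /* window would exceed 2^31 - 1 */
};

/*
 * Apply a WINDOW_UPDATE to a send window. The window is signed because a
 * SETTINGS_INITIAL_WINDOW_SIZE change may drive a stream window negative.
 * On error the window is left untouched so the caller can reset the stream
 * (sid != 0) or close the connection (sid == 0).
 */
enum h2_wu_result
h2_apply_window_update(int32_t *tx_cr, uint32_t raw_increment)
{
	uint32_t inc = raw_increment & 0x7fffffffu; /* top bit is reserved */
	int64_t sum;

	if (inc == 0)
		return H2_WU_PROTOCOL_ERROR;

	sum = (int64_t)*tx_cr + (int64_t)inc; /* widen before adding */
	if (sum > H2_MAX_WINDOW)
		return H2_WU_FLOW_CONTROL_ERROR;

	*tx_cr = (int32_t)sum;
	return H2_WU_OK;
}

int main(void)
{
	/* Constructed inputs: the two window values and the increment
	 * that appear in the log quoted in the thread. */
	int32_t starts[] = { 65536, 65535 };
	uint32_t inc = 0x7fff0000u;

	for (int i = 0; i < 2; i++) {
		int32_t w = starts[i];
		enum h2_wu_result r = h2_apply_window_update(&w, inc);
		printf("start %d + 0x%x -> result %d, window 0x%x\n",
		       starts[i], inc, (int)r, (unsigned)w);
	}
	return 0;
}
```

Rejecting the update instead of clamping keeps the overflow visible to the caller, which can then log the peer's values and pick the stream or connection error.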

