[Libwebsockets] Settings Frame size above max / Flow control exceeded max

Andy Green andy at warmcat.com
Mon Jul 8 11:21:48 CEST 2019



On 7/8/19 9:58 AM, Andreas Lobbes wrote:
> 
> Program received signal SIGFPE, Arithmetic exception.
> 0x00007ffff792dff5 in lws_dynamic_token_insert (len=13,
>      arg=0x55555579d8d0 "nginx/1.15.10", lws_hdr_index=65, hdr_len=6,
>      wsi=<optimized out>)
>      at lib/roles/h2/hpack.c:507
> 507		new_index = (dyn->pos) % dyn->num_entries;
> 
> All entries in dyn have zero value

What actually is this peer?  Something behind nginx but what?  It'll be 
quicker if I can get these problems in my face.

Can you also paste the verbose logs up to the crash point?

-Andy

> (gdb) bt
> #0  0x00007ffff792dff5 in lws_dynamic_token_insert (len=13,
>      arg=0x55555579d8d0 "nginx/1.15.10", lws_hdr_index=65, hdr_len=6,
>      wsi=<optimized out>)
>      at lib/roles/h2/hpack.c:507
> #1  lws_hpack_interpret (wsi=0x5555557b8070, c=<optimized out>, c@entry=63 '?')
>      at lib/roles/h2/hpack.c:1257
> #2  0x00007ffff792b0ca in lws_h2_parser (wsi=wsi@entry=0x55555579d140,
>      in=0x55555577f437 "a\226\320z\276\224\003\312e\266\205\004",
>      in@entry=0x55555577f420 "", inlen=205, inlen@entry=228,
>      inused=inused@entry=0x7fffffff96f8)
>      at lib/roles/h2/http2.c:1778
> #3  0x00007ffff792d2ed in lws_read_h2 (wsi=wsi@entry=0x55555579d140,
>      buf=0x55555577f420 "", len=228)
>      at lib/roles/h2/http2.c:2336
> #4  0x00007ffff7930dee in rops_handle_POLLIN_h2 (pt=0x55555577f1a8,
>      wsi=0x55555579d140, pollfd=0x555555780438)
>      at lib/roles/h2/ops-h2.c:261
> #5  0x00007ffff791526d in lws_service_fd_tsi (
> ---Type <return> to continue, or q <return> to quit---
>      context=context@entry=0x55555577f0e0, pollfd=0x555555780438,
>      tsi=tsi@entry=0)
>      at lib/core/service.c:1022
> #6  0x00007ffff7931c71 in _lws_plat_service_tsi (context=0x55555577f0e0,
>      timeout_ms=<optimized out>, tsi=tsi@entry=0)
>      at lib/plat/unix/unix-service.c:168
> #7  0x00007ffff7931e57 in lws_plat_service (context=<optimized out>,
>      timeout_ms=<optimized out>)
>      at lib/plat/unix/unix-service.c:193
> #8  0x00007ffff791541d in lws_service (context=0x55555577f0e0,
>      timeout_ms=<optimized out>)
>      at lib/core/service.c:1092
> 
> Andreas
> ________________________________________
> From: Andy Green [andy at warmcat.com]
> Sent: Monday, July 08, 2019 10:39 AM
> To: Andreas Lobbes; libwebsockets at ml.libwebsockets.org
> Subject: Re: [Libwebsockets] Settings Frame size above max / Flow control exceeded max
> 
> On 7/8/19 9:31 AM, Andreas Lobbes wrote:
>> Hi Andy,
>>
>> that patch causes a SIGFPE interrupt, presumably division by zero.
> 
> gdb will give better info than strace for this kind of thing.  Probably
> even valgrind will do better.  Build with cmake ..
> -DCMAKE_BUILD_TYPE=DEBUG for meaningful backtraces.
> 
>> A proper strace output is a bit difficult to produce. Because of the callbacks
>> it is unclear what calls are done by the lib and what calls are done by me.
>> Right before the crash some poll() calls are made,
>>
>> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
>> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
>> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 0 (Timeout)
>> poll([{fd=6, events=POLLIN}, {fd=8, events=POLLIN}], 2, 50) = 1 ([{fd=8, revents=POLLIN}])
>>
>> then some read
>>
>> read(8, "\27\3\3\0\374", 5)             = 5
>> read(8, "r\"\237\347x\37u\317T\266\1f\256\371\204\v#\305g\23Y.\5%\275\346@\352j\232\210\241"..., 252) = 252
>>
>> then this:
>>
>> munmap(0x7f4c064a9000, 135168)          = 0
>>
>> and then
>>
>> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_INTDIV, si_addr=0x7f4c05dfbff5} ---
>> +++ killed by SIGFPE +++
>>
>> in between there are a lot of calls to rt_sigprocmask(), and stat("/etc/localtime")..
> 
> What is the peer that is making the trouble?  Something I can access?
> 
> -Andy
> 
>> Regards,
>> Andreas
>>
>> ________________________________________
>> From: Andy Green [andy at warmcat.com]
>> Sent: Monday, July 08, 2019 9:48 AM
>> To: Andreas Lobbes; libwebsockets at ml.libwebsockets.org
>> Subject: Re: [Libwebsockets] Settings Frame size above max / Flow control exceeded max
>>
>> On 7/8/19 8:19 AM, Andreas Lobbes wrote:
>>
>>> 2019-07-08 09:06:46 INF http2 settings 4 <- 0x10000
>>
>> ...
>>
>>> 2019-07-08 09:06:46 INF lws_wsi_server_new: 0x555dc7a20a20 new ch 0x555dc7a39640, sid 1, usersp=(nil), tx cr 65536, peer_credit 65535 (nwsi tx_cr 65536)
>>
>> ...
>>
>>> 2019-07-08 09:06:46 INF WINDOW_UPDATE: sid 0 2147418112 (0x7fff0000)
>>
>> ... the peer sure looks unreasonable.  It told us to use 0x10000 as the
>> initial tx credit which we did, and then it added 0x7fff0000 to it
>> before we sent any payload... it overflows the 32-bit signed space
>> allowed for it.
>>
>> What happens if you add a hack to force that to be corrected to not
>> overflow?
>>
>> diff --git a/lib/roles/h2/http2.c b/lib/roles/h2/http2.c
>> index d819a0f5c..229c5bb70 100644
>> --- a/lib/roles/h2/http2.c
>> +++ b/lib/roles/h2/http2.c
>> @@ -1584,6 +1584,10 @@ lws_h2_parse_end_of_frame(struct lws *wsi)
>>                            break; /* ignore */
>>                    }
>>
>> +               if ((uint64_t)eff_wsi->h2.tx_cr +
>> (uint64_t)h2n->hpack_e_dep >
>> +                   (uint64_t)0x7fffffff)
>> +                       h2n->hpack_e_dep = 0x7fffffff - eff_wsi->h2.tx_cr;
>> +
>>                    if ((uint64_t)eff_wsi->h2.tx_cr +
>> (uint64_t)h2n->hpack_e_dep >
>>                        (uint64_t)0x7fffffff) {
>>                            if (h2n->sid)
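Review bot: In the added block, clamping `h2n->hpack_e_dep` to `0x7fffffff - eff_wsi->h2.tx_cr` makes the existing check immediately below it unreachable, since after the clamp the sum can no longer exceed 0x7fffffff, so an oversized WINDOW_UPDATE is silently accepted instead of reaching the error branch. If this is kept beyond a diagnostic experiment, log when the clamp fires and put it behind a debug or compatibility switch. Also, both comparisons cast `tx_cr` to `uint64_t`; if `tx_cr` is a signed type and can go negative, the cast yields a huge value and the condition is true for any increment, so forming the sum in `int64_t` would be safer.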
>>
>>
>> -Andy
>>
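The overflow check discussed in this thread, as an added example that is not part of the original messages or of libwebsockets: a hypothetical helper `h2_apply_window_update` applies a WINDOW_UPDATE increment to a signed tx window and reports an error, rather than clamping, when the result would exceed 2^31-1 (RFC 7540 section 6.9.1). All function and enum names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define H2_MAX_WINDOW 0x7fffffff /* 2^31 - 1, RFC 7540 section 6.9.1 */

enum h2_credit_result {
	H2_CREDIT_OK,
	H2_CREDIT_PROTOCOL_ERROR,    /* increment of 0 */
	H2_CREDIT_FLOW_CONTROL_ERROR /* window would exceed 2^31 - 1 */
};

/*
 * Hypothetical helper (not libwebsockets code): add a WINDOW_UPDATE
 * increment to a signed tx window. A window may be negative, so the sum
 * is formed in int64_t; casting the window to an unsigned type would turn
 * a negative value into a huge one and trip the limit check wrongly.
 */
static enum h2_credit_result
h2_apply_window_update(int32_t *window, uint32_t increment)
{
	int64_t sum;

	increment &= 0x7fffffffu; /* top bit of the field is reserved */
	if (increment == 0)
		return H2_CREDIT_PROTOCOL_ERROR;

	sum = (int64_t)*window + (int64_t)increment;
	if (sum > H2_MAX_WINDOW)
		return H2_CREDIT_FLOW_CONTROL_ERROR; /* window left unchanged */

	*window = (int32_t)sum;
	return H2_CREDIT_OK;
}

int main(void)
{
	/* Constructed inputs: 65536 and 0x7fff0000 are the tx credit and the
	 * increment in the log quoted above; 65535 is the protocol's default
	 * initial window size, shown as the boundary case. */
	int32_t starts[] = { 65536, 65535, -100 };
	size_t i;

	for (i = 0; i < sizeof(starts) / sizeof(starts[0]); i++) {
		int32_t w = starts[i];
		int r = h2_apply_window_update(&w, 0x7fff0000u);
		printf("start %d -> result %d, window %d\n", (int)starts[i], r, (int)w);
	}
	return 0;
}
```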

