mt-daapd server crashes when requesting a scanpa

Bug #210048 reported by Jeremy Kerr on 2008-04-01
4
Affects Status Importance Assigned to Milestone
mt-daapd (Debian)
Fix Released
Unknown
mt-daapd (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: mt-daapd

By requesting a metadata scan through mt-daapd's web interface, I can crash the mt-daapd process.

I see the following in the log output (using 'sudo mt-daapd -D webserver -d -f'):

Thread 12:
Request: POST /xml-rpc HTTP/1.1
Thread 12: Read: User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.25-rc7-p2; X11; ppc) KHTML/3.5.9 (like Gecko) (Kubuntu package 4:3.5.9-0ubuntu5)
Thread 12: Adding header *User-Agent=Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.25-rc7-p2; X11; ppc) KHTML/3.5.9 (like Gecko) (Kubuntu package 4:3.5.9-0ubuntu5)*
Added *User-Agent=Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.25-rc7-p2; X11; ppc) KHTML/3.5.9 (like Gecko) (Kubuntu package 4:3.5.9-0ubuntu5)*
Thread 12: Read: Referer: http://pokey:3689/index.html
Thread 12: Adding header *Referer=http://pokey:3689/index.html*
Added *Referer=http://pokey:3689/index.html*
Thread 12: Read: Pragma: no-cache
Thread 12: Adding header *Pragma=no-cache*
Added *Pragma=no-cache*
Thread 12: Read: Cache-control: no-cache
Thread 12: Adding header *Cache-control=no-cache*
Added *Cache-control=no-cache*
Thread 12: Read: Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
Thread 12: Adding header *Accept=text/html, image/jpeg, image/png, text/*, image/*, */**
Added *Accept=text/html, image/jpeg, image/png, text/*, image/*, */**
Thread 12: Read: Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Thread 12: Adding header *Accept-Encoding=x-gzip, x-deflate, gzip, deflate*
Added *Accept-Encoding=x-gzip, x-deflate, gzip, deflate*
Thread 12: Read: Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Thread 12: Adding header *Accept-Charset=utf-8, utf-8;q=0.5, *;q=0.5*
Added *Accept-Charset=utf-8, utf-8;q=0.5, *;q=0.5*
Thread 12: Read: Accept-Language: en
Thread 12: Adding header *Accept-Language=en*
Added *Accept-Language=en*
Thread 12: Read: Host: pokey:3689
Thread 12: Adding header *Host=pokey:3689*
Added *Host=pokey:3689*
Thread 12: Read: connection: close
Thread 12: Adding header *connection=close*
Added *connection=close*
Thread 12: Read: x-prototype-version: 1.4.0
Thread 12: Adding header *x-prototype-version=1.4.0*
Added *x-prototype-version=1.4.0*
Thread 12: Read: x-requested-with: XMLHttpRequest
Thread 12: Adding header *x-requested-with=XMLHttpRequest*
Added *x-requested-with=XMLHttpRequest*
Thread 12: Read: Content-type: application/x-www-form-urlencoded
Thread 12: Adding header *Content-type=application/x-www-form-urlencoded*
Added *Content-type=application/x-www-form-urlencoded*
Thread 12: Read: Authorization: Basic YWRtaW46ZGVhbDlwcmljeQ==
Thread 12: Adding header *Authorization=Basic YWRtaW46ZGVhbDlwcmljeQ==*
Added *Authorization=Basic YWRtaW46ZGVhbDlwcmljeQ==*
Thread 12: Read: Connection: Keep-Alive
Thread 12: Adding header *Connection=Keep-Alive*
Updating Connection from close to Keep-Alive
Thread 12: Out of memory
Aborting
Rendezvous socket closed (daap server crashed?) Aborting.
Aborting

Fix:

It looks like the browser is sending two 'Connection:' headers (one in lowercase). This is triggerring a bug where the ws_addarg() updates (rather than inserts) a new header. This condition includes an incorrect return value. The caller assumes that the ws_addarg failed, so exits with the out of memory message.

Patch attached, also sent upstream.

Jeremy Kerr (jk-ozlabs) wrote :
Daniel T Chen (crimsun) wrote :

Is this symptom still reproducible in 8.10 or 9.04?

Changed in mt-daapd:
importance: Undecided → Medium
status: New → Triaged

I can't reproduce this on mt-daapd 0.9~r1696.dfsg-2 on Intrepid. I ran the server from the command line (though the syntax is 'sudo mt-daapd -D webserver -d 9 -f', maybe changed since the original report?), and tried (a) telnetting to the server and pasting in the offending headers, and (b) opening the web interface and forcing an update.

Checking the sources, this is because the patch was incorporated in version 0.9~r1696-4. (The bug was also reported to Debian, and patched in their sources first.)

Changed in mt-daapd:
status: Triaged → Fix Released
Changed in mt-daapd (Debian):
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.