mt-daapd server crashes when requesting a scanpa
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mt-daapd (Debian) | Fix Released | Unknown | | |
| mt-daapd (Ubuntu) | | Medium | Unassigned | |
Bug Description
Binary package hint: mt-daapd
By requesting a metadata scan through mt-daapd's web interface, I can crash the mt-daapd process.
I see the following in the log output (using 'sudo mt-daapd -D webserver -d -f'):
Thread 12:
Request: POST /xml-rpc HTTP/1.1
Thread 12: Read: User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.25-rc7-p2; X11; ppc) KHTML/3.5.9 (like Gecko) (Kubuntu package 4:3.5.9-0ubuntu5)
Thread 12: Adding header *User-Agent=
Added *User-Agent=
Thread 12: Read: Referer: http://
Thread 12: Adding header *Referer=http://
Added *Referer=http://
Thread 12: Read: Pragma: no-cache
Thread 12: Adding header *Pragma=no-cache*
Added *Pragma=no-cache*
Thread 12: Read: Cache-control: no-cache
Thread 12: Adding header *Cache-
Added *Cache-
Thread 12: Read: Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
Thread 12: Adding header *Accept=text/html, image/jpeg, image/png, text/*, image/*, */**
Added *Accept=text/html, image/jpeg, image/png, text/*, image/*, */**
Thread 12: Read: Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Thread 12: Adding header *Accept-
Added *Accept-
Thread 12: Read: Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Thread 12: Adding header *Accept-
Added *Accept-
Thread 12: Read: Accept-Language: en
Thread 12: Adding header *Accept-
Added *Accept-
Thread 12: Read: Host: pokey:3689
Thread 12: Adding header *Host=pokey:3689*
Added *Host=pokey:3689*
Thread 12: Read: connection: close
Thread 12: Adding header *connection=close*
Added *connection=close*
Thread 12: Read: x-prototype-
Thread 12: Adding header *x-prototype-
Added *x-prototype-
Thread 12: Read: x-requested-with: XMLHttpRequest
Thread 12: Adding header *x-requested-
Added *x-requested-
Thread 12: Read: Content-type: application/
Thread 12: Adding header *Content-
Added *Content-
Thread 12: Read: Authorization: Basic YWRtaW46ZGVhbDl
Thread 12: Adding header *Authorization=
Added *Authorization=
Thread 12: Read: Connection: Keep-Alive
Thread 12: Adding header *Connection=
Updating Connection from close to Keep-Alive
Thread 12: Out of memory
Aborting
Rendezvous socket closed (daap server crashed?) Aborting.
Aborting
Fix:
It looks like the browser is sending two 'Connection:' headers (one in lowercase). This is triggering a bug where the ws_addarg() updates (rather than inserts) a new header. This condition includes an incorrect return value. The caller assumes that the ws_addarg failed, so exits with the out of memory message.
Patch attached, also sent upstream.
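The failure mode described in the report, as an added C example that is neither mt-daapd's code nor the attached patch: an add-or-update helper whose update branch returns the failure value, so a caller that treats any failure as "Out of memory" aborts on a duplicate header. All names (`hdr_add`, `parse_headers`, the `buggy` flag) and the 0/-1 return convention are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header list, not mt-daapd's own structures. */
struct hdr { char *key, *val; struct hdr *next; };

static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    if (d) strcpy(d, s);
    return d;
}

/* HTTP header names are case-insensitive: "connection" == "Connection". */
static int same_name(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Insert or update a header. Contract: 0 = success, -1 = allocation failure.
 * With buggy != 0 the update branch returns -1 although it succeeded
 * (assumed values illustrating the defect the report describes). */
static int hdr_add(struct hdr **list, const char *key, const char *val, int buggy) {
    struct hdr *e;
    char *v = dup_str(val);
    if (!v) return -1;
    for (e = *list; e; e = e->next)
        if (same_name(e->key, key)) {   /* duplicate name: update in place */
            free(e->val);
            e->val = v;
            return buggy ? -1 : 0;
        }
    e = malloc(sizeof *e);
    if (!e || !(e->key = dup_str(key))) { free(e); free(v); return -1; }
    e->val = v; e->next = *list; *list = e;
    return 0;
}

/* Feed constructed headers; -1 is where a caller would abort with "Out of memory". */
int parse_headers(int buggy) {
    static const char *in[][2] = { {"Host", "pokey:3689"},
        {"connection", "close"}, {"Connection", "Keep-Alive"} };
    struct hdr *list = NULL, *n;
    int rc = 0;
    for (size_t i = 0; i < 3 && rc == 0; i++)
        rc = hdr_add(&list, in[i][0], in[i][1], buggy);
    for (; list; list = n) { n = list->next; free(list->key); free(list->val); free(list); }
    return rc;
}
```

A regression test that sends the same header twice with different casing exercises the update branch that this report found untested.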
Jeremy Kerr (jk-ozlabs) wrote : | #1 |
Daniel T Chen (crimsun) wrote : | #2 |
Changed in mt-daapd: | |
importance: | Undecided → Medium |
status: | New → Triaged |
Adam Buchbinder (adam-buchbinder) wrote : | #3 |
I can't reproduce this on mt-daapd 0.9~r1696.dfsg-2 on Intrepid. I ran the server from the command line (though the syntax is 'sudo mt-daapd -D webserver -d 9 -f', maybe changed since the original report?), and tried (a) telnetting to the server and pasting in the offending headers, and (b) opening the web interface and forcing an update.
Checking the sources, this is because the patch was incorporated in version 0.9~r1696-4. (The bug was also reported to Debian, and patched in their sources first.)
Changed in mt-daapd: | |
status: | Triaged → Fix Released |
Changed in mt-daapd (Debian): | |
status: | Unknown → Fix Released |
Is this symptom still reproducible in 8.10 or 9.04?