nng_recvmsg returns NULL msg when receiving massive QoS 2 #15

Closed
JaylinYu opened this issue Feb 4, 2022 · 0 comments
Comments

JaylinYu commented Feb 4, 2022

==274546==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000179630 at pc 0x55555559c8f3 bp 0x7fffffffd3f0 sp 0x7fffffffd3e0
READ of size 8 at 0x60c000179630 thread T0
#0 0x55555559c8f2 in nni_msg_get_proto_data ../src/core/message.c:674
#1 0x5555555c2301 in nni_mqtt_msg_get_packet_type ../src/supplemental/mqtt/mqtt_msg.c:60
#2 0x5555555b8681 in nng_mqtt_msg_get_packet_type ../src/supplemental/mqtt/mqtt_public.c:42
#3 0x555555581ebb in client_subscribe ../mqtt/mqtt_client.c:180
#4 0x555555582eaf in main ../mqtt/mqtt_client.c:319
#5 0x7ffff73c1564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
#6 0x55555558122d in _start (/home/jaylin/projects/github/nng-nano/build/mqtt/mqtt_client+0x2d22d)

0x60c000179630 is located 112 bytes inside of 128-byte region [0x60c0001795c0,0x60c000179640)
freed by thread T0 here:
#0 0x7ffff768b8f7 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x5555555aff8c in nni_free ../src/platform/posix/posix_alloc.c:33
#2 0x55555559ba6d in nni_msg_free ../src/core/message.c:461
#3 0x55555558bbd8 in nng_msg_free ../src/nng.c:1424
#4 0x555555582025 in client_subscribe ../mqtt/mqtt_client.c:192
#5 0x555555582eaf in main ../mqtt/mqtt_client.c:319
#6 0x7ffff73c1564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)

previously allocated by thread T7 (nng:task) here:
#0 0x7ffff768be17 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x5555555aff63 in nni_zalloc ../src/platform/posix/posix_alloc.c:26
#2 0x55555559b52b in nni_msg_alloc ../src/core/message.c:380
#3 0x5555555cda6d in mqtt_tcptran_pipe_recv_cb ../src/mqtt/transport/tcp/mqtt_tcp.c:559
#4 0x5555555aa93d in nni_taskq_thread ../src/core/taskq.c:47
#5 0x5555555abb19 in nni_thr_wrap ../src/core/thread.c:94
#6 0x5555555b2aac in nni_plat_thr_main ../src/platform/posix/posix_thread.c:266
#7 0x7ffff75be44f in start_thread nptl/pthread_create.c:473

Thread T7 (nng:task) created by T0 here:
#0 0x7ffff762f6d5 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x5555555b2bdc in nni_plat_thr_init ../src/platform/posix/posix_thread.c:279
#2 0x5555555abdc2 in nni_thr_init ../src/core/thread.c:121
#3 0x5555555aac5c in nni_taskq_init ../src/core/taskq.c:92
#4 0x5555555ab7e9 in nni_taskq_sys_init ../src/core/taskq.c:251
#5 0x5555555976ca in nni_init_helper ../src/core/init.c:35
#6 0x5555555b2f30 in nni_plat_init ../src/platform/posix/posix_thread.c:422
#7 0x555555597741 in nni_init ../src/core/init.c:56
#8 0x5555555a3436 in nni_sock_open ../src/core/socket.c:630
#9 0x5555555b7cc0 in nni_proto_open ../src/sp/protocol.c:22
#10 0x5555555b796e in nng_mqtt_client_open ../src/mqtt/protocol/mqtt/mqtt_client.c:818
#11 0x555555581602 in client_connect ../mqtt/mqtt_client.c:100
#12 0x555555582a23 in main ../mqtt/mqtt_client.c:279
#13 0x7ffff73c1564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/core/message.c:674 in nni_msg_get_proto_data
Shadow bytes around the buggy address:
==274546==ABORTING

This happens when receiving high-throughput QoS 2 messages beyond the client's capability.
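The report above shows a message freed in client_subscribe (line 192) and then read again in the same function (line 180) on a later pass, which is the classic shape of a receive loop that ignores a failed nng_recvmsg and reuses the pointer left over from the previous iteration. The block below is an added example, not code from the nng-nano project: the shape of the mqtt_client.c loop is an assumption, and the nng calls are replaced by small in-memory stand-ins so it runs without the library and can count stale accesses instead of crashing.

```c
/* Added example (not nng-nano code): the receive-loop pattern the ASan
 * trace implies, buggy form beside hardened form. fake_recvmsg and
 * fake_msg_free stand in for nng_recvmsg and nng_msg_free. */
#include <stddef.h>

typedef struct { int packet_type; int freed; } msg_t;
typedef struct { int stale; int dropped; } loop_stats;

#define POOL 16
static msg_t pool[POOL];   /* fixed pool, so no real allocator is needed */

/* Stand-in for nng_recvmsg: every third call fails (as it would for a
 * client that cannot keep up with a QoS 2 flood) and, like the real call
 * on error, leaves *msgp untouched. Constructed failure pattern. */
static int fake_recvmsg(int call, msg_t **msgp) {
    if (call % 3 == 2) return -1;          /* error: *msgp not written */
    msg_t *m = &pool[call % POOL];
    m->packet_type = 3;                    /* constructed: PUBLISH */
    m->freed = 0;
    *msgp = m;
    return 0;
}

/* Stand-in for nng_msg_free: marks instead of frees, so a stale access
 * is counted rather than being a real heap-use-after-free. */
static void fake_msg_free(msg_t *m) { m->freed = 1; }

/* Buggy loop: return value ignored, pointer kept after free. */
loop_stats stale_accesses_buggy(int iterations) {
    loop_stats s = {0, 0};
    msg_t *msg = NULL;
    for (int i = 0; i < iterations; i++) {
        fake_recvmsg(i, &msg);             /* failure goes unnoticed */
        if (msg->freed) s.stale++;         /* UAF in the real program */
        fake_msg_free(msg);
    }
    return s;
}

/* Hardened loop: check the result, skip the iteration on failure, and
 * never leave a dangling pointer behind after freeing. */
loop_stats stale_accesses_safe(int iterations) {
    loop_stats s = {0, 0};
    msg_t *msg = NULL;
    for (int i = 0; i < iterations; i++) {
        int rv = fake_recvmsg(i, &msg);
        if (rv != 0 || msg == NULL) { s.dropped++; continue; }
        if (msg->freed) s.stale++;
        fake_msg_free(msg);
        msg = NULL;                        /* no stale pointer for next pass */
    }
    return s;
}
```

With nine iterations the buggy loop touches a freed message on every failed receive (three times), while the hardened loop drops those three receives and never touches freed memory.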

JaylinYu added a commit that referenced this issue Feb 4, 2022