Context Navigation

← Previous Ticket
Next Ticket →

Modify ↓

Ticket #9545 (closed Bug Report - Crash: fixed)

Opened 2 years ago

Last modified 21 months ago

[CRASH] seg fault in network control

Reported by:	ajlill@…	Owned by:	wagnerrp
Priority:	minor	Milestone:	0.25
Component:	MythTV - General	Version:	0.24-fixes
Severity:	medium	Keywords:
Cc:		Ticket locked:	no

Description

If a network control client closes the connection before the frontend sends the reply, then the ncc is destroyed and when sendReplyToClient tried to see if it's still connected, it segfaults.

fix: set m_socket to NULL in ncc destructor?

From my logs:

2011-02-03 13:45:11.972 ProcessAddRemoveQueues
2011-02-03 13:45:11.972 Construct FD_SET
2011-02-03 13:45:11.972 Waiting on select..
2011-02-03 13:45:11.972 NetworkControl: emit commandReceived(key right)
2011-02-03 13:45:11.972 NetworkControl: NetworkControl::receiveCommand(key right)
2011-02-03 13:45:11.972 NetworkControl: Client Socket disconnected
2011-02-03 13:45:11.972 SendReceiveStringList(MESSAGE,SYSTEM_EVENT NET_CTRL_DISCONNECTED SENDER fe2) called from UI thread

and a couple of seconds later:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f533a6a7944 in QAbstractSocket::state() const ()
   from /usr/lib/libQtNetwork.so.4
(gdb) bt
#0  0x00007f533a6a7944 in QAbstractSocket::state() const ()
   from /usr/lib/libQtNetwork.so.4
#1  0x000000000052bd3c in NetworkControl::sendReplyToClient (
    this=0x7f532c1ac9e0, ncc=0x2592ec0, reply=...) at networkcontrol.cpp:1120
#2  0x000000000052c602 in NetworkControl::customEvent (this=0x7f532c1ac9e0, 
    e=0x7f532433bed0) at networkcontrol.cpp:1189
#3  0x00007f533a2f1e84 in QObject::event(QEvent*) ()
   from /usr/lib/libQtCore.so.4
#4  0x00007f533ab2732c in QApplicationPrivate::notify_helper(QObject*, QEvent*)
    () from /usr/lib/libQtGui.so.4
#5  0x00007f533ab2d80b in QApplication::notify(QObject*, QEvent*) ()
   from /usr/lib/libQtGui.so.4
#6  0x00007f533a2e209c in QCoreApplication::notifyInternal(QObject*, QEvent*)
    () from /usr/lib/libQtCore.so.4
#7  0x00007f533a2e5744 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib/libQtCore.so.4
#8  0x00007f533a30bb73 in ?? () from /usr/lib/libQtCore.so.4
#9  0x00007f533700a6f2 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#10 0x00007f533700e568 in ?? () from /lib/libglib-2.0.so.0
#
11 0x00007f533700e71c in g_main_context_iteration ()
   from /lib/libglib-2.0.so.0
#12 0x00007f533a30b6b3 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/libQtCore.so.4
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) frame 1
#1  0x000000000052bd3c in NetworkControl::sendReplyToClient (
    this=0x7f532c1ac9e0, ncc=0x2592ec0, reply=...) at networkcontrol.cpp:1120
1120	    if (client && clientStream && client->state() == QTcpSocket::ConnectedState)
(gdb) p client
$1 = (struct QTcpSocket *) 0x2592eda
(gdb) p clientStream
$2 = (struct QTextStream *) 0x24000a000d8f80

Attachments

Change History

comment:1 Changed 2 years ago by ajlill@…

Setting m_socket to null didn't fix it, but this does

diff --git a/mythtv/programs/mythfrontend/networkcontrol.cpp b/mythtv/programs/mythfrontend/networkcontrol.cpp
index 0204f34..00778df 100644
--- a/mythtv/programs/mythfrontend/networkcontrol.cpp
+++ b/mythtv/programs/mythfrontend/networkcontrol.cpp
@@ -1186,7 +1186,10 @@ void NetworkControl::customEvent(QEvent *e)
             NetworkControlClient * ncc = nc->getClient();
             if (ncc)
             {
+             int index = clients.indexOf(ncc);
+             if (index >= 0)
                 sendReplyToClient(ncc, reply);
+             // else the client has disconnected
             }
             else //send to all clients
             {

comment:2 Changed 2 years ago by beirdo

Summary changed from seg fault in network control to [CRASH] seg fault in network control

This sounds like a potential candidate for use of QPointer.

comment:3 Changed 2 years ago by beirdo

Owner set to beirdo
Status changed from new to assigned

comment:4 Changed 2 years ago by beirdo

Type changed from Bug Report to Bug Report - Crash

comment:5 Changed 2 years ago by beirdo

Status changed from assigned to infoneeded

Can you give me the steps to try to reproduce this here?

comment:6 Changed 2 years ago by Tony Lill <ajlill@…>

use

tkmythremote frontendhostname

It's in the contrib directory in the 0.22 branch. It connects, sends a command and disconnects without waiting for a response. Just keep hitting buttons until it crashes.

comment:7 Changed 23 months ago by wagnerrp

Status changed from infoneeded to assigned

comment:8 Changed 21 months ago by Github

Status changed from assigned to closed
Resolution set to fixed
Milestone changed from unknown to 0.25

Check for viable connection before sending frontend control response

Add a check in NetworkControl::sendReplyToClient to ensure the client it is trying to send a command response to is one that it knows about. This is to prevent attempting to send a response to a connection that has already be closed by the remote end and deleted.

Fixes #9545

Branch: master Changeset: fc0e279a5a3a73e8e367222a6a9305af20986cbc

comment:9 Changed 21 months ago by wagnerrp

Owner changed from beirdo to wagnerrp

View ↑

Add a comment

You may use WikiFormatting here.

Modify Ticket

Action

leave as closed

reopen The resolution will be deleted. Next status will be 'new'

Author

Your email or username:

E-mail address and user name can be saved in the Preferences.

Attachments ↑

Note: See TracTickets for help on using tickets.

Download in other formats: