Crash AddressSanitizer SrsHttpStreamServer::hijack

Question

Crash AddressSanitizer SrsHttpStreamServer::hijack

Closed this issue 2 months ago · 3 comments

thegobot commented 2 months ago

XCORE-SRS/5.0.224(Bee)

ffmpeg -i rtmp://127.0.0.1/defaultApp/stream -f flv rtmp://127.0.0.1/defaultApp/stream?vhost=small

kill ffmpeg

ffplay http://127.0.0.1:8081/__defaultApp__/stream_sm.flv
Failed to handle HTTP request for pattern duplicated

ffplay http://127.0.0.1:8081/__defaultApp__/stream_sm.flv
Crash

I'm checked

s_entry->stream->entry IS NULL!

Heap-use-after-free on address 0x5040004b2098 at pc 0x55c2332e9a32 bp 0x7fb8aa2d1080 sp 0x7fb8aa2d1070
READ of size 8 at 0x5040004b2098 thread T1
  at 0x55c2332e9a31 SrsHttpStreamServer::hijack(ISrsHttpMessage*, ISrsHttpHandler**) (srs_app_http_stream.cpp:1118)
  at 0x55c232fbfc16 SrsHttpServeMux::find_handler(ISrsHttpMessage*, ISrsHttpHandler**) (srs_protocol_http_stack.cpp:793)
  at 0x55c2332af048 SrsHttpServer::serve_http(ISrsHttpResponseWriter*, ISrsHttpMessage*) (srs_app_http_conn.cpp:539)
  at 0x55c232fc2b00 SrsHttpAuthMux::serve_http(ISrsHttpResponseWriter*, ISrsHttpMessage*) (srs_protocol_http_stack.cpp:956)
  at 0x55c232fc1f35 SrsHttpCorsMux::serve_http(ISrsHttpResponseWriter*, ISrsHttpMessage*) (srs_protocol_http_stack.cpp:923)
  at 0x55c2332aad8d SrsHttpConn::process_request(ISrsHttpResponseWriter*, ISrsHttpMessage*, int) (srs_app_http_conn.cpp:235)
  at 0x55c2332aa499 SrsHttpConn::process_requests(SrsRequest**) (srs_app_http_conn.cpp:208)
  at 0x55c2332a98f7 SrsHttpConn::do_cycle() (srs_app_http_conn.cpp:162)
  at 0x55c2332a8d5c SrsHttpConn::cycle() (srs_app_http_conn.cpp:107)
  at 0x55c2334d7ee6 SrsFastCoroutine::cycle() (srs_app_st.cpp:285)
  at 0x55c2334d803b SrsFastCoroutine::pfn(void*) (srs_app_st.cpp:300)
  at 0x55c23355672d _st_thread_main (sched.c:380)
  at 0x55c233557062 st_thread_create (sched.c:666)
  at 0x50400059b8cf
Freed by thread T1 here:
  at 0x7fb8afe01d07 operator delete(void*) (asan_new_delete.cpp:160)
Previously allocated by thread T1 here:
  at 0x7fb8afe011e7 operator new(unsigned long) (asan_new_delete.cpp:99)
Thread T1 created by T0 here:
  at 0x7fb8afda3685 __interceptor_pthread_create (asan_interceptors.cpp:216)
  at 0x55c23353700a SrsThreadPool::execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, SrsCplxError* (*)(void*), void*) (srs_app_threads.cpp:679)
  at 0x55c233554d09 run_in_thread_pool() (srs_main_server.cpp:475)
  at 0x55c233554744 run_directly_or_daemon() (srs_main_server.cpp:414)
  at 0x55c233551fb0 do_main(int, char**, char**) (srs_main_server.cpp:242)
  at 0x55c2335522d1 main (srs_main_server.cpp:253)
  at 0x7fb8af818d8f __libc_start_call_main (libc_start_call_main.h:58)


srs_log_tank        console;
daemon              off;
listen 1935;
server_id srs-dev;

stats {
    enabled off;
    network   0;
}

rtc_server {
    enabled on;
    protocol udp;
    candidate 172.26.2.196;
    listen 8001;
    tcp {
        enabled off;
        listen 8001;
    }
}

http_api {
    enabled on;
    listen 127.0.0.1:1986;
}

http_server {
    enabled on;
    listen 127.0.0.1:8081;
}

vhost small {
    enabled on;

    http_remux {
        enabled     on;
        has_audio on;
        has_video on;
        guess_has_av off;
        mount       /[app]/[stream]_sm.flv;
    }

}

vhost __defaultVhost__ {

    forward {
        enabled on;
        backend https://exampla.com/hook/srs/forward;
    }

    http_hooks {
        enabled on;
        on_publish "https://exampla.com/hook/srs/publish";
        on_unpublish "https://exampla.com/hook/srs/unpublish";
    }

    play{
        #atc on;
        time_jitter off; #android?
        #mw_latency      100;
        gop_cache       off;
        queue_length    10;
    }

    hls {
        enabled         on;
	hls_ctx off;
	hls_ts_ctx off;
        hls_dispose 10;
        hls_fragment    3;
        hls_window      60;
        #hls_path        /streams/hls;
        hls_path        ./objs/nginx/html/hls;
        hls_m3u8_file   [stream].m3u8;
        hls_ts_file     [stream]-[seq].ts;

    }

    http_remux {
        enabled     on;
        has_audio on;
        has_video on;
        guess_has_av off; 
        mount       /[app]/[stream].flv;
    }

    rtc {
        enabled     on;
        #rtmp_to_rtc on;
        rtc_to_rtmp on;
        pli_for_rtmp 2.0;
    }

}

Answer 1 · 2025-09-13T12:13:06.000Z

SRS 5 is out of support. Please upgrade to SRS 6.

Answer 2 · 2025-09-15T07:30:08.000Z

Version 6 is unfortunately not stable. It has errors that prevent it from being used. In general, no version works stably. Errors and crashes. Let's make at least one version truly stable and start with version 6! First of all, we need to get rid of endless crashes!!!

All the innovations are worth nothing if the process crashes once a day when using RTC!

Answer 3 · 2025-09-15T14:09:07.000Z

I have fixed the crash in SRS 6, if you got one, please report it and I will help fix it.