
a bug in stunc_resp_handler #2

@lxlenovostar

Description

@lxlenovostar
/*
 * STUN client response handler for an ICE connectivity check.
 *
 * Invoked with the transaction result: err is the transport/transaction
 * error (0 on success), scode the STUN error code, msg the response
 * message (NULL when the transaction did not complete, see the
 * err=110 / msg=0x0 timeout path in the backtrace below), and arg the
 * struct ice_conncheck that owns the check.
 *
 * Excerpt: the body continues past `goto out;` and the `out:` label
 * is not shown here.
 */
static void stunc_resp_handler(int err, uint16_t scode, const char *reason,
			       const struct stun_msg *msg, void *arg)
{
	struct ice_conncheck *cc = arg;
	struct ice_candpair *pair = cc->pair;
	struct trice *icem = cc->icem;
	struct stun_attr *attr;
	/* both the transaction and the STUN status must be clean */
	bool success = (err == 0) && (scode == 0);
	(void)reason;

	/* NOTE(review): only logs and falls through; icem is still passed
	 * to trice_tracef below -- confirm that tolerates NULL. */
	if (!icem) {
		DEBUG_WARNING("stun response: no icem\n");
	}

	/* check already terminated: nothing to report */
	if (cc->term)
		return;

	/* NOTE(review): pair->lcand is dereferenced here unconditionally;
	 * the gdb dump in this issue shows the pair fully zeroed
	 * (lcand == rcand == NULL) when the handler runs from the
	 * transaction timeout, so a NULL check on pair->lcand / pair->rcand
	 * before this trace is needed. */
	trice_tracef(icem, success ? 32 : 31,
		     "[%u] Rx %H <--- %H '%u %s'%H\n",
		     pair->lcand->attr.compid,
		     trice_cand_print, pair->lcand,
		     trice_cand_print, pair->rcand,
		     scode, reason, print_err, &err);

	/* transaction-level failure (e.g. timeout): mark the pair failed */
	if (err) {
		DEBUG_NOTICE("stun response: [%H --> %H] %m\n",
			     trice_cand_print, pair->lcand,
			     trice_cand_print, pair->rcand,
			     err);

		trice_candpair_failed(pair, err, scode);
		goto out;
	}
backtrace:

#0  0xb6c842f4 in stunc_resp_handler (err=110, scode=<optimized out>, reason=<optimized out>, msg=0x0, arg=0x2a2db8) at src/trice/connchk.c:202
        cc = 0x2a2db8
        pair = 0x38c188
        icem = 0x4a65c0
        attr = <optimized out>
        success = <optimized out>
#1  0xb6e0ef60 in completed (ct=0x449ea8, err=110, scode=0, reason=0x0, msg=0x0) at src/stun/ctrans.c:65
        resph = 0xb6c842ad <stunc_resp_handler>
        arg = 0x2a2db8
#2  0xb6e0f0b2 in timeout_handler (arg=0x449ea8) at src/stun/ctrans.c:102
        ct = 0x449ea8
        cfg = 0x4b2950
        err = 110
#3  0xb6e35d20 in call_handler (th=0xb6e0efe9 <timeout_handler+8>, arg=0x449ea8) at src/tmr/tmr.c:70
        tick = 1560150070939
        diff = 0
#4  0xb6e35dda in tmr_poll (tmrl=0xb6f7b678 <global_re+24>) at src/tmr/tmr.c:116
        jfs = 1560150070939
#5  0xb6e37600 in re_main (signalh=0xd365 <handle_signal_handler>) at src/main/main.c:997
        re = 0xb6f7b660 <global_re>
        err = 0

(gdb)  print *((struct ice_candpair *)(*(struct ice_conncheck *)0x2a2db8).pair)
$9 = {le = {prev = 0x0, next = 0x0, list = 0x0, data = 0x0}, icem = 0x0, comp = 0x0, lcand = 0x0, rcand = 0x0, def = false, valid = false, nominated = false, state = ICE_CANDPAIR_FROZEN, 
  pprio = 0, ct_conn = 0x0, err = 0, scode = 0}
(gdb)  print *((struct trice *)(*(struct ice_conncheck *)0x2a2db8).icem)
$10 = {conf = {nom = ICE_NOMINATION_AGGRESSIVE, debug = false, trace = false, ansi = true, enable_prflx = true}, lrole = ICE_ROLE_CONTROLLED, tiebrk = 11420834005876552669, 
  lufrag = 0x1ec118 "bQOuno5QYlhdyzAq", lpwd = 0x1796e0 "000bkD20U7300eFHK2Q1B9LevVF2NjiW", rufrag = 0x26aed8 "m5qT", rpwd = 0x47bf8 "zTnoJq0jisUe6oCYQzRr9JtS", lcandl = {head = 0x44d4fc, 
    tail = 0x274cfc}, rcandl = {head = 0x14e36c, tail = 0x2790a4}, checkl = {head = 0x1c45c0, tail = 0x1eb8e0}, validl = {head = 0x0, tail = 0x0}, reqbufl = {head = 0x0, tail = 0x0}, 
  checklist = 0x324520, connl = {head = 0x0, tail = 0x0}, sw = 0x0}

pair->lcand is 0x0 (the gdb dump above shows the whole candidate pair zeroed when the handler runs from the transaction timeout, err=110, msg=0x0), and it is dereferenced without a NULL check here:

	trice_tracef(icem, success ? 32 : 31,
		     "[%u] Rx %H <--- %H '%u %s'%H\n",
		     pair->lcand->attr.compid,
		     trice_cand_print, pair->lcand,
		     trice_cand_print, pair->rcand,
		     scode, reason, print_err, &err);
