Ubuntu
mt-daapd package

mt-daapd server crashes when requesting a scanpa

Bug #210048 reported by Jeremy Kerr on 2008-04-01

Affects		Status	Importance	Assigned to	Milestone
	mt-daapd (Debian)	Fix Released	Unknown	debbugs #493756
	mt-daapd (Ubuntu)	Fix Released	Medium	Unassigned

Bug Description

Binary package hint: mt-daapd

By requesting a metadata scan through mt-daapd's web interface, I can crash the mt-daapd process.

I see the following in the log output (using 'sudo mt-daapd -D webserver -d -f'):

Thread 12:
Request: POST /xml-rpc HTTP/1.1
Thread 12: Read: User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.25-rc7-p2; X11; ppc) KHTML/3.5.9 (like Gecko) (Kubuntu package 4:3.5.9-0ubuntu5)
Thread 12: Adding header *User-Agent=Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.25-rc7-p2; X11; ppc) KHTML/3.5.9 (like Gecko) (Kubuntu package 4:3.5.9-0ubuntu5)*
Added *User-Agent=Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.25-rc7-p2; X11; ppc) KHTML/3.5.9 (like Gecko) (Kubuntu package 4:3.5.9-0ubuntu5)*
Thread 12: Read: Referer: http://pokey:3689/index.html
Thread 12: Adding header *Referer=http://pokey:3689/index.html*
Added *Referer=http://pokey:3689/index.html*
Thread 12: Read: Pragma: no-cache
Thread 12: Adding header *Pragma=no-cache*
Added *Pragma=no-cache*
Thread 12: Read: Cache-control: no-cache
Thread 12: Adding header *Cache-control=no-cache*
Added *Cache-control=no-cache*
Thread 12: Read: Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
Thread 12: Adding header *Accept=text/html, image/jpeg, image/png, text/*, image/*, */**
Added *Accept=text/html, image/jpeg, image/png, text/*, image/*, */**
Thread 12: Read: Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Thread 12: Adding header *Accept-Encoding=x-gzip, x-deflate, gzip, deflate*
Added *Accept-Encoding=x-gzip, x-deflate, gzip, deflate*
Thread 12: Read: Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Thread 12: Adding header *Accept-Charset=utf-8, utf-8;q=0.5, *;q=0.5*
Added *Accept-Charset=utf-8, utf-8;q=0.5, *;q=0.5*
Thread 12: Read: Accept-Language: en
Thread 12: Adding header *Accept-Language=en*
Added *Accept-Language=en*
Thread 12: Read: Host: pokey:3689
Thread 12: Adding header *Host=pokey:3689*
Added *Host=pokey:3689*
Thread 12: Read: connection: close
Thread 12: Adding header *connection=close*
Added *connection=close*
Thread 12: Read: x-prototype-version: 1.4.0
Thread 12: Adding header *x-prototype-version=1.4.0*
Added *x-prototype-version=1.4.0*
Thread 12: Read: x-requested-with: XMLHttpRequest
Thread 12: Adding header *x-requested-with=XMLHttpRequest*
Added *x-requested-with=XMLHttpRequest*
Thread 12: Read: Content-type: application/x-www-form-urlencoded
Thread 12: Adding header *Content-type=application/x-www-form-urlencoded*
Added *Content-type=application/x-www-form-urlencoded*
Thread 12: Read: Authorization: Basic YWRtaW46ZGVhbDlwcmljeQ==
Thread 12: Adding header *Authorization=Basic YWRtaW46ZGVhbDlwcmljeQ==*
Added *Authorization=Basic YWRtaW46ZGVhbDlwcmljeQ==*
Thread 12: Read: Connection: Keep-Alive
Thread 12: Adding header *Connection=Keep-Alive*
Updating Connection from close to Keep-Alive
Thread 12: Out of memory
Aborting
Rendezvous socket closed (daap server crashed?) Aborting.
Aborting

Fix:

It looks like the browser is sending two 'Connection:' headers (one in lowercase). This is triggerring a bug where the ws_addarg() updates (rather than inserts) a new header. This condition includes an incorrect return value. The caller assumes that the ws_addarg failed, so exits with the out of memory message.

Patch attached, also sent upstream.

Tags:

Revision history for this message

Jeremy Kerr (jk-ozlabs) wrote on 2008-04-01:

Patch to fix return value in ws_addarg Edit (3.8 KiB, text/plain)

Revision history for this message

Daniel T Chen (crimsun) wrote on 2008-12-07:

Is this symptom still reproducible in 8.10 or 9.04?

Changed in mt-daapd:
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

Adam Buchbinder (adam-buchbinder) wrote on 2008-12-15:

I can't reproduce this on mt-daapd 0.9~r1696.dfsg-2 on Intrepid. I ran the server from the command line (though the syntax is 'sudo mt-daapd -D webserver -d 9 -f', maybe changed since the original report?), and tried (a) telnetting to the server and pasting in the offending headers, and (b) opening the web interface and forcing an update.

Checking the sources, this is because the patch was incorporated in version 0.9~r1696-4. (The bug was also reported to Debian, and patched in their sources first.)