#234 Segfault

Milestone: v1.0 (example)
Status: closed-fixed
Owner: None
Priority: 5
Updated: 2014-11-18
Created: 2014-04-06
Private: No

Running minidlna 1.1.2 Packman RPM on openSUSE 11.4 64 bit worked fine at first but now the daemon segfaults shortly after startup.

Changes between the last time I'm sure it worked and the first time I noticed it crashing:
- software update on DLNA client Bang & Olufsen Beoplay V1
- edited IDv3 tags on a lot of MP3 files in the media directory
- regular openSUSE online updates

GDB backtrace:

Program received signal SIGSEGV, Segmentation fault.
set_filter_flags (filter=0x0, h=<value optimized out>) at upnpsoap.c:354
354                     if (strcmp(filter, "*") == 0 && samsung) {
(gdb) where
#0  set_filter_flags (filter=0x0, h=<value optimized out>) at upnpsoap.c:354
#1  0x00000000004119d7 in BrowseContentDirectory (h=0x8d77e0,
    action=<value optimized out>) at upnpsoap.c:1154
#2  0x000000000040c44b in Process_upnphttp (h=0x8d77e0) at upnphttp.c:1090
#3  0x0000000000407d8b in main (argc=<value optimized out>,
    argv=<value optimized out>) at minidlna.c:1223
(gdb) frame 1
#1  0x00000000004119d7 in BrowseContentDirectory (h=0x8d77e0,
    action=<value optimized out>) at upnpsoap.c:1154
1154            args.filter = set_filter_flags(Filter, h);
(gdb) print h->req_contentoff
$16 = 248
(gdb) print h->req_contentlen
$15 = 452
(gdb) printf "%.700s\n", h->req_buf
POST /ctl/ContentDir HTTP/1.1
Accept: */*
User-Agent: B&O DLNAClient1 DLNADOC/1.50
Host: 192.168.59.102:8200
SOAPACTION: "urn:schemas-upnp-org:service:ContentDirectory:1#Browse"
CONTENT-TYPE:  text/xml; charset="utf-8"
Content-Length: 452

< ?xml version="1.0" encoding="utf-8"?><s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:Browse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1"><ObjectID>1$6$5$1$0</ObjectID><BrowseFlag>BrowseMetadata</BrowseFlag><Filter></Filter><StartingIndex>0</StartingIndex><RequestedCount>1</RequestedCount><SortCriteria></SortCriteria></u:Browse></s:Body></s:Envelope>
(gdb) print *data->head->lh_first
$20 = {entries = {le_next = 0x914550, le_prev = 0x7fffffffe0d0},
  name = "RequestedCount", '\000' <repeats 49 times>,
  value = 0x90ff30 "PE\221"}
(gdb) print *data->head->lh_first->entries->le_next
$21 = {entries = {le_next = 0x96ffe0, le_prev = 0x90ff30},
  name = "StartingIndex", '\000' <repeats 50 times>,
  value = 0x914550 "\340\377\226"}
(gdb) print *data->head->lh_first->entries->le_next->entries->le_next
$22 = {entries = {le_next = 0x9e5380, le_prev = 0x914550},
  name = "BrowseFlag", '\000' <repeats 53 times>, value = 0x96ffe0 "\200S\236"}
(gdb) print *data->head->lh_first->entries->le_next->entries->le_next->entries->le_next
$23 = {entries = {le_next = 0x9e98b0, le_prev = 0x96ffe0},
  name = "ObjectID", '\000' <repeats 55 times>,
  value = 0x9e5380 "\260\230\236"}
(gdb) print *data->head->lh_first->entries->le_next->entries->le_next->entries->le_next->entries->le_next
$24 = {entries = {le_next = 0x0, le_prev = 0x9e5380},
  name = "rootElement\000Sing0\000\000\000\000\000\000\000@\000\000\000\000\000\000\000\240S\236\000\000\000\000\000/data/Music/Wishful Sing",
  value = 0x9e98b0 ""}
(gdb)

(Note: The blank after the leading left angle bracket of the XML string isn't present in the original GDB output. I inserted it because with the opening XML tag intact, the preview only showed a cryptic sequence of letters instead of my text from that point on. Apparently this ticket system interprets some XML even inside text quoted as source code.)

It looks like BrowseContentDirectory() is not prepared to handle a request with a missing or empty <Filter> entity.
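An added example (not minidlna's own code and not the patch proposed in the discussion) that models the path this report describes: element_text() stands in for minidlna's SOAP argument extraction and returns NULL for an empty element, matching the filter=0x0 seen in gdb for <Filter></Filter>; DEFAULT_FLAGS is an assumed stand-in for the value of the else branch; set_filter_flags_fixed() carries the NULL guard that the proposed patch adds, so the Browse request gets default flags instead of a SIGSEGV.

```c
/* Added example, not minidlna code. DEFAULT_FLAGS and element_text() are
 * assumptions standing in for minidlna internals. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_FLAGS 0x000000FFu /* assumed stand-in for the else branch */

/* Heap copy of the text between open and close, or NULL when the element is
 * missing or empty, mirroring filter=0x0 in gdb for <Filter></Filter>. */
char *element_text(const char *body, const char *open, const char *close)
{
    const char *s = strstr(body, open);
    if (!s) return NULL;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (!e || e == s) return NULL;           /* empty element -> NULL */
    size_t n = (size_t)(e - s);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* Guarded test from the proposed patch: NULL is rejected before strcmp, so an
 * empty or missing <Filter> yields the default flags instead of crashing. */
uint32_t set_filter_flags_fixed(const char *filter, int samsung)
{
    if (!filter || strlen(filter) <= 1) {
        if (filter && strcmp(filter, "*") == 0 && samsung)
            return 0xFFFFFFFFu;
        return DEFAULT_FLAGS;
    }
    return DEFAULT_FLAGS; /* parsing of a real comma-separated list omitted */
}

/* Constructed Browse body carrying the empty <Filter> from the report. */
static const char *BODY = "<u:Browse><ObjectID>1$6$5$1$0</ObjectID>"
    "<Filter></Filter><RequestedCount>1</RequestedCount></u:Browse>";

/* Full path a request takes: extract Filter, compute flags, release copy. */
uint32_t browse_flags(const char *body, int samsung)
{
    char *filter = element_text(body, "<Filter>", "</Filter>");
    uint32_t flags = set_filter_flags_fixed(filter, samsung);
    free(filter);
    return flags;
}
```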

Discussion

  • Tilman Schmidt - 2014-04-06

    Proposed patch, untested:

    --- minidlna-1.1.2/upnpsoap.c.orig      2014-03-07 01:30:25.000000000 +0100
    +++ minidlna-1.1.2/upnpsoap.c   2014-04-06 15:58:37.000000000 +0200
    @@ -351,7 +351,7 @@
            int samsung = client_types[h->req_client].flags & FLAG_SAMSUNG;
    
            if( !filter || (strlen(filter) <= 1) ) {
    -               if (strcmp(filter, "*") == 0 && samsung) {
    +               if (filter && strcmp(filter, "*") == 0 && samsung) {
                            return 0xFFFFFFFF;  /* We want FILTER_SEC_DCM_INFO */
                    } else {
                            /* Not the full 32 bits.  Skip vendor-specific stuff by default. */
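Review bot: the added `filter &&` is the right minimal guard for the crash in the backtrace (`filter=0x0` reaching `strcmp` at upnpsoap.c:354): the outer `if( !filter || (strlen(filter) <= 1) )` deliberately admits a NULL filter, so the inner test must not dereference it, and a NULL now falls through to the else branch whose comment marks it as the default that skips vendor-specific output. Consider testing the cheap flag first, `if (samsung && filter && strcmp(filter, "*") == 0)`, so non-Samsung clients never reach the strcmp at all; and since the patch is marked untested, replaying the captured Browse request with the empty `<Filter></Filter>` is the natural regression check before it is committed.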
    
  • Tilman Schmidt - 2014-04-06

    Seems to work fine with the patch.

  • Justin Maggard - 2014-04-18

    A fix for this has been committed to git master.

  • Justin Maggard - 2014-04-18
    • status: open --> closed-fixed
    • assigned_to: Justin Maggard
