Closed Bug 1736224 Opened 3 years ago Closed 2 years ago

Crash in [@ sctp_setopt]

Categories

(Core :: WebRTC, defect)

Unspecified
All
defect

Tracking

RESOLVED FIXED
108 Branch
Tracking Status
firefox-esr102 109+ fixed
firefox107 --- wontfix
firefox108 --- fixed

People

(Reporter: jesup, Assigned: bwc)

Details

(Keywords: crash, csectype-wildptr, sec-high, Whiteboard: [post-critsmash-triage][adv-main108+r][adv-esr102.7+r])

Wildptr crashes on sctp creation.

Crash report: https://crash-stats.mozilla.org/report/index/7cbbcbc2-51f7-4e3b-a919-3af660210920

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll sctp_setopt netwerk/sctp/src/netinet/sctp_usrreq.c:4532
1 xul.dll usrsctp_setsockopt netwerk/sctp/src/user_socket.c:2166
2 xul.dll mozilla::DataChannelConnection::Init netwerk/sctp/datachannel/DataChannel.cpp:537
3 xul.dll static mozilla::DataChannelConnection::Create netwerk/sctp/datachannel/DataChannel.cpp:435
4 xul.dll mozilla::PeerConnectionImpl::EnsureDataConnection dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:856
5 xul.dll mozilla::PeerConnectionImpl::CreateDataChannel dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:1086
6 xul.dll mozilla::PeerConnectionImpl::CreateDataChannel dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:1069
7 xul.dll mozilla::dom::PeerConnectionImpl_Binding::createDataChannel dom/bindings/PeerConnectionImplBinding.cpp:1610
8 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3299
9 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:489

Do you have a way to reproduce the problem?

No - this is from crash reports from the field. I have URLs from the one user who caused the spike; most are variations on https://levsha.livejournal.com/feed/, but others are from a series of randomish sites (which may be using datachannels for content delivery, etc.).

Keywords: stalled
No longer blocks: webrtc-triage

Library update taking place in bug 1795697

Keywords: stalled

Hey Jim, I'd like to assign this to you to track the library update in bug 1795697 and mark this bug resolved when the lib update has landed.

Assignee: nobody → jmathies
Assignee: jmathies → nobody
Depends on: CVE-2022-46871

Hey Byron, I'd like to assign this to you since you landed the sctp library update in Fx 108 (ref: bug 1795697); I think this is one of 2 bugs that we believe (fingers crossed) will be fixed when the library finishes rolling out to Release. If you can keep an eye on this and verify that we don't see new crashes for a while so that we can close it, I'd really appreciate it. And if we do see crashes, please ping Michael Tüxen for debugging help. (I'm going to cross-post this message to the other bug.) Thanks!

Assignee: nobody → docfaraday

Haven't seen this since September, and we've recently updated this library. Closing this out.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Target Milestone: --- → 108 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main108+r]
Whiteboard: [post-critsmash-triage][adv-main108+r] → [post-critsmash-triage][adv-main108+r][adv-esr102.7+r]
Group: core-security-release