Check size of tcpFragmentList before delete fragment #1346
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## dev #1346 +/- ##
==========================================
+ Coverage 82.34% 82.37% +0.03%
==========================================
Files 163 163
Lines 20937 20939 +2
Branches 7906 7910 +4
==========================================
+ Hits 17241 17249 +8
+ Misses 3025 3017 -8
- Partials 671 673 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
I add a new function to specially test that case, appologize for the ugly code |
There was a problem hiding this comment.
In order for the test to run you need to add PTF_RUN_TEST here:
PcapPlusPlus/Tests/Pcap++Test/main.cpp
Line 302 in e48be80
| // tcpReassemblyTestManuallyCloseConnOnMesgReady() | ||
| // ~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| static bool tcpReassemblyTestManuallyCloseConnOnMesgReady(const std::vector<pcpp::RawPacket>& packetStream, TcpReassemblyMultipleConnStatsWithReassembly& results, bool monitorOpenCloseConns, bool closeConnsManually) |
There was a problem hiding this comment.
I think we can make this method simpler - I don't think that monitorOpenCloseConns and closeConnsManually are needed...
| flowKeysList.clear(); | ||
| } | ||
|
|
||
| pcpp::TcpReassembly *tcpReassmbly = nullptr; |
There was a problem hiding this comment.
Maybe instead of duplicating the entire struct we can just inherit from TcpReassemblyMultipleConnStats and add pcpp::TcpReassembly *tcpReassmbly?
Or another option is to add pcpp::TcpReassembly *tcpReassmbly to TcpReassemblyMultipleConnStats
|
|
are you able to reproduce it? adding the root cause in the test is helpful for the edge cases. |
Yes, and my new commit fixes it, thought I think this error shouldn't be caused... |
|
I am using TcpReassembly and it crashes with double free / invalid pointer in checkOutOfOrderFragments, but only on ARM, interestingly. Looking at this, it seems this PR should fix crashes I see. I have a pcap with recorded traffic, but unfortunelly I cannot share it. But I could help you with testing. |
That would be great, would you like to help test the PR with your pcap file on the ARM machine? |
|
Yes, the bug happens when you call closeConnection from OnMessageReadyCallback. Use build with address sanitizers (or valgrind?). I tried you branch and I did not see crash |
|
@davidbolvansky could you please furnish a concise reproducible code sample illustrating the issue you're encountering? |
|
As I said the bug happens when you call tcpReassembly.closeConnection(connData.flowKey) from OnMessageReadyCallback - OnMessageEndCallback is called for first time. Then OnMessageEndCallback is called again, due normal fin. This second invocation triggers double free. |
Tests/Pcap++Test/TestDefinition.h
Outdated
| @@ -64,6 +64,7 @@ PTF_TEST_CASE(TestTcpReassemblySanity); | |||
| PTF_TEST_CASE(TestTcpReassemblyRetran); | |||
| PTF_TEST_CASE(TestTcpReassemblyMissingData); | |||
| PTF_TEST_CASE(TestTcpReassemblyOutOfOrder); | |||
| PTF_TEST_CASE(TestTcpReassemblyOutOfOrderManuallyCloseConnOnMesgReady); | |||
There was a problem hiding this comment.
Can we make the test name shorter?
Maybe: TestTcpReassemblyOOOCloseConn
There was a problem hiding this comment.
Is TestTcpReassemblyOutOfOrderWithManualClose fine?
There was a problem hiding this comment.
We should probably change that, but we currently have a hard-coded limit of 35 characters for test names, here is an example:
Tests that have a longer name will result in a weird UI print, something like:
...
...
TestTcpReassemblyMalformedPkts : PASSED
TestTcpReassemblyMultipleConns : PASSED
TestTcpReassemblyIPv6 : PASSED
TestTcpReassemblyIPv6MultConns : PASSED
TestTcpReassemblyIPv6_OOO : PASSED
TestTcpReassemblyCleanup : PASSED
TestTcpReassemblyMaxOOOFrags : PASSED
TestTcpReassemblyMaxSeq : PASSED
TestTcpReassemblyDisableOOOCleanup : PASSED
TestTcpReassemblyOutOfOrderWithManualClose: PASSED
...
|
@MCredbear can you please address the remaining comments so we can get the PR merged? |
…tTcpReassemblyOutOfOrderWithManualClose
|
@MCredbear please also address the previous comment: And fix the pre-commit issue: https://github.com/seladb/PcapPlusPlus/actions/runs/8772352536/job/24071180251?pr=1346 |
|
@MCredbear the new test fails in CI 😕 |
|
Emm, I don't know what causes the new CI test error |
|
@MCredbear In output side there are three different HTTP payloads with |
| @@ -64,6 +64,7 @@ PTF_TEST_CASE(TestTcpReassemblySanity); | |||
| PTF_TEST_CASE(TestTcpReassemblyRetran); | |||
| PTF_TEST_CASE(TestTcpReassemblyMissingData); | |||
| PTF_TEST_CASE(TestTcpReassemblyOutOfOrder); | |||
| PTF_TEST_CASE(TestTcpReassemblyOOOWithManualClose); | |||
There was a problem hiding this comment.
I don't like the abbreviation, not straightforward, I would recommend TestTcpReassemblyOutOfOrderWithManualClose
There was a problem hiding this comment.
The problem is that we currently have a limit of 35 chars per test (you can see it everywhere in PcppTestFramework.h so longer test names will look misaligned when running them. Perhaps we can remove this limitation and automatically detect the longest test name, but I'm not sure it'd be straightforward to do 🤔
We can also extend the 35 limit to a larger number...
There was a problem hiding this comment.
@seladb maybe we should increase the number? TestTcpReassemblyOutOfOrderWithManualClose length is 42, so I guess changing it to 50 is enough.
| tcpReassembly->reassemblePacket(packet); | ||
| } | ||
|
|
||
| //for(TcpReassemblyMultipleConnStats::Stats::iterator iter = results.stats.begin(); iter != results.stats.end(); iter++) |
|
@MCredbear would you like to finish the PR? |
Fragment might be delete after calling m_OnMessageReadyCallback (eg. call TcpReassembly::closeConnection in m_OnMessageReadyCallback), so we need to check if it's already deleted .