Bug 29900 - crashes on a certain request (from Android)
Status: CLOSED WORKSFORME
Alias: None
Product: Sisyphus
Classification: Development
Component: polipo
Version: unstable
Hardware: all Linux
Importance: P3 normal
Assignee: Nobody's working on this, feel free to take it
QA Contact: qa-sisyphus
Reported: 2014-03-20 19:21 MSK by Ivan Zakharyaschev
Modified: 2014-10-06 05:54 MSK

Attachments
polipo-log.1395243368.31949_android-backup-post (1.07 KB, application/octet-stream)
2014-03-20 19:21 MSK, Ivan Zakharyaschev
Description Ivan Zakharyaschev 2014-03-20 19:21:39 MSK
Created attachment 6066
polipo-log.1395243368.31949_android-backup-post

polipo-1.0.4-alt1.1.qa1

My polipo is configured to listen on port 8117 and to forward connections through TOR.

I've discovered that on some requests from Android, it crashes. Here is a report, and the request is attached (polipo-log.1395243368.31949_android-backup-post):

[imz@localhost after-core-2]$ /sbin/service polipo status
polipo is running
[imz@localhost after-core-2]$ netcat 0 8117 < polipo-log.1395243368.31949_android-backup-post
HTTP/1.1 405 Method not allowed
Connection: keep-alive
Date: Thu, 20 Mar 2014 15:14:04 GMT
Content-Type: text/html
Content-Length: 440
Expires: 0
Cache-Control: no-cache
Pragma: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>Proxy error: 405 Method not allowed.</title>
</head><body>
<h1>405 Method not allowed</h1>
<p>The following error occurred while trying to access <strong>/backup</strong>:<br><br>
<strong>405 Method not allowed</strong></p>
<hr>Generated Thu, 20 Mar 2014 19:14:04 MSK by Polipo on <em>vaio:8117</em>.
</body></html>
HTTP/1.1 405 Method not allowed
Connection: keep-alive
Date: Thu, 20 Mar 2014 15:14:04 GMT
Content-Type: text/html
Content-Length: 440
Expires: 0
Cache-Control: no-cache
Pragma: no-cache

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>Proxy error: 405 Method not allowed.</title>
</head><body>
<h1>405 Method not allowed</h1>
<p>The following error occurred while trying to access <strong>/backup</strong>:<br><br>
<strong>405 Method not allowed</strong></p>
<hr>Generated Thu, 20 Mar 2014 19:14:04 MSK by Polipo on <em>vaio:8117</em>.
</body></html>
[imz@localhost after-core-2]$ /sbin/service polipo status
polipo is dead, but stale PID file exists
[imz@localhost after-core-2]$ 

The request is a kind of a POST request (since it's binary and not plain text, you'd better take it from the attachment):

[imz@localhost after-core-2]$ cat polipo-log.1395243368.31949_android-backup-post
POST /backup HTTP/1.1
Content-Length: 942
Host: android.clients.google.com
Connection: Keep-Alive
User-Agent: Android-Backup/1.0 (GT-P7500 HMJ37)
[imz@localhost after-core-2]$ 

A backtrace:

[imz@localhost after-core-2]$ gdb -c core.polipo.30971 -e /usr/bin/polipo 
GNU gdb (GDB) 7.5.0.20121002-alt3 (ALT Linux)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-alt-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
[New LWP 30971]
Core was generated by `/usr/bin/polipo'.
Program terminated with signal 6, Aborted.
#0  0xb7e210c5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0xb7e210c5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0xb7e228b3 in __GI_abort () at abort.c:90
#2  0xb7e19fd6 in __assert_fail_base (fmt=0xb7f2a964 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x80690bf "!object->chunks[i].locked", file=file@entry=0x8068f3c "object.c", 
    line=line@entry=655, function=function@entry=0x80692ec "destroyObject") at assert.c:92
#3  0xb7e1a087 in __GI___assert_fail (assertion=0x80690bf "!object->chunks[i].locked", file=0x8068f3c "object.c", line=655, function=0x80692ec "destroyObject") at assert.c:101
#4  0x0804ed8e in ?? ()
#5  0x080595d8 in ?? ()
#6  0x08059c79 in ?? ()
#7  0x0804c00e in ?? ()
#8  0x0804c386 in ?? ()
#9  0x0804c5c1 in ?? ()
#10 0x08059e29 in ?? ()
#11 0x08058c74 in ?? ()
#12 0x08059c79 in ?? ()
#13 0x0804c00e in ?? ()
#14 0x0804c386 in ?? ()
#15 0x0804c5c1 in ?? ()
#16 0x08059e29 in ?? ()
#17 0x08059e52 in ?? ()
#18 0x0805887d in ?? ()
#19 0x08058bd4 in ?? ()
#20 0x0804b63b in ?? ()
#21 0x0804b810 in ?? ()
#22 0x08049d0c in ?? ()
#23 0xb7e0c605 in __libc_start_main (main=0x1, argc=134520116, ubp_av=0x0, init=0x8049d55, fini=0x8049970, rtld_fini=0x1, stack_end=0xbf890f04) at libc-start.c:258
#24 0xb7facfc4 in _DYNAMIC () from /lib/ld-linux.so.2
#25 0x00000001 in ?? ()
#26 0x08049d34 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) 

There seems to be nothing more interesting in the logs, even after raising polipo's log level to 0xFF.
Comment 1 Ivan Zakharyaschev 2014-03-20 19:26:00 MSK
According to the mailing list http://sourceforge.net/p/polipo/mailman/polipo-users/?style=threaded&limit=250, there is a newer version of polipo in the HEAD of their VCS. It should be tested. They haven't yet made a newer release though.
Comment 2 Ivan Zakharyaschev 2014-03-21 14:26:49 MSK
I was able to find out the "bad" request and to write this report, after I learned how to turn on core dumps in my system (http://www.altlinux.org/Features/Core ), and invented a way to intercept and log the requests going to polipo (with a combination of xinetd, tee, and netcat; simply using netcat, and tee, and netcat was not that good because it failed to listen to "parallel" incoming connections).
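
The capture approach described in Comment 2, as an added example that is not part of the original report: the reporter's xinetd/tee/netcat configuration is not shown on this page, so this Python relay is a swapped-in equivalent that accepts parallel connections and writes each connection's request bytes to its own file. The `request-log.<epoch>.<n>` file names and all function names are assumptions of the example.

```python
import os, socket, threading, time

def relay(src, dst, log=None):
    """Copy src -> dst until EOF, appending every chunk to `log` first."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            if log is not None:
                log.write(data)
                log.flush()  # the chunk is logged before the proxy sees it
            dst.sendall(data)
    except OSError:
        pass  # peer vanished, e.g. the proxy aborted mid-request
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, upstream_addr, log_dir, conn_id):
    """Serve one client; its request bytes go to their own log file."""
    path = os.path.join(log_dir, "request-log.%d.%d" % (time.time(), conn_id))
    try:
        with client, open(path, "wb") as log, \
                socket.create_connection(upstream_addr) as upstream:
            back = threading.Thread(target=relay, args=(upstream, client))
            back.start()
            relay(client, upstream, log)
            back.join()
    except OSError:
        pass  # upstream not accepting connections (proxy already dead)

def serve(listen_addr, upstream_addr, log_dir):
    """Start the relay in background threads and return the listening socket."""
    srv = socket.create_server(listen_addr)
    def accept_loop():
        conn_id = 0
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener was closed
            conn_id += 1
            threading.Thread(target=handle, daemon=True,
                             args=(client, upstream_addr, log_dir, conn_id)).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv
```

For a setup like the one in the report, the relay would listen on the port clients use (8117 there) and forward to the proxy moved to another port, e.g. `serve(("127.0.0.1", 8117), ("127.0.0.1", 8118), "/tmp")`, where 8118 is a hypothetical port. The threads are daemons, so the calling script has to keep its main thread alive.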
Comment 3 Ivan Zakharyaschev 2014-03-23 02:32:05 MSK
Correct and complete backtrace:

$ gdb /usr/bin/polipo core.polipo.30971 
GNU gdb (GDB) 7.5.0.20121002-alt3 (ALT Linux)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-alt-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/polipo...Reading symbols from /usr/lib/debug/usr/bin/polipo.debug...done.
done.
[New LWP 30971]
Core was generated by `/usr/bin/polipo'.
Program terminated with signal 6, Aborted.
#0  0xb7e210c5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0xb7e210c5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0xb7e228b3 in __GI_abort () at abort.c:90
#2  0xb7e19fd6 in __assert_fail_base (fmt=0xb7f2a964 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x80690bf "!object->chunks[i].locked", file=file@entry=0x8068f3c "object.c", 
    line=line@entry=655, function=function@entry=0x80692ec <__PRETTY_FUNCTION__.7915> "destroyObject") at assert.c:92
#3  0xb7e1a087 in __GI___assert_fail (assertion=0x80690bf "!object->chunks[i].locked", file=0x8068f3c "object.c", line=655, function=0x80692ec <__PRETTY_FUNCTION__.7915> "destroyObject") at assert.c:101
#4  0x0804ed8e in destroyObject (object=0x8080c08) at object.c:639
#5  0x0804eee7 in releaseObject (object=0x8080c08) at object.c:291
#6  0x080595d8 in httpClientFinish (connection=0x807d350, s=0) at client.c:195
#7  0x08059c79 in httpErrorNocloseStreamHandler (status=0, event=0x807fa38, srequest=0x807fa48) at client.c:602
#8  0x0804c00e in do_scheduled_stream (status=0, event=0x807fa38) at io.c:284
#9  0x0804c386 in schedule_stream (operation=1, fd=5, offset=0, header=0x0, hlen=0, 
    buf=0xb7d81000 "HTTP/1.1 405 Method not allowed\r\nConnection: keep-alive\r\nDate: Wed, 19 Mar 2014 15:36:08 GMT\r\nContent-Type: text/html\r\nContent-Length: 440\r\nExpires: 0\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<!D"..., len=637, buf2=0x0, len2=0, buf3=0x0, len3=0, buf_location=0x0, handler=0x8059c5e <httpErrorNocloseStreamHandler>, data=0x807d350) at io.c:205
#10 0x0804c5c1 in do_stream (operation=1, fd=5, offset=0, 
    buf=0xb7d81000 "HTTP/1.1 405 Method not allowed\r\nConnection: keep-alive\r\nDate: Wed, 19 Mar 2014 15:36:08 GMT\r\nContent-Type: text/html\r\nContent-Length: 440\r\nExpires: 0\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<!D"..., len=637, handler=0x8059c5e <httpErrorNocloseStreamHandler>, data=0x807d350) at io.c:69
#11 0x08059e29 in httpClientRawErrorHeaders (connection=0x807d350, code=405, message=0x80819c8, close=0, headers=0x0) at client.c:490
#12 0x08058c74 in httpClientNoticeRequest (request=0x80818b0, novalidate=1) at client.c:1109
#13 0x08059c79 in httpErrorNocloseStreamHandler (status=0, event=0x80813f0, srequest=0x8081400) at client.c:602
#14 0x0804c00e in do_scheduled_stream (status=0, event=0x80813f0) at io.c:284
#15 0x0804c386 in schedule_stream (operation=1, fd=5, offset=0, header=0x0, hlen=0, 
    buf=0xb7d81000 "HTTP/1.1 405 Method not allowed\r\nConnection: keep-alive\r\nDate: Wed, 19 Mar 2014 15:36:08 GMT\r\nContent-Type: text/html\r\nContent-Length: 440\r\nExpires: 0\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<!D"..., len=637, buf2=0x0, len2=0, buf3=0x0, len3=0, buf_location=0x0, handler=0x8059c5e <httpErrorNocloseStreamHandler>, data=0x807d350) at io.c:205
#16 0x0804c5c1 in do_stream (operation=1, fd=5, offset=0, 
    buf=0xb7d81000 "HTTP/1.1 405 Method not allowed\r\nConnection: keep-alive\r\nDate: Wed, 19 Mar 2014 15:36:08 GMT\r\nContent-Type: text/html\r\nContent-Length: 440\r\nExpires: 0\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<!D"..., len=637, handler=0x8059c5e <httpErrorNocloseStreamHandler>, data=0x807d350) at io.c:69
#17 0x08059e29 in httpClientRawErrorHeaders (connection=0x807d350, code=405, message=0x80819c8, close=0, headers=0x0) at client.c:490
#18 0x08059e52 in httpClientRawError (connection=0x807d350, code=405, message=0x80819c8, close=0) at client.c:503
#19 0x0805887d in httpServeObject (connection=0x807d350) at client.c:1708
#20 0x08058bd4 in httpServeObjectDelayed (event=0x8080140) at client.c:1830
#21 0x0804b63b in runTimeEventQueue () at event.c:492
#22 0x0804b810 in eventLoop () at event.c:654
#23 0x08049d0c in main (argc=1, argv=0xbf890f04) at main.c:165
(gdb)
Comment 4 real@altlinux.org 2014-09-20 16:59:26 MSK
Sisyphus already has version 1.1.1. Is the problem still relevant?
Comment 5 real@altlinux.org 2014-10-06 05:54:11 MSK
Since there's silence, it must no longer be relevant.