Null-dereference READ in cricket::SctpTransport::ConnectTransportChannelSignals

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6095438734950400

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000048
Crash State:
  cricket::SctpTransport::ConnectTransportChannelSignals
  cricket::SctpTransport::SetTransportChannel
  webrtc::JsepTransportController::HandleRejectedContent

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=547361:547362

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6095438734950400

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Apr 3 2018
The following revision refers to this bug:
  https://webrtc.googlesource.com/src.git/+/644fde40a9c3299efb437680d8f4d1f4889a9375

commit 644fde40a9c3299efb437680d8f4d1f4889a9375
Author: Zhi Huang <zhihuang@webrtc.org>
Date: Tue Apr 03 03:04:07 2018

Add nullptr check in SctpTransport.

In previous implementation, the SctpTransport always assumes the
DtlsTransport underneath is non-null, which is not true after switching
to new JsepTransportController model.

This CL adds nullptr when connecting/disconnecting the SctpTransport
with the DtlsTransport.

The "channel" related methods and variables are also renamed.

Bug: chromium:827917, chromium:828220
Change-Id: I95aa2900d23b0885f45500e2c53def771abdccad
Reviewed-on: https://webrtc-review.googlesource.com/66160
Commit-Queue: Zhi Huang <zhihuang@webrtc.org>
Reviewed-by: Taylor Brandstetter <deadbeef@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22700}

[modify] https://crrev.com/644fde40a9c3299efb437680d8f4d1f4889a9375/media/sctp/sctptransport.cc
[modify] https://crrev.com/644fde40a9c3299efb437680d8f4d1f4889a9375/media/sctp/sctptransport.h
[modify] https://crrev.com/644fde40a9c3299efb437680d8f4d1f4889a9375/media/sctp/sctptransport_unittest.cc
[modify] https://crrev.com/644fde40a9c3299efb437680d8f4d1f4889a9375/media/sctp/sctptransportinternal.h
[modify] https://crrev.com/644fde40a9c3299efb437680d8f4d1f4889a9375/pc/peerconnection.cc
[modify] https://crrev.com/644fde40a9c3299efb437680d8f4d1f4889a9375/pc/peerconnectioninterface_unittest.cc
[modify] https://crrev.com/644fde40a9c3299efb437680d8f4d1f4889a9375/pc/test/fakesctptransport.h

Apr 3 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0d0bdf3190ce4d214a8ca6f5833f9e6f2284d386

commit 0d0bdf3190ce4d214a8ca6f5833f9e6f2284d386
Author: webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Tue Apr 03 10:30:45 2018

Roll src/third_party/webrtc/ 5b4f075f9..644fde40a (1 commit)

https://webrtc.googlesource.com/src.git/+log/5b4f075f9c59..644fde40a9c3

$ git log 5b4f075f9..644fde40a --date=short --no-merges --format='%ad %ae %s'

Created with:
  roll-dep src/third_party/webrtc
BUG=chromium:827917, chromium:828220

The AutoRoll server is located here: https://webrtc-chromium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_archive_rel_ng;master.tryserver.chromium.mac:mac_chromium_archive_rel_ng;master.tryserver.chromium.win:win-msvc-dbg
TBR=webrtc-chromium-sheriffs-robots@google.com

Change-Id: I51cd91f0fca62013f2f17b6e113f783c90b45f0a
Reviewed-on: https://chromium-review.googlesource.com/991606
Reviewed-by: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: webrtc-chromium-autoroll <webrtc-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#547663}

[modify] https://crrev.com/0d0bdf3190ce4d214a8ca6f5833f9e6f2284d386/DEPS

Apr 4 2018

ClusterFuzz has detected this issue as fixed in range 547662:547663.

Detailed report: https://clusterfuzz.com/testcase?key=6095438734950400

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000048
Crash State:
  cricket::SctpTransport::ConnectTransportChannelSignals
  cricket::SctpTransport::SetTransportChannel
  webrtc::JsepTransportController::HandleRejectedContent

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=547361:547362
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=547662:547663

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6095438734950400

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Apr 4 2018

ClusterFuzz testcase 6095438734950400 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by ClusterFuzz, Apr 3 2018

Labels: Test-Predator-Auto-CC