@mqp
Created December 6, 2017 22:43
ASan output for Janus ICE destruction incoming data race
#0 0x5575b8946289 in janus_dtls_notify_data /home/mquander/src/janus-gateway/dtls.c:924
#1 0x5575b8a3b025 in janus_sctp_handle_data_message /home/mquander/src/janus-gateway/sctp.c:939
#2 0x5575b8a3b34c in janus_sctp_handle_message /home/mquander/src/janus-gateway/sctp.c:989
#3 0x5575b8a2ef1c in janus_sctp_incoming_data /home/mquander/src/janus-gateway/sctp.c:343
#4 0x7f010e0f4b4a in sctp_invoke_recv_callback netinet/sctputil.c:4855
#5 0x7f010e0f5236 in sctp_add_to_readq netinet/sctputil.c:4963
#6 0x7f010e079940 in sctp_process_a_data_chunk netinet/sctp_indata.c:2103
#7 0x7f010e07ba31 in sctp_process_data netinet/sctp_indata.c:2760
#8 0x7f010e095b9e in sctp_common_input_processing netinet/sctp_input.c:6162
#9 0x7f010e060d2b in usrsctp_conninput /home/mquander/src/janus-plugin-sfu/build/sctplab/usrsctp/usrsctplib/user_socket.c:3375
#10 0x5575b8a4a545 in janus_sctp_thread /home/mquander/src/janus-gateway/sctp.c:1317
#11 0x7f010f3a9644 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72644)
#12 0x7f010dbbc7fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
#13 0x7f010d8e9b0e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x114b0e)
0x614000307a40 is located 0 bytes inside of 448-byte region [0x614000307a40,0x614000307c00)
freed by thread T3069 (iceloop 2698508) here:
#0 0x7f010fbc47b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
#1 0x5575b896dd68 in janus_ice_component_free /home/mquander/src/janus-gateway/ice.c:1342
#2 0x5575b896d250 in janus_ice_component_destroy /home/mquander/src/janus-gateway/ice.c:1268
#3 0x5575b896c073 in janus_ice_stream_destroy /home/mquander/src/janus-gateway/ice.c:1208
#4 0x5575b896b168 in janus_ice_webrtc_free /home/mquander/src/janus-gateway/ice.c:1157
#5 0x5575b898a5c0 in janus_ice_thread /home/mquander/src/janus-gateway/ice.c:2359
#6 0x7f010f3a9644 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72644)
previously allocated by thread T3037 (pool) here:
#0 0x7f010fbc4d38 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
#1 0x7f010f3875d0 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x505d0)
#2 0x5575b89cf4e4 in janus_process_incoming_request /home/mquander/src/janus-gateway/janus.c:1290
#3 0x5575b89e2f58 in janus_transport_task /home/mquander/src/janus-gateway/janus.c:2581
#4 0x7f010f3aa00f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7300f)
Thread T3093 (sctp 2698508135) created by T3069 (iceloop 2698508) here:
#0 0x7f010fb1dd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7f010f3c739f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x9039f)
Thread T3069 (iceloop 2698508) created by T3037 (pool) here:
#0 0x7f010fb1dd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7f010f3c739f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x9039f)
Thread T3037 (pool) created by T10 (ws thread) here:
#0 0x7f010fb1dd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7f010f3c739f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x9039f)
Thread T10 (ws thread) created by T0 here:
#0 0x7f010fb1dd2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7f010f3c739f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x9039f)
SUMMARY: AddressSanitizer: heap-use-after-free /home/mquander/src/janus-gateway/dtls.c:924 in janus_dtls_notify_data
Shadow bytes around the buggy address:
0x0c2880058ef0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c2880058f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2880058f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2880058f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2880058f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2880058f40: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x0c2880058f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2880058f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2880058f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2880058f80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2880058f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28578==ABORTING