View Issue Details

ID: 0035999
Project: FPC
Category: FCL
View Status: public
Last Update: 2019-08-24 14:19
Reporter: Simon Ameis
Assigned To: Michael Van Canneyt
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Desktop PC
OS: Windows 7, 64 bit
OS Version: 6.1 SP 1
Product Version: 3.3.1
Product Build: trunk
Target Version:
Fixed in Version: 3.3.1
Summary: 0035999: fcl-web: SIGSEGV on JSON RPC request without parameters
Description: When sending a malformed JSON RPC request to a TJSONRPCModule, the application crashes with SIGSEGV.
Steps To Reproduce: Create a new HTTP application, add a TJSONRPCModule and a TJSONRPCHandler.
Then send the following request to the application
{ "method": "JSONRPCHandler1", "id": 2 }


For a demo application please see attachment.
Additional Information: Exception message. The address 1 only shows up when compiling fcl-web with debugging information; otherwise another address is shown.
[Window Title]
Error

[Content]
Project httpproject1 raised exception class »External: SIGSEGV«.

 At address 1

[Ok]


Call stack:
#0 ?? at :0
0000001 TCUSTOMJSONRPCMODULE__HANDLEREQUEST(0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\jsonrpc\webjsonrpc.pp:257
0000002 TWEBHANDLER__DOCALLMODULE(0x16dbd50, 0x0, 0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\custweb.pp:332
0000003 TWEBHANDLER__HANDLEMODULEREQUEST(0x16963c8, 0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\custweb.pp:353
0000004 TMODULEFACTORY__DOHANDLEREQUEST(0x16963c8, 0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\fphttp.pp:368
0000005 TMODULEITEM__HANDLEREQUEST(0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\fphttp.pp:276
0000006 THTTPROUTEINTERFACE__DOHANDLEREQUEST(0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\httproute.pp:595
0000007 THTTPROUTE__HANDLEREQUEST(0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\httproute.pp:646
0000008 THTTPROUTER__DOROUTEREQUEST(0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\httproute.pp:357
0000009 THTTPROUTER__ROUTEREQUEST(0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\httproute.pp:585
0000010 TWEBHANDLER__HANDLEREQUEST(0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\custweb.pp:363
0000011 TWEBHANDLER__DOHANDLEREQUEST(0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\custweb.pp:512
0000012 TFPHTTPSERVERHANDLER__HTTPHANDLEREQUEST(0x16dbcb0, 0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\custhttpapp.pp:334
0000013 TFPCUSTOMHTTPSERVER__HANDLEREQUEST(0x1724178, 0x17342e8, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\fphttpserver.pp:871
0000014 TFPHTTPCONNECTION__HANDLEREQUEST(<error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\fphttpserver.pp:613
0000015 TFPCUSTOMHTTPSERVER__DOCONNECT(0x16cbcf0, 0x1696458, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\fphttpserver.pp:824
0000016 SSOCKETS$_$TSOCKETSERVER_$__$$_DOCONNECT$TSOCKETSTREAM at :0
0000017 SSOCKETS$_$TSOCKETSERVER_$__$$_STARTACCEPTING at :0
0000018 TFPCUSTOMHTTPSERVER__STARTSERVERSOCKET(<error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\fphttpserver.pp:859
0000019 TFPCUSTOMHTTPSERVER__SETACTIVE(true, <error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\fphttpserver.pp:712
0000020 TFPHTTPSERVERHANDLER__RUN(<error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\custhttpapp.pp:470
0000021 TCUSTOMWEBAPPLICATION__DORUN(<error reading variable>) at C:\FPC\fpcsrc\packages\fcl-web\src\base\custweb.pp:708
0000022 CUSTAPP$_$TCUSTOMAPPLICATION_$__$$_RUN at :0
0000023 main at httpproject1.lpr:12

The line fpcsrc\packages\fcl-web\src\jsonrpc\webjsonrpc.pp:257 is
AResponse.Content:=Res.AsJSON;
while Res is a TJSONERROROBJECT instance. Thus the method TJSONObject.GetAsJSON gets called.

However I was not able to trace down the root cause of the SIGSEGV.
Tags: fcl-json, fcl-web, JSON, SIGSEGV
Fixed in Revision: 42783
FPCOldBugId:
FPCTarget: 3.2.0
Attached Files: jsonrpc_sigsegv.zip (1,982 bytes)

Activities

Simon Ameis (reporter), 2019-08-23 20:23

jsonrpc_sigsegv.zip (1,982 bytes)

Simon Ameis (reporter), 2019-08-23 20:44, note ~0117812 (last edited 2019-08-23 20:52)

Root cause: the request is checked in TCustomJSONRPCDispatcher.CheckRequest. This method creates a result error object, which should be sent to the client.
For transporting the id field of the request to the client, the JSON node of the request is passed to CreateJSON2Error in fpjsonrpc line 936. This method references the id object inside the result error object.

The id object is destroyed together with the request object in webjsonrpc line 311 in TJSONRPCDispatchModule.DispatchRequest. Thus a reference to a non-existing object is left behind.

This later leads to an invalid memory access when converting the error object to the HTTP response.

Mitigation: in unit fpjson, clone the id data in this method:
function CreateJSON2ErrorResponse(Const AMessage : String; Const ACode : Integer; ID : TJSONData = Nil; idname : TJSONStringType = 'id' ) : TJSONObject;

begin
  If (ID=Nil) then
    ID:=TJSONNull.Create
  else // clone ID data to not get references to possibly uncontrolled destructed objects
    ID := ID.Clone;
  Result:=TJSONErrorObject.Create(['jsonrpc','2.0','error',CreateJSONErrorObject(AMessage,ACode),idname,ID]);
end;  

I've checked this with heaptrc, which shows this does not create memory leaks in this scenario.

Michael Van Canneyt (administrator), 2019-08-24 11:37, note ~0117819

Fixed. The error-message-creating routine 'owned' the ID parameter, which was in fact already owned by the input, so it was freed twice. Fixed by always cloning the ID parameter.
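
Added example (not from the report, the attachment or the fcl-web sources): a stand-alone Free Pascal program that reproduces the ownership problem described in notes ~0117812 and ~0117819 with plain fpjson, outside fcl-web. BuildErrorResponse stands in for CreateJSON2ErrorResponse: with CloneID=True it stores a clone of the id node, with CloneID=False it stores the request's own node, so that node ends up owned by both the request and the response. Dispatch frees the request before serialising the response, the same order as TJSONRPCDispatchModule.DispatchRequest followed by TCustomJSONRPCModule.HandleRequest. The function and parameter names, the validation rule (reject a request without "params") and the error code -32600 / "Invalid Request" (taken from the JSON-RPC 2.0 specification) are assumptions for this demo, not what fpjsonrpc's CheckRequest actually does.

```pascal
program jsonrpc_id_ownership;
{$mode objfpc}{$H+}

uses
  SysUtils, fpjson, jsonparser;

const
  // Constructed request: same shape as the one in the report, no "params" member.
  MalformedRequest = '{ "method": "JSONRPCHandler1", "id": 2 }';

// Stand-in for CreateJSON2ErrorResponse (name and signature assumed for this demo).
// TJSONObject.Create([...]) takes ownership of every TJSONData it is handed, so
// storing the caller's node directly (CloneID=False) gives that node two owners.
function BuildErrorResponse(const AMessage: string; ACode: Integer;
  ID: TJSONData; CloneID: Boolean): TJSONObject;
var
  IdNode: TJSONData;
begin
  if ID = nil then
    IdNode := TJSONNull.Create   // JSON-RPC: id is null when it cannot be determined
  else if CloneID then
    IdNode := ID.Clone           // the fix: independent copy, owned by the response only
  else
    IdNode := ID;                // the bug: node is still owned by the request as well
  Result := TJSONObject.Create(['jsonrpc', '2.0',
    'error', TJSONObject.Create(['code', ACode, 'message', AMessage]),
    'id', IdNode]);
end;

// Stand-in for the dispatch/handle sequence: validate, build the response,
// free the request, and only then serialise the response.
function Dispatch(const RequestText: string; CloneID: Boolean): string;
var
  Req: TJSONData;
  ReqObj: TJSONObject;
  Resp: TJSONObject;
begin
  Req := GetJSON(RequestText);
  try
    if Req is TJSONObject then
      ReqObj := TJSONObject(Req)
    else
      ReqObj := nil;
    // Assumed validation rule for the demo: a request without "params" is rejected.
    if ReqObj = nil then
      Resp := BuildErrorResponse('Invalid Request', -32600, nil, CloneID)
    else if ReqObj.Find('params') = nil then
      Resp := BuildErrorResponse('Invalid Request', -32600, ReqObj.Find('id'), CloneID)
    else
      Resp := TJSONObject.Create(['jsonrpc', '2.0', 'result', 'ok']); // id handling omitted
  finally
    Req.Free;   // frees the request and every node it owns, including "id"
  end;
  // Serialisation happens after the request is gone, as at webjsonrpc.pp:257.
  Result := Resp.AsJSON;
  Resp.Free;    // with CloneID=False the shared id node is freed a second time here
end;

begin
  // Fixed behaviour: the cloned id survives the destruction of the request.
  WriteLn(Dispatch(MalformedRequest, True));
  // Any argument takes the buggy path; build with -gh so heaptrc reports the double free.
  if ParamCount > 0 then
    WriteLn(Dispatch(MalformedRequest, False));
end.
```

Compile with `fpc -gh jsonrpc_id_ownership.pas` and run it without arguments for the fixed behaviour; run it with any argument to take the buggy path, where heaptrc reports the second free of the id node. Without -gh the buggy path is an ordinary use-after-free whose outcome depends on what the allocator did with the block in between, which is why the report sees the crash only at some addresses and only in some builds. When the request is not needed afterwards, TJSONObject.Extract('id') is an alternative to cloning: it removes the node from the request and hands ownership to the caller, so it too has exactly one owner.
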

Simon Ameis (reporter), 2019-08-24 14:19, note ~0117826

Thanks for patching.

Issue History

Date Modified Username Field Change
2019-08-23 20:23 Simon Ameis New Issue
2019-08-23 20:23 Simon Ameis File Added: jsonrpc_sigsegv.zip
2019-08-23 20:23 Simon Ameis Tag Attached: fcl-web
2019-08-23 20:23 Simon Ameis Tag Attached: fcl-json
2019-08-23 20:23 Simon Ameis Tag Attached: JSON
2019-08-23 20:23 Simon Ameis Tag Attached: SIGSEGV
2019-08-23 20:44 Simon Ameis Note Added: 0117812
2019-08-23 20:52 Simon Ameis Note Edited: 0117812 View Revisions
2019-08-24 11:37 Michael Van Canneyt Assigned To => Michael Van Canneyt
2019-08-24 11:37 Michael Van Canneyt Status new => resolved
2019-08-24 11:37 Michael Van Canneyt Resolution open => fixed
2019-08-24 11:37 Michael Van Canneyt Fixed in Version => 3.3.1
2019-08-24 11:37 Michael Van Canneyt Fixed in Revision => 42783.
2019-08-24 11:37 Michael Van Canneyt FPCTarget => 3.2.0
2019-08-24 11:37 Michael Van Canneyt Note Added: 0117819
2019-08-24 14:19 Simon Ameis Status resolved => closed
2019-08-24 14:19 Simon Ameis Note Added: 0117826