fix: SIGSEGV in mtfront_pre_loop from CONN_INFO on listening connection

dvershinin · dvershinin · commit a7e832ec5772 · 2026-03-26T01:24:50.000+08:00
Root cause of intermittent CI crashes. CONN_INFO(LC)-&gt;window_clamp
wrote at offset 512 into an 80-byte listening_connection_info allocation
(432 bytes out of bounds). The job allocator's slab layout usually
placed valid memory there, but occasionally hit a page boundary causing
SIGSEGV.

Fix: use LISTEN_CONN_INFO(LC) which accesses the correct struct.
Both structs have a window_clamp field; net-connections.c:730 already
copies LC-&gt;window_clamp to accepted connections correctly.
diff --git a/common/server-functions.c b/common/server-functions.c
@@ -53,7 +53,9 @@
 #include <string.h>
 #include <sys/resource.h>
 #include <sys/wait.h>
+#ifdef HAVE_LIBUNWIND
 #include <ucontext.h>
+#endif
 #include <unistd.h>
 #include <pthread.h>
 
@@ -250,32 +252,37 @@ void engine_set_terminal_attributes (void) {}
 void extended_debug_handler (int sig, siginfo_t *info, void *cont) {
   ksignal (sig, SIG_DFL);
 
-  /* Print faulting address and interrupted PC for crash diagnosis */
+#ifdef HAVE_LIBUNWIND
+  /* Print faulting address and interrupted PC for crash diagnosis.
+     Only in debug/test builds (HAVE_LIBUNWIND implies DEBUG_TOOLS). */
   if (info) {
     char buf[256];
     int len = snprintf (buf, sizeof (buf),
       "\n*** Signal %d, faulting address %p ***\n", sig, info->si_addr);
     if (len > 0) kwrite (2, buf, len);
   }
-#if defined(__x86_64__) || defined(__aarch64__)
+#if defined(__x86_64__)
   if (cont) {
     ucontext_t *uc = (ucontext_t *)cont;
     char buf[256];
-    int len;
-#if defined(__x86_64__)
-    len = snprintf (buf, sizeof (buf), "RIP=0x%llx RSP=0x%llx RBP=0x%llx\n",
+    int len = snprintf (buf, sizeof (buf), "RIP=0x%llx RSP=0x%llx RBP=0x%llx\n",
       (unsigned long long)uc->uc_mcontext.gregs[REG_RIP],
       (unsigned long long)uc->uc_mcontext.gregs[REG_RSP],
       (unsigned long long)uc->uc_mcontext.gregs[REG_RBP]);
+    if (len > 0) kwrite (2, buf, len);
+  }
 #elif defined(__aarch64__)
-    len = snprintf (buf, sizeof (buf), "PC=0x%lx SP=0x%lx LR=0x%lx\n",
+  if (cont) {
+    ucontext_t *uc = (ucontext_t *)cont;
+    char buf[256];
+    int len = snprintf (buf, sizeof (buf), "PC=0x%lx SP=0x%lx LR=0x%lx\n",
       (unsigned long)uc->uc_mcontext.pc,
       (unsigned long)uc->uc_mcontext.sp,
       (unsigned long)uc->uc_mcontext.regs[30]);
-#endif
     if (len > 0) kwrite (2, buf, len);
   }
 #endif
+#endif /* HAVE_LIBUNWIND */
 
   print_backtrace ();
 
diff --git a/mtproto/mtproto-proxy.c b/mtproto/mtproto-proxy.c
@@ -2287,7 +2287,7 @@ void mtfront_pre_loop (void) {
       if (window_clamp) {
         listening_connection_job_t LC = Events[http_sfd[i]].data;
         assert (LC);
-        CONN_INFO(LC)->window_clamp = window_clamp;
+        LISTEN_CONN_INFO(LC)->window_clamp = window_clamp;
         if (setsockopt (http_sfd[i], IPPROTO_TCP, TCP_WINDOW_CLAMP, &window_clamp, 4) < 0) {
           vkprintf (0, "error while setting window size for socket #%d to %d: %m\n", http_sfd[i], window_clamp);
         }

Original file line number	Diff line number	Diff line change
`@@ -2287,7 +2287,7 @@ void mtfront_pre_loop (void) {`
`2287`	`2287`	`if (window_clamp) {`
`2288`	`2288`	`listening_connection_job_t LC = Events[http_sfd[i]].data;`
`2289`	`2289`	`assert (LC);`
`2290`		`- CONN_INFO(LC)->window_clamp = window_clamp;`
	`2290`	`+ LISTEN_CONN_INFO(LC)->window_clamp = window_clamp;`
`2291`	`2291`	`if (setsockopt (http_sfd[i], IPPROTO_TCP, TCP_WINDOW_CLAMP, &window_clamp, 4) < 0) {`
`2292`	`2292`	`vkprintf (0, "error while setting window size for socket #%d to %d: %m\n", http_sfd[i], window_clamp);`
`2293`	`2293`	`}`