Assertion failure panic when being fed fuzzed input · Issue #581 · hyperium/h2
I used rocket (0.5.0-rc.1) as a handy test case for this, but I found the bug when fuzzing hyper, and it seems to be in this repo.
To reproduce, feed the uploaded file into a rocket instance (base64 -d ... | nc localhost 8000)
DVBSSSAqIEhUVFAvMi4wDQoNClNNDQoNCgAAKgEAAAAAAKa8jry8vLy8vLy8vLy8vLy8vLy8vLy8
vLysvLy8pqampqampqaupqampqampqamJqampqamplpZWVl5WVlXpqampqaAgICAgICAgICAgICA
gICA
#[macro_use] extern crate rocket; #[get("/")] fn index() -> &'static str { "Hello, world!" } #[launch] fn rocket() -> _ { rocket::build().mount("/", routes![index]) }
I just used the hello world, it likely really doesn't matter.
thread 'rocket-worker-thread' panicked at 'assertion failed: !id.is_zero()', /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/peer.rs:54:9
stack backtrace:
0: rust_begin_unwind
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:498:5
1: core::panicking::panic_fmt
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panicking.rs:107:14
2: core::panicking::panic
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panicking.rs:48:5
3: h2::proto::peer::Dyn::is_local_init
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/peer.rs:54:9
4: h2::proto::streams::streams::Inner::send_reset
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/streams/streams.rs:880:20
5: h2::proto::streams::streams::DynStreams<B>::send_reset
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/streams/streams.rs:349:9
6: h2::proto::connection::DynConnection<B>::handle_poll2_result
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/connection.rs:427:17
7: h2::proto::connection::Connection<T,P,B>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/proto/connection.rs:267:21
8: h2::server::Connection<T,B>::poll_closed
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/server.rs:487:9
9: h2::server::Connection<T,B>::poll_accept
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/h2-0.3.7/src/server.rs:412:33
10: hyper::proto::h2::server::Serving<T,B>::poll_server
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/proto/h2/server.rs:264:30
11: <hyper::proto::h2::server::Server<T,S,B,E> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/proto/h2/server.rs:198:28
12: <hyper::server::conn::ProtoServer<T,B,S,E> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1100:43
13: <hyper::server::conn::upgrades::UpgradeableConnection<I,S,E> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1302:30
14: <hyper::common::drain::Watching<F,FN> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/common/drain.rs:95:36
15: <hyper::server::conn::spawn_all::NewSvcTask<I,N,S,E,W> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/hyper-0.14.15/src/server/conn.rs:1239:36
16: tokio::runtime::task::core::CoreStage<T>::poll::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:161:17
17: tokio::loom::std::unsafe_cell::UnsafeCell<T>::with_mut
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/loom/std/unsafe_cell.rs:14:9
18: tokio::runtime::task::core::CoreStage<T>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:151:13
19: tokio::runtime::task::harness::poll_future::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:461:19
20: <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panic/unwind_safe.rs:271:9
21: std::panicking::try::do_call
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:406:40
22: __rust_try
23: std::panicking::try
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:370:19
24: std::panic::catch_unwind
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panic.rs:133:14
25: tokio::runtime::task::harness::poll_future
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:449:18
26: tokio::runtime::task::harness::Harness<T,S>::poll_inner
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:98:27
27: tokio::runtime::task::harness::Harness<T,S>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:53:15
28: tokio::runtime::task::raw::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:113:5
29: tokio::runtime::task::raw::RawTask::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:70:18
30: tokio::runtime::task::LocalNotified<S>::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/mod.rs:343:9
31: tokio::runtime::thread_pool::worker::Context::run_task::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:420:13
32: tokio::coop::with_budget::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:106:9
33: std::thread::local::LocalKey<T>::try_with
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/thread/local.rs:413:16
34: std::thread::local::LocalKey<T>::with
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/thread/local.rs:389:9
35: tokio::coop::with_budget
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:99:5
36: tokio::coop::budget
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/coop.rs:76:5
37: tokio::runtime::thread_pool::worker::Context::run_task
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:419:9
38: tokio::runtime::thread_pool::worker::Context::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:386:24
39: tokio::runtime::thread_pool::worker::run::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:371:17
40: tokio::macros::scoped_tls::ScopedKey<T>::set
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/macros/scoped_tls.rs:61:9
41: tokio::runtime::thread_pool::worker::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:368:5
42: tokio::runtime::thread_pool::worker::Launch::launch::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/thread_pool/worker.rs:347:45
43: <tokio::runtime::blocking::task::BlockingTask<T> as core::future::future::Future>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/task.rs:42:21
44: tokio::runtime::task::core::CoreStage<T>::poll::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:161:17
45: tokio::loom::std::unsafe_cell::UnsafeCell<T>::with_mut
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/loom/std/unsafe_cell.rs:14:9
46: tokio::runtime::task::core::CoreStage<T>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/core.rs:151:13
47: tokio::runtime::task::harness::poll_future::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:461:19
48: <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/core/src/panic/unwind_safe.rs:271:9
49: std::panicking::try::do_call
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:406:40
50: __rust_try
51: std::panicking::try
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panicking.rs:370:19
52: std::panic::catch_unwind
at /rustc/532d2b14c05f9bc20b2d27cbb5f4550d28343a36/library/std/src/panic.rs:133:14
53: tokio::runtime::task::harness::poll_future
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:449:18
54: tokio::runtime::task::harness::Harness<T,S>::poll_inner
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:98:27
55: tokio::runtime::task::harness::Harness<T,S>::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/harness.rs:53:15
56: tokio::runtime::task::raw::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:113:5
57: tokio::runtime::task::raw::RawTask::poll
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/raw.rs:70:18
58: tokio::runtime::task::UnownedTask<S>::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/task/mod.rs:379:9
59: tokio::runtime::blocking::pool::Inner::run
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/pool.rs:264:17
60: tokio::runtime::blocking::pool::Spawner::spawn_thread::{{closure}}
at /home/jess/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.14.0/src/runtime/blocking/pool.rs:244:17
is a full stack trace