logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda
Build faster with M5Stack »
Build faster with M5Stack » Stick • Unit • Cardputer
ADVERTISEMENT
Dostępna jest polska wersja

Czy wolisz polską wersję strony elektroda?

Nie, dziękuję Przekieruj mnie tam

OBK Heap Drops Under Repeated Large HTTP Requests - leak/realloc question

divadiow 459 9
ADVERTISEMENT
Report a violation of the law
Reply | New topic
  • Helpful post
    #1 21837181
    divadiow
    Level 38  
    I have a question. I've been trying to make OBK fallover by spamming it with repeated oversized http requests.

    Using this:

    Code: Powershell
    Log in, to see the code


    Code: Powershell
    Log in, to see the code


    and with 1.18.253 I get this kind of dropping heap until device reboots, not always, but mostly, especially if clicking about in the gui. This device has MQTT, HA, BL0937 configured.
    Code: Text
    Log in, to see the code


    with these changes https://github.com/openshwprojects/OpenBK7231...mpare/main...divadiow:OpenBK7231T_App:tcpleak

    I can run the stress-test script over and over with seemingly little effect. (starting HA discovery drops heap to 30k from which it doesn't seem to recover - maybe that's a different issue or to be expected?)

    Code: Text
    Log in, to see the code


    is this a realloc bug?
  • ADVERTISEMENT
  • #2 21837597
    p.kaczmarek2
    Moderator Smart Home
    Ahh yes, fair point, you have figured it out well.
    Screenshot of realloc documentation with “Parameters” and “Return value” sections
    In the low heap scenario, realloc fails to reallocate the memory, so it returns NULL, but original pointer is not invalidated. So, by overwriting request.received with returned NULL, we orphan the original (still correct) buffer.
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • ADVERTISEMENT
  • #4 21837675
    p.kaczmarek2
    Moderator Smart Home
    Yes, great finding, keep it on! It's possible that wrong realloc usage pattern repeats somewhere else in the codebase.

    Just extra question - why return has changed to goto exit?
    Screenshot of a C code diff: realloc result stored in newbuf and NULL handled with goto exit
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #5 21837689
    divadiow
    Level 38  
    p.kaczmarek2 wrote:
    why return has changed to goto exit?


    so the path still hits the function's unified cleanup block. The return would skip those and leak the already-allocated buffers and socket resources.

    is the answer i'm being given ;)

    p.kaczmarek2 wrote:
    it's possible that wrong realloc usage pattern repeats somewhere else in the codebase.


    yes, potentials to be investigated:

    src/driver/drv_adcSmoother.c — realloc clobber + NULL memset; possible divide-by-zero if window unset/0
    src/driver/drv_girierMCU.c — queue buffer realloc clobber; no failure handling; bookkeeping corruption
    src/driver/drv_httpButtons.c — list realloc clobber + NULL deref; also prints bt->label before NULL check
    src/driver/drv_pixelAnim.c — work-buffer realloc clobber; “OOM handling” still leaks old buffer
    src/driver/drv_tuyaMCU.c — multiple realloc clobbers (queue data, payload buffers, rawData); immediate memcpy/usage after

    src/httpserver/hass.c — unbounded strcat into small static buffer (overflow risk)
    src/httpserver/hass.c + src/httpserver/hass.h — unique_id sizing mismatch when appending title (overflow risk)

    src/cmnds/cmd_script.c — realloc clobber; state updated before success (OOM inconsistency)
    src/cmnds/cmd_tokenizer.c — fixed 20-byte ${…} buffer overflow risk for long tokens
  • Helpful post
    #6 21838166
    p.kaczmarek2
    Moderator Smart Home
    Perfect, merged, proceed to futher links and show me solutions one by one. I want to review them, because automated methods still gives false positives.
    Helpful post? Buy me a coffee.
  • #7 21838201
    divadiow
    Level 38  
    thanks for merging!

    p.kaczmarek2 wrote:
    I want to review them, because automated methods still gives false positives.


    for sure. I double, triple, quadruple etc check with LLM (new chats, different contexts, different questions etc) and, if necessary, confirm with other tools too. eg:

    Screenshot of a Cppcheck report listing memleakOnRealloc errors across multiple C source files.

    Added after 5 [minutes]:

    it's fascinating seeing what these tools have to say about the code. opens up another world of things to look into, wondering if these *are* real issues requiring attention, what does and doesn't matter...
    Screenshot of a Cppcheck report listing static analysis errors in C and C++ files

    Added after 10 [minutes]:

    this is that report if curious
    Attachments:
    • cppcheck-report.zip (3.25 MB) You must be logged in to download this attachment.
  • Helpful post
    #8 21838216
    max4elektroda
    Level 24  
    Just a quick feedback about the initial http code:
    In my PR I also limited the maximum buffer size. What do you think about this?

    In most cases that should not be necessary:
    If buffer is to small, we reallocate a 1024 bytes bigger one.
    Since there's no limit, we will fail at some point if input data is huge.
    As long there is no other process claiming memory, we will roughly take half of the memory: every realloc needs "actual buffer"*2 +1024 to succeed, so a successful realloc must leave as free round half of the memory -1k on that point.

    The smaller free memory is , the smaller the memory left when realloc fails.

    Is this sufficient or should we limit the buffer from the beginning?
    Is my description above even correct and complete?
  • #9 21838733
    divadiow
    Level 38  
    max4elektroda wrote:
    What do you think about this?


    I guess this was directed at p.kaczmarek2 because I don't have the knowledge or experience from which to answer :)

    whatever's better/a good thing is my obvious preference. that goes without saying though
  • Helpful post
    #10 21838754
    max4elektroda
    Level 24  
    Yes it was a general question to whoever thinks fit to answer or decide ;-)
Reply | New topic
Report a violation of the law

Topic summary

✨ The discussion centers on investigating heap memory behavior in OBK devices under stress from repeated large HTTP requests. The user attempts to induce a failure by sending multiple oversized HTTP requests with large filler headers, monitoring heap size changes via the device's status API. The script parameters include IP, port, number of iterations, payload size in kilobytes, chunk size per write, and pause duration between requests. The main focus is on understanding whether the heap memory leaks or reallocates inefficiently during this process, potentially causing a fallover. The approach involves using PowerShell to send requests and parse JSON responses to track heap usage. The inquiry seeks insights into memory management, leak detection, and realloc behavior in embedded HTTP servers under high load conditions.
Generated by the language model.
Today's popular
ADVERTISEMENT