描述(Description)

使用curl 向 srs发送http chunked类型请求导致 srs coredump

1. SRS版本(Version): 4.0.85
2. SRS coredump:

Missing separate debuginfos, use: debuginfo-install glibc-2.17-324.el7_9.x86_64 libgcc-4.8.5-44.el7.x86_64 libstdc++-4.8.5-44.el7.x86_64
(gdb) bt

# 0  0x00000000004d42bb in SrsHttpResponseReader::read_chunked (this=0x165ace0, data=0x1862d90, nb_data=4096, nb_read=0x0) at src/protocol/srs_service_http_conn.cpp:1077

# 1  0x00000000004d3e50 in SrsHttpResponseReader::read (this=0x165ace0, data=0x1862d90, nb_data=4096, nb_read=0x0) at src/protocol/srs_service_http_conn.cpp:989

# 2  0x000000000058b720 in SrsHttpApi::on_message_done (this=0x1615880, r=0x16cc380, w=0x1863dc0) at src/app/srs_app_http_api.cpp:1765

# 3  0x000000000058d8f5 in SrsHttpConn::process_requests (this=0x16966c0, preq=0x1863ee0) at src/app/srs_app_http_conn.cpp:228

# 4  0x000000000058d45a in SrsHttpConn::do_cycle (this=0x16966c0) at src/app/srs_app_http_conn.cpp:177

# 5  0x000000000058ce62 in SrsHttpConn::cycle (this=0x16966c0) at src/app/srs_app_http_conn.cpp:122

# 6  0x0000000000529223 in SrsFastCoroutine::cycle (this=0x165a9f0) at src/app/srs_app_st.cpp:270

# 7  0x00000000005292a6 in SrsFastCoroutine::pfn (arg=0x165a9f0) at src/app/srs_app_st.cpp:285

# 8  0x000000000065438a in _st_thread_main () at sched.c:363

# 9  0x0000000000654c07 in st_thread_create (start=0x6591a1 <_st_epoll_pollset_add+746>, arg=0x165a9f0, joinable=1, stk_size=65536) at sched.c:694

Backtrace stopped: previous frame inner to this frame (corrupt stack?)

1. SRS的配置如下(Config):

xxxxxxxxxxxx

重现(Replay)

curl -XPOST -H 'Transfer-Encoding: chunked' http://10.30.4.229:1985/cli -d "1\r\nd\r\n2\r\ndd\r\n0\r\n\r\n" -v
注：这个chunked请求不正确，但仍可以触发coredump

期望行为(Expect)

使用任何chunk请求均不coredump

问题可能的原因：
因为chunked最后一个chunked必然以0长度结尾，因此，nb_chunk 必然最终为0，而nb_read是int *型的传出参数，且为null，未判断nb_read是否为空导致coredump