[lwip-devel] [bug #26405] Prematurely released semaphore causes lwip_select() to crash

[Konstantin]

URL:
  <http://savannah.nongnu.org/bugs/?26405>

                 Summary: Prematurely released semaphore causes lwip_select()
to crash
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: konstua
            Submitted on: Чтв 30 Апр 2009 07:19:38
                Category: sockets
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.3.0

    _______________________________________________________

Details:

While trying to get lwIP to work on a FreeRTOS port for Blackfin BF53x, I
have observed elusive memory corruption. After a lot of debugging I have
traced the cause to the following code:

(sockets.c :: event_callback())

if (scb) {
      scb->sem_signalled = 1;
      sys_sem_signal(selectsem);
      sys_sem_signal(scb->sem);
    } else {
      sys_sem_signal(selectsem);
      break;
    }


It seems that, at least on my system, a situation occured where lwip_select()
was waiting for selectsem in another thread, and as soon as it was released,
lwip_select() could be exited, leaving scb (pointing at a local variable
inside lwip_select()) an invalid reference.

Suggestion: swapping the two subsequent calls to sys_sem_signal() seems to
resolve the problem:


if (scb) {
      scb->sem_signalled = 1;
      sys_sem_signal(scb->sem); /* -- before selectsem */
      sys_sem_signal(selectsem); /* -- may invalidate scb */
    } else {
      sys_sem_signal(selectsem);
      break;
    }






    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?26405>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/