[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netco
|
From: |
Howell ZHU |
|
Subject: |
[lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netconn_delete() and netconn_recv |
|
Date: |
Wed, 15 Aug 2007 16:32:53 +0000 |
|
User-agent: |
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
URL:
<http://savannah.nongnu.org/bugs/?20791>
Summary: conn->recvmbox might be deleted twice in
netconn_delete() and netconn_recv
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: howellzhu
Submitted on: Wednesday 08/15/07 at 16:32
Category: TCP
Severity: 3 - Normal
Item Group: Faulty Behaviour
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
_______________________________________________________
Details:
Assuming A task invoked netconn_delete(), while B task was pending on
netconn_recv().
Firstly A task will attempt to delete the conn->recvmbox:
<quote>
/* Drain the recvmbox. */
if (conn->recvmbox != SYS_MBOX_NULL) {
while (sys_arch_mbox_fetch(conn->recvmbox, &mem, 1) != SYS_ARCH_TIMEOUT)
{
if (conn->type == NETCONN_TCP) {
if(mem != NULL)
pbuf_free((struct pbuf *)mem);
} else {
netbuf_delete((struct netbuf *)mem);
}
}
sys_mbox_free(conn->recvmbox); <<<-------HERE!!!
conn->recvmbox = SYS_MBOX_NULL;
}
</quote>
Then B task might be resumed and fetch NULL from the recvmbox. And it will
delete the recvmbox too (in function netconn_recv())!!!
<quote>
/* If we are closed, we indicate that we no longer wish to receive
data by setting conn->recvmbox to SYS_MBOX_NULL. */
if (p == NULL) {
memp_free(MEMP_NETBUF, buf);
sys_mbox_free(conn->recvmbox); <<<--------DELETE AGAIN!!!
conn->recvmbox = SYS_MBOX_NULL;
return NULL;
}
</quote>
Thus the mbox might be delete twice and cause a critical error.
Howe about my suggestion?
DO NOT delete the recvmbox in fucntion netconn_recv(). Because
netconn_delete() will delete and drain it.
Waiting for your opinions!
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?20791>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
- [lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netconn_delete() and netconn_recv,
Howell ZHU <=
- [lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netconn_delete() and netconn_recv, Jonathan Larmour, 2007/08/15
- [lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netconn_delete() and netconn_recv, Frédéric Bernon, 2007/08/15
- [lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netconn_delete() and netconn_recv, Howell ZHU, 2007/08/15
- RE: [lwip-devel] [bug #20791] conn->recvmbox might be deleted twice innetconn_delete() and netconn_recv, Goldschmidt Simon, 2007/08/16
- [lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netconn_delete() and netconn_recv, Frédéric Bernon, 2007/08/16
- [lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netconn_delete() and netconn_recv, Frédéric Bernon, 2007/08/21
- [lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netconn_delete() and netconn_recv, Simon Goldschmidt, 2007/08/22
- [lwip-devel] [bug #20791] conn->recvmbox might be deleted twice in netconn_delete() and netconn_recv, Frédéric Bernon, 2007/08/22