0003111: Use-after-free in connection_poll

ID	Project	Category	View Status	Date Submitted	Last Update

0003111	GNUnet	cadet service	public	2013-11-16 16:17	2013-12-24 20:54

Reporter	LRN	Assigned To	Bart Polot
Priority	urgent	Severity	crash	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	Git master
Target Version	0.10.0	Fixed in Version	0.10.0

Summary	0003111: Use-after-free in connection_poll
Description	subj
Steps To Reproduce	Run test_mesh_small_speed_nobuf
Additional Information	Reading symbols from d:\progs\gnunet\lib\gnunet\libexec\gnunet-service-mesh.exe...done. Continuing. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 16240.0x22ac] 0x0040f597 in GMC_send_prebuilt_message (message=0x28fb60, c=0xdf0adba, fwd=0, cont=0x409b5a <poll_sent>, cont_cls=0x11116f8) at gnunet-service-mesh_connection.c:2475 2475 pmsg->cid = c->id; (gdb) bt #0 0x0040f597 in GMC_send_prebuilt_message (message=0x28fb60, c=0xdf0adba, fwd=0, cont=0x409b5a <poll_sent>, cont_cls=0x11116f8) at gnunet-service-mesh_connection.c:2475 #1 0x00409f98 in connection_poll (cls=0x11116f8, tc=0x28fbf0) at gnunet-service-mesh_connection.c:985 #2 0x62b7f835 in run_ready (rs=0x110da30, ws=0x110ea48) at scheduler.c:593 #3 0x62b800b1 in GNUNET_SCHEDULER_run (task=0x62b8bd78 <service_task>, task_cls=0x28fd98) at scheduler.c:808 #4 0x62b8cc47 in GNUNET_SERVICE_run (argc=3, argv=0x10f8f38, service_name=0x426561 <__FUNCTION__.105172+1342> "mesh", options=GNUNET_SERVICE_OPTION_NONE, task=0x420207 <run>, task_cls=0x0) at service.c:1478 #5 0x004205b1 in main (argc=3, argv=0x10f8f38) at gnunet-service-mesh.c:161 (gdb) up #1 0x00409f98 in connection_poll (cls=0x11116f8, tc=0x28fbf0) at gnunet-service-mesh_connection.c:985 985 fc->poll_msg = GMC_send_prebuilt_message (&msg.header, c, fc == &c->fwd_fc, (gdb) l 980 981 msg.header.type = htons (GNUNET_MESSAGE_TYPE_MESH_POLL); 982 msg.header.size = htons (sizeof (msg)); 983 msg.pid = htonl (fc->last_pid_sent); 984 LOG (GNUNET_ERROR_TYPE_DEBUG, " *** last pid sent: %u!\n", fc->last_pid_sent); 985 fc->poll_msg = GMC_send_prebuilt_message (&msg.header, c, fc == &c->fwd_fc, 986 &poll_sent, fc); 987 } 988 989 (gdb) l connection_poll 959 * @param cls Closure (poll ctx). 960 * @param tc TaskContext. 961 / 962 static void 963 connection_poll (void cls, const struct GNUNET_SCHEDULER_TaskContext tc) 964 { 965 struct MeshFlowControl fc = cls; 966 struct GNUNET_MESH_Poll msg; 967 struct MeshConnection c; 968 (gdb) 969 fc->poll_task = GNUNET_SCHEDULER_NO_TASK; 970 if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN)) 971 { 972 return; 973 } 974 975 c = fc->c; 976 LOG (GNUNET_ERROR_TYPE_DEBUG, " Polling!\n"); 977 LOG (GNUNET_ERROR_TYPE_DEBUG, " * connection [%s]\n", GMC_2s (c)); 978 LOG (GNUNET_ERROR_TYPE_DEBUG, " *** %s\n", (gdb) p fc $1 = {c = 0xdf0adba, queue_n = 233876922, queue_max = 233876922, next_pid = 233876922, last_pid_sent = 233876922, last_pid_recv = 233876922, last_ack_sent = 233876922, last_ack_recv = 233876922, poll_task = 0, poll_time = {rel_value_us = 1004493731513019834}, poll_msg = 0xdf0adba, ack_msg = 0xdf0adba} (gdb) p/x fc $2 = {c = 0xdf0adba, queue_n = 0xdf0adba, queue_max = 0xdf0adba, next_pid = 0xdf0adba, last_pid_sent = 0xdf0adba, last_pid_recv = 0xdf0adba, last_ack_sent = 0xdf0adba, last_ack_recv = 0xdf0adba, poll_task = 0x0, poll_time = {rel_value_us = 0xdf0adba0df0adba}, poll_msg = 0xdf0adba, ack_msg = 0xdf0adba}
Tags	No tags attached.

Bart Polot 2013-11-18 15:35 reporter ~0007648	Fixed in r30769.

LRN 2013-11-18 19:09 reporter ~0007650	With r30781 this problem still exists (this time in test_mesh_small_speed_nobuf_backwards; could be random though).

LRN 2013-11-19 03:36 reporter ~0007657	Also exists in r30792 (happened during test_mesh_small_speed_backwards).

Bart Polot 2013-11-19 16:13 reporter ~0007659	Should finally be fixed in r30803.

LRN 2013-11-22 11:07 reporter ~0007675 Last edited: 2013-11-22 11:09	Still happens in r30844 It mostly affects later tests (test_mesh_small_speed_reliable, in particular).

Bart Polot 2013-11-25 23:32 reporter ~0007684	SHould be finally fixed in r30863.

Date Modified	Username	Field	Change
2013-11-16 16:17	LRN	New Issue
2013-11-16 16:17	LRN	Status	new => assigned
2013-11-16 16:17	LRN	Assigned To	=> Bart Polot
2013-11-16 16:26	Christian Grothoff	Priority	normal => urgent
2013-11-16 16:26	Christian Grothoff	Product Version	=> Git master
2013-11-16 16:26	Christian Grothoff	Target Version	=> 0.10.0
2013-11-18 15:35	Bart Polot	Note Added: 0007648
2013-11-18 15:35	Bart Polot	Status	assigned => resolved
2013-11-18 15:35	Bart Polot	Fixed in Version	=> Git master
2013-11-18 15:35	Bart Polot	Resolution	open => fixed
2013-11-18 19:09	LRN	Note Added: 0007650
2013-11-18 19:09	LRN	Status	resolved => feedback
2013-11-18 19:09	LRN	Resolution	fixed => reopened
2013-11-19 03:36	LRN	Note Added: 0007657
2013-11-19 03:36	LRN	Status	feedback => assigned
2013-11-19 16:13	Bart Polot	Note Added: 0007659
2013-11-19 16:13	Bart Polot	Status	assigned => resolved
2013-11-19 16:13	Bart Polot	Resolution	reopened => fixed
2013-11-22 11:07	LRN	Note Added: 0007675
2013-11-22 11:07	LRN	Status	resolved => feedback
2013-11-22 11:07	LRN	Resolution	fixed => reopened
2013-11-22 11:09	LRN	Note Edited: 0007675
2013-11-25 23:32	Bart Polot	Note Added: 0007684
2013-11-25 23:32	Bart Polot	Status	feedback => resolved
2013-11-25 23:32	Bart Polot	Resolution	reopened => fixed
2013-12-08 23:56	Christian Grothoff	Fixed in Version	Git master => 0.10.0
2013-12-24 20:54	Christian Grothoff	Status	resolved => closed
2014-05-09 18:34	Christian Grothoff	Category	mesh service => cadet service

View Issue Details

Activities

Issue History