View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003168 | GNUnet | cadet service | public | 2013-12-08 21:58 | 2013-12-24 20:54 |
| Reporter | Christian Grothoff | Assigned To | Christian Grothoff | ||
| Priority | urgent | Severity | crash | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Product Version | Git master | ||||
| Target Version | 0.10.0 | Fixed in Version | 0.10.0 | ||
| Summary | 0003168: use-after-free in mesh | ||||
| Description | ==32293== Invalid write of size 8 ==32293== at 0x11DCD3: channel_recreate (gnunet-service-mesh_channel.c:669) ==32293== by 0x508DEC0: run_ready (scheduler.c:595) ==32293== by 0x508E812: GNUNET_SCHEDULER_run (scheduler.c:817) ==32293== by 0x509D60F: GNUNET_SERVICE_run (service.c:1478) ==32293== by 0x12F9A9: main (gnunet-service-mesh.c:161) ==32293== Address 0x7aef2d8 is 72 bytes inside a block of size 96 free'd ==32293== at 0x4C2A74C: free (vg_replace_malloc.c:468) ==32293== by 0x5052508: GNUNET_xfree_ (common_allocation.c:239) ==32293== by 0x11F299: channel_rel_free_all (gnunet-service-mesh_channel.c:927) ==32293== by 0x120AFD: GMCH_destroy (gnunet-service-mesh_channel.c:1295) ==32293== by 0x1223F9: GMCH_handle_local_destroy (gnunet-service-mesh_channel.c:1716) ==32293== by 0x125D53: handle_channel_destroy (gnunet-service-mesh_local.c:440) ==32293== by 0x50924A3: GNUNET_SERVER_inject (server.c:985) ==32293== by 0x50931B7: client_message_tokenizer_callback (server.c:1205) ==32293== by 0x5095CCA: GNUNET_SERVER_mst_receive (server_mst.c:261) ==32293== by 0x5092D70: process_incoming (server.c:1136) ==32293== by 0x505D64B: receive_ready (connection.c:1062) ==32293== by 0x508DEC0: run_ready (scheduler.c:595) ==32293== | ||||
| Steps To Reproduce | grothoff@spec:~/svn/gnunet/src/dv$ ../testbed/gnunet-testbed-profiler -c test_transport_dv_data.conf -p 10 -e 100 | ||||
| Tags | No tags attached. | ||||
|
|
Fixed in SVN 31187: cancel retry task AFTER GMT_cancel in channel_rel_free_all, as GMT_cancel may indirectly trigger a callback in gnunet-service-mesh-peer.c:952 which may then CREATE a new task which would then dangle. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2013-12-08 21:58 | Christian Grothoff | New Issue | |
| 2013-12-08 21:58 | Christian Grothoff | Status | new => assigned |
| 2013-12-08 21:58 | Christian Grothoff | Assigned To | => Bart Polot |
| 2013-12-08 22:25 | Christian Grothoff | Relationship added | child of 0001795 |
| 2013-12-08 23:32 | Christian Grothoff | Note Added: 0007790 | |
| 2013-12-08 23:32 | Christian Grothoff | Status | assigned => resolved |
| 2013-12-08 23:32 | Christian Grothoff | Fixed in Version | => 0.10.0 |
| 2013-12-08 23:32 | Christian Grothoff | Resolution | open => fixed |
| 2013-12-08 23:32 | Christian Grothoff | Assigned To | Bart Polot => Christian Grothoff |
| 2013-12-24 20:54 | Christian Grothoff | Status | resolved => closed |
| 2014-05-09 18:34 | Christian Grothoff | Category | mesh service => cadet service |
