[nuttx] branch master updated: net/local: remove client from server.lc_waiters when client close

jerpelea Mon, 17 Jul 2023 00:02:29 -0700

This is an automated email from the ASF dual-hosted git repository.

jerpelea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git



The following commit(s) were added to refs/heads/master by this push:
     new 3db1654b80 net/local: remove client from server.lc_waiters when client 
close
3db1654b80 is described below

commit 3db1654b80615cffb3b47849d7d7b8b8d4ae82fc
Author: zhanghongyu <zhanghon...@xiaomi.com>
AuthorDate: Fri Jul 14 10:42:33 2023 +0800

    net/local: remove client from server.lc_waiters when client close
    
    if client is a noblocking socket, user can do close when server has not yet
    invoke accept interface, so we need remove this socket from 
server.lc_waiters.
    avoid server socket access the freed memory.
    
    ==936564==ERROR: AddressSanitizer: heap-use-after-free on address 
0xf23071c8 at pc 0x58eaac3b bp 0xf0b9e218 sp 0xf0b9e208
    READ of size 4 at 0xf23071c8 thread T0
        #0 0x58eaac3a in dq_remfirst queue/dq_remfirst.c:45
        #1 0x58fd1efe in local_accept local/local_accept.c:141
        #2 0x58f66df6 in psock_accept socket/accept.c:149
        #3 0x58f672a4 in accept4 socket/accept.c:280
        #4 0x5be9ee0c in accept net/lib_accept.c:50
        #5 0x592d6a5d in uv__accept libuv/src/unix/core.c:502
        #6 0x5930d83b in uv__server_io libuv/src/unix/stream.c:550
        #7 0x592efbde in uv__io_poll libuv/src/unix/posix-poll.c:335
        #8 0x592d649a in uv_run libuv/src/unix/core.c:387
        #9 0x5a7180f7 in service_schedule_loop service/common/service_loop.c:146
        #10 0x591f300b in pthread_startup pthread/pthread_create.c:59
        #11 0x5be8134f in pthread_start pthread/pthread_create.c:139
        #12 0x58ee2762 in pre_start sim/sim_initialstate.c:53
    
    Signed-off-by: zhanghongyu <zhanghon...@xiaomi.com>
---
 net/local/local_release.c | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/net/local/local_release.c b/net/local/local_release.c
index d269945d61..575b90a528 100644
--- a/net/local/local_release.c
+++ b/net/local/local_release.c
@@ -66,9 +66,37 @@ int local_release(FAR struct local_conn_s *conn)
 
   DEBUGASSERT(conn->lc_state != LOCAL_STATE_ACCEPT);
 
+  if (conn->lc_state == LOCAL_STATE_CONNECTING)
+    {
+      FAR struct local_conn_s *server = NULL;
+      FAR struct local_conn_s *client;
+      FAR dq_entry_t *waiter = NULL;
+
+      while ((server = local_nextconn(server)) && waiter == NULL)
+        {
+          if (server->lc_state == LOCAL_STATE_LISTENING)
+            {
+              for (waiter = dq_peek(&server->u.server.lc_waiters);
+                   waiter;
+                   waiter = dq_next(&client->u.client.lc_waiter))
+                {
+                  if (&conn->u.client.lc_waiter == waiter)
+                    {
+                      dq_rem(waiter, &server->u.server.lc_waiters);
+                      server->u.server.lc_pending--;
+                      break;
+                    }
+
+                  client = container_of(waiter, struct local_conn_s,
+                                        u.client.lc_waiter);
+                }
+            }
+        }
+    }
+
   /* Is the socket is listening socket (SOCK_STREAM server) */
 
-  if (conn->lc_state == LOCAL_STATE_LISTENING)
+  else if (conn->lc_state == LOCAL_STATE_LISTENING)
     {
       FAR struct local_conn_s *client;
       FAR dq_entry_t *waiter;

[nuttx] branch master updated: net/local: remove client from server.lc_waiters when client close

Reply via email to