GitHub user sanhex opened a pull request:
https://github.com/apache/incubator-guacamole-server/pull/118
GUACAMOLE-384: fixing segfault during ssh disconnect
Root Cause:
In guacd, when an SSH connection is terminated,
guac_ssh_client_free_handler() will be called from guacd_exec_proc() ->
guac_client_free() with pointer client->free_handler. In
guac_ssh_client_free_handler(), when ssh_client->term is freed,
ssh_client->client_thread may still be writing to ssh_client->term. It causes
the crash reported in this bug.
The stack trace exposing the problem can be found by running guacd under
Valgrind with the ssh stress test. The Valgrind report has been posted on Jira.
Solution:
In guac_ssh_client_free_handler(), before calling
guac_terminal_free(ssh_client->term), close the stdin pipe of the terminal to
stop reading the pipe with guac_terminal_read_stdin() in ssh_input_thread(), so
that ssh_input_thread() can be terminated in this case. Call pthread_join() to
wait for ssh_client_thread() to terminate before freeing the terminal.
After closing the pipe, set the fds to -1 and check them in
guac_terminal_free() to avoid closing them twice.
Check the client running state in ssh_input_thread() and
ssh_client_thread() to make sure they can be terminated when the client is
stopped in guacd_exec_proc() by another thread.
Test:
- Confirmed ssh connection works normally.
- Observed the child process of guacd exits when ssh connection is
terminated.
- Reran the ssh stress test. No crash.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/sanhex/incubator-guacamole-server patch-1
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-guacamole-server/pull/118.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #118
----
commit c4f96214f164e63fd52d725ef3d69f017d1455a7
Author: sanhex <[email protected]>
Date: 2017-10-18T19:08:32Z
GUACAMOLE-384: fixing segfault during ssh disconnect
----
---
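
The teardown order this pull request describes (close the pipe so the blocked reader wakes, join the thread, then free, with fds set to -1 so nothing is closed twice), as an added C example that is not part of the pull request or of guacd. `demo_term` and its functions are hypothetical stand-ins, and closing the write end to deliver EOF to the reader is this example's own choice of wake-up.

```c
#include <pthread.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical stand-in for the terminal and its stdin pipe (not guacd code). */
typedef struct {
    int stdin_pipe[2];      /* [0] read end, [1] write end; -1 once closed */
    pthread_t input_thread; /* plays the role of ssh_input_thread() */
    long bytes_seen;        /* terminal state the reader thread writes to */
    int close_calls;        /* real close() calls, to show none is repeated */
} demo_term;

static void close_once(demo_term *t, int end) {
    if (t->stdin_pipe[end] == -1) return; /* already closed: do nothing */
    close(t->stdin_pipe[end]);
    t->stdin_pipe[end] = -1;
    t->close_calls++;
}
static void *input_thread(void *arg) {
    demo_term *t = arg;
    char buf[64];
    ssize_t n;
    /* Blocks until data arrives; read() returns 0 once the write end is closed. */
    while ((n = read(t->stdin_pipe[0], buf, sizeof buf)) > 0)
        t->bytes_seen += n;
    return NULL;
}
static demo_term *demo_term_alloc(void) {
    demo_term *t = calloc(1, sizeof *t);
    if (t == NULL || pipe(t->stdin_pipe) != 0) { free(t); return NULL; }
    if (pthread_create(&t->input_thread, NULL, input_thread, t) == 0) return t;
    close(t->stdin_pipe[0]); close(t->stdin_pipe[1]); free(t);
    return NULL;
}
/* Teardown in the order described above; returns bytes the reader consumed. */
static long demo_term_free(demo_term *t, int *close_calls) {
    close_once(t, 1);                    /* EOF wakes the blocked reader */
    pthread_join(t->input_thread, NULL); /* reader can no longer touch t */
    close_once(t, 0);
    close_once(t, 1);                    /* fd is -1: guarded, not closed twice */
    long seen = t->bytes_seen;
    *close_calls = t->close_calls;
    free(t);                             /* safe: no other thread holds t */
    return seen;
}
int main(void) {
    int calls = 0;
    demo_term *t = demo_term_alloc();
    if (t == NULL || write(t->stdin_pipe[1], "ls\n", 3) != 3) return 1;
    return (demo_term_free(t, &calls) == 3 && calls == 2) ? 0 : 1;
}
```

Moving `free(t)` above `pthread_join()` reproduces the class of bug the pull request reports, which a run under Valgrind or ThreadSanitizer makes visible.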