Charles E. Rolke created DISPATCH-1639:
------------------------------------------
Summary: If inbound delivery is rejected then proton may re-use
pn_delivery_t object
Key: DISPATCH-1639
URL: https://issues.apache.org/jira/browse/DISPATCH-1639
Project: Qpid Dispatch
Issue Type: Bug
Components: Router Node
Affects Versions: 1.12.0
Reporter: Charles E. Rolke

Dispatch had a crash from a double free of a qdr_delivery_t object.

Internally the proton subsystem delivers the rejected delivery and the
succeeding delivery in the context of the same pn_delivery. This causes an
indexing error in dispatch that leads to a use-after-free crash while
attempting to clean up and delete the qdr_delivery lost by the duplicate index.
See PROTON-2198.

When a proton delivery is rejected then proton releases the pn_delivery_t
object to the free pool. Dispatch must also delete the related qdr_delivery_t
and remove the delivery association from the qd_link_ref_list_t and
qd_link_ref_t objects.

The dispatch crash was fixed by not calling pn_link_recv any more. The
connection closes and proton cleans up the inbound bytes without ever creating
another delivery.

Dispatch and proton need to agree on when proton disposes of deliveries so
dispatch can track the qdr_delivery_t objects correctly.
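
The following is an added example, not code from Qpid Dispatch or Proton: a simplified C model of the stale-association hazard the report describes, where a library object returned to a free pool is handed out again while the application still indexes its own, already deleted, tracking object through it. All type and function names are hypothetical stand-ins, and "freeing" is modeled with a flag so the demonstration has no real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-ins; not the real proton or dispatch types. */
typedef struct { bool live; } app_delivery;                      /* plays qdr_delivery_t */
typedef struct { bool in_use; app_delivery *ctx; } lib_delivery; /* plays pn_delivery_t */

static lib_delivery pool_slot;    /* one-slot free pool, so re-use is guaranteed */
static app_delivery app_objs[4];  /* static storage: "free" is only a flag */
static size_t app_next;

static lib_delivery *lib_new_delivery(void) {
    if (pool_slot.in_use) return NULL;
    pool_slot.in_use = true;      /* recycled object keeps whatever ctx it had */
    return &pool_slot;
}
static void lib_release(lib_delivery *d) { d->in_use = false; }

/* Application side: attach a fresh tracking object unless one is already indexed. */
static app_delivery *app_track(lib_delivery *d) {
    if (d->ctx == NULL) {
        if (app_next == 4) return NULL;   /* out of demo storage */
        app_delivery *a = &app_objs[app_next++];
        a->live = true;
        d->ctx = a;
    }
    return d->ctx;
}

/* Rejection path. drop_assoc=false models the bug: object deleted, index left behind. */
static void app_reject(lib_delivery *d, bool drop_assoc) {
    d->ctx->live = false;             /* application deletes its tracking object */
    if (drop_assoc) d->ctx = NULL;    /* also remove the association */
    lib_release(d);                   /* library returns its object to the pool */
}

/* True if the delivery after a rejection resolves to a dead tracking object. */
bool next_delivery_is_stale(bool drop_assoc) {
    pool_slot = (lib_delivery){0};
    app_next = 0;
    lib_delivery *first = lib_new_delivery();
    app_track(first);
    app_reject(first, drop_assoc);
    lib_delivery *second = lib_new_delivery();  /* same address as first */
    app_delivery *a = app_track(second);
    return second == first && !a->live;
}

int main(void) { return (next_delivery_is_stale(false) && !next_delivery_is_stale(true)) ? 0 : 1; }
```

In real code the dead tracking object would be heap memory, so the later cleanup of the second delivery is where the use-after-free or double free would surface.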