From: Ed Branch
Subject: [lwip-devel] [bug #38288] lwip_shutdown followed by lwip_close can cause double free of tcp_pcb
Date: Fri, 08 Feb 2013 22:09:24 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

URL:
  <http://savannah.nongnu.org/bugs/?38288>

                 Summary: lwip_shutdown followed by lwip_close can cause
double free of tcp_pcb
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: ebranch
            Submitted on: Fri 08 Feb 2013 10:09:22 PM GMT
                Category: sockets/netconn
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: 1.4.1

    _______________________________________________________

Details:

Symptom:
Can manifest as a silent crash or one of several assertion failures, most
commonly:

FATAL: ASSERTION FAILED:
tcp_input: pcb->next != pcb (before cache)
in file ../../externals/lwip/src/core/tcp_in.c, at line 182

Can also be detected through heap instrumentation detecting a double free from
tcp_close_shutdown().

To reproduce:
On a slow processor with a fast network connection, shutdown both sides of a
socket and then close it.
ex.
// open socket, bind, listen, accept, receive, then
shutdown(fd, SHUT_RD);
// send response, then
shutdown(fd, SHUT_WR);
close(fd);

Further information:
The error only occurs with a fast network connection. On a slow network
connection I see the following sequence in the tcp layer, and all is well:
tcp_shutdown with pcb->state == CLOSE_WAIT, shut_rx == 1, shut_tx == 0
tcp_shutdown with pcb->state == CLOSE_WAIT, shut_rx == 0, shut_tx == 2
tcp_close with pcb->state == LAST_ACK
memp_free(..., pcb) from tcp_input with pcb->state == CLOSED

With a fast connection (XGbE), I see:
tcp_shutdown with pcb->state == CLOSE_WAIT, shut_rx == 1, shut_tx == 1
tcp_shutdown with pcb->state == CLOSE_WAIT, shut_rx == 0, shut_tx == 2
memp_free(..., pcb) from tcp_input with pcb->state == CLOSED
tcp_close with pcb->state == CLOSED
memp_free(..., pcb) from tcp_close_shutdown with pcb->state == CLOSED

The TCP layer seems to initiate deallocation of the tcp_pcb in response to
shutdown of both sides, but the socket layer keeps a reference to the pcb
(through netconn) until the file descriptor is deallocated by lwip_close(), at
which point the possibly already deallocated pcb is closed by
netconn_delete().

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?38288>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
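As an added example (not lwIP's code and not from the reporter), the following C model replays the two orderings from the report with a pool allocator that counts frees instead of releasing memory, which is the heap-instrumentation idea the report mentions. All identifiers (sim_pcb, sim_conn, run_fast_network_scenario, sim_netconn_delete, ...) are hypothetical, and the notify_owner flag stands for an assumed fix pattern (the TCP layer clears the netconn's reference before it frees the pcb), not necessarily the fix lwIP adopted.

```c
/* Added example, not lwIP code: a minimal model of the two-owner pcb
 * lifecycle described in the report. Names are hypothetical. The TCP
 * layer may release the pcb from tcp_input when the connection reaches
 * CLOSED; the socket layer keeps its own pointer (via the netconn in lwIP)
 * until close() runs netconn_delete. Unless the TCP layer tells that
 * owner to drop its pointer, close() frees the pcb a second time. */
#include <stdio.h>
#include <string.h>

enum sim_state { SIM_CLOSE_WAIT, SIM_LAST_ACK, SIM_CLOSED };

struct sim_conn;

struct sim_pcb {
    enum sim_state state;
    struct sim_conn *owner;  /* netconn holding a reference, or NULL */
    int free_count;          /* instrumentation: frees of this block */
};

struct sim_conn {
    struct sim_pcb *pcb;     /* kept until the fd is closed */
};

/* Stand-in for memp_free: mark the slot instead of returning memory, so a
 * double free becomes a countable event rather than heap corruption. */
static void sim_memp_free(struct sim_pcb *pcb)
{
    pcb->free_count++;
}

/* shutdown(SHUT_RD) followed by shutdown(SHUT_WR): both directions shut,
 * the stack sends its FIN and moves from CLOSE_WAIT to LAST_ACK. */
static void sim_tcp_shutdown_both(struct sim_pcb *pcb)
{
    if (pcb->state == SIM_CLOSE_WAIT)
        pcb->state = SIM_LAST_ACK;
}

/* The peer's ACK of our FIN is handled in tcp_input: the connection is
 * CLOSED and the pcb goes back to the pool. With notify_owner set, the
 * owner's reference is cleared before the release (assumed fix pattern). */
static void sim_tcp_input_ack(struct sim_pcb *pcb, int notify_owner)
{
    if (pcb->state != SIM_LAST_ACK)
        return;
    pcb->state = SIM_CLOSED;
    if (notify_owner && pcb->owner != NULL) {
        pcb->owner->pcb = NULL;  /* owner no longer points at a dead pcb */
        pcb->owner = NULL;
    }
    sim_memp_free(pcb);
}

/* close(fd) -> netconn_delete -> tcp_close. Drop the socket layer's
 * reference; if the FIN is still unacked (LAST_ACK), leave the pcb for
 * the TCP layer to free when the ACK arrives, as in the slow-network log. */
static void sim_netconn_delete(struct sim_conn *conn)
{
    struct sim_pcb *pcb = conn->pcb;
    if (pcb == NULL)
        return;                  /* already released by the TCP layer */
    conn->pcb = NULL;
    pcb->owner = NULL;
    if (pcb->state == SIM_LAST_ACK)
        return;
    /* Reading pcb->state here is only safe because the pool model never
     * really frees; on a real heap this is the use-after-free. */
    pcb->state = SIM_CLOSED;
    sim_memp_free(pcb);
}

/* Fast-network ordering from the report: shutdown both sides, the ACK of
 * the FIN arrives and tcp_input releases the pcb, then close() runs.
 * Returns how many times the one pcb was freed (1 correct, 2 = the bug). */
int run_fast_network_scenario(int notify_owner)
{
    struct sim_pcb pcb;
    struct sim_conn conn;

    memset(&pcb, 0, sizeof pcb);
    pcb.state = SIM_CLOSE_WAIT;  /* peer's FIN already received */
    pcb.owner = &conn;
    conn.pcb = &pcb;

    sim_tcp_shutdown_both(&pcb);           /* shutdown(SHUT_RD); shutdown(SHUT_WR) */
    sim_tcp_input_ack(&pcb, notify_owner); /* ACK beats close() on XGbE */
    sim_netconn_delete(&conn);             /* close(fd) */
    return pcb.free_count;
}

/* Slow-network ordering for comparison: close() runs while still in
 * LAST_ACK, so netconn_delete only drops the reference and the later ACK
 * frees the pcb exactly once. */
int run_slow_network_scenario(void)
{
    struct sim_pcb pcb;
    struct sim_conn conn;

    memset(&pcb, 0, sizeof pcb);
    pcb.state = SIM_CLOSE_WAIT;
    pcb.owner = &conn;
    conn.pcb = &pcb;

    sim_tcp_shutdown_both(&pcb);
    sim_netconn_delete(&conn);   /* tcp_close with state == LAST_ACK */
    sim_tcp_input_ack(&pcb, 1);  /* memp_free from tcp_input, state CLOSED */
    return pcb.free_count;
}

int main(void)
{
    printf("fast, no owner notification: %d free(s)\n", run_fast_network_scenario(0));
    printf("fast, owner notified:        %d free(s)\n", run_fast_network_scenario(1));
    printf("slow:                        %d free(s)\n", run_slow_network_scenario());
    return 0;
}
```

Build with `cc -Wall -o pcbsim pcbsim.c && ./pcbsim`. The first line reports 2 frees, the same double free the report attributes to tcp_close_shutdown(); the other two report 1. The point of the model is that the second free is not a race in the allocator but a second owner (the netconn) that is never told the pcb is gone.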