
From: DipSwitch
Subject: Re: [lwip-devel] [bug #38288] lwip_shutdown followed by lwip_close can cause double free of tcp_pcb
Date: Sat, 09 Feb 2013 01:27:21 +0100
User-agent: K-9 Mail for Android

Version 1.4.1?

Ed Branch <address@hidden> wrote:
URL:
<http://savannah.nongnu.org/bugs/?38288>

Summary: lwip_shutdown followed by lwip_close can cause
double free of tcp_pcb
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: ebranch
Submitted on: Fri 08 Feb 2013 10:09:22 PM GMT
Category: sockets/netconn
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release:
lwIP version: 1.4.1
Details:

Symptom:
Can manifest as a silent crash or one of several assertion failures, most
commonly:

FATAL: ASSERTION FAILED:
tcp_input: pcb->next != pcb (before cache)
in file ../../externals/lwip/src/core/tcp_in.c, at line 182

Can also be detected through heap instrumentation detecting a double free from
tcp_close_shutdown().

To reproduce:
On a slow processor with a fast network connection, shutdown both sides of a
socket and then close it.
ex.
// open socket, bind, listen, accept, receive, then
shutdown(fd, SHUT_RD);
// send response, then
shutdown(fd, SHUT_WR);
close(fd);

Further information:
The error only occurs with a fast network connection. On a slow network
connection I see the following sequence in the tcp layer, and all is well:
tcp_shutdown with pcb->state == CLOSE_WAIT, shut_rx == 1, shut_tx == 0
tcp_shutdown with pcb->state == CLOSE_WAIT, shut_rx == 0, shut_tx == 2
tcp_close with pcb->state == LAST_ACK
memp_free(..., pcb) from tcp_input with pcb->state == CLOSED

With a fast connection (XGbE), I see:
tcp_shutdown with pcb->state == CLOSE_WAIT, shut_rx == 1, shut_tx == 1
tcp_shutdown with pcb->state == CLOSE_WAIT, shut_rx == 0, shut_tx == 2
memp_free(..., pcb) from tcp_input with pcb->state == CLOSED
tcp_close with pcb->state == CLOSED
memp_free(..., pcb) from tcp_close_shutdown with pcb->state == CLOSED

The TCP layer seems to initiate deallocation of the tcp_pcb in response to
shutdown of both sides, but the socket layer keeps a reference to the pcb
(through netconn) until the file descriptor is deallocated by lwip_close(), at
which point the possibly already deallocated pcb is closed by
netconn_delete().

Reply to this item at:

<http://savannah.nongnu.org/bugs/?38288>



Message sent via/by Savannah
http://savannah.nongnu.org/
lwip-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/lwip-devel

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
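As an added illustration of the ownership problem described in the last paragraph of the report (this is not lwIP code and not the project's fix; the names loosely mirror lwIP's tcp_pcb, netconn, tcp_shutdown, tcp_close and memp_free, but the bodies, the toy pool and the notify_owner switch are hypothetical stand-ins, and the netconn flag translation is collapsed), the C model below replays both orderings from the trace. With ack_before_close set, the peer's ACK of our FIN is handled by the tcp_input stand-in before the application reaches close(), the TCP layer frees the pcb, and the netconn's stale pointer leads to a second free of the same pcb; when the TCP layer also clears the owner's pointer as it releases the pcb, the same ordering is harmless.

```c
/* Simplified model of the lifetime problem in bug #38288 (added example,
 * not lwIP source). Every function body here is a hypothetical stand-in. */
#include <stdio.h>
#include <string.h>

enum tcp_state { CLOSE_WAIT, LAST_ACK, CLOSED };

struct netconn;

struct tcp_pcb {
    enum tcp_state state;
    struct netconn *conn;   /* back-reference so the TCP layer can tell the owner it is gone */
    int in_use;             /* bookkeeping for the toy pool below */
};

struct netconn {
    struct tcp_pcb *pcb;    /* socket layer's reference; lives until lwip_close() */
};

/* Toy fixed pool standing in for memp: it counts a second free instead of
 * corrupting a free list, so the scenario can be checked deterministically. */
#define POOL_SIZE 4
static struct tcp_pcb pool[POOL_SIZE];
static int double_frees;

static struct tcp_pcb *memp_alloc_pcb(void)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

static void memp_free_pcb(struct tcp_pcb *pcb)
{
    if (!pcb->in_use) { double_frees++; return; }   /* same pcb freed twice */
    pcb->in_use = 0;
}

/* TCP layer releases the pcb once the connection is fully closed. With
 * notify_owner set it also clears the netconn's pointer; without it the
 * socket layer is left holding a dangling reference (the reported situation). */
static void tcp_pcb_release(struct tcp_pcb *pcb, int notify_owner)
{
    pcb->state = CLOSED;
    if (notify_owner && pcb->conn) pcb->conn->pcb = NULL;
    memp_free_pcb(pcb);
}

/* Stand-in for tcp_close_shutdown: a CLOSE_WAIT pcb sends FIN and enters
 * LAST_ACK; a pcb that is already CLOSED is freed on the spot, which is the
 * second memp_free in the report's fast-network trace. */
static void tcp_close_shutdown_model(struct tcp_pcb *pcb, int notify_owner)
{
    if (pcb->state == CLOSED) { tcp_pcb_release(pcb, notify_owner); return; }
    if (pcb->state == CLOSE_WAIT) pcb->state = LAST_ACK;
}

/* Stand-in for tcp_shutdown: shutting the tx side starts the close. */
static void tcp_shutdown_model(struct tcp_pcb *pcb, int shut_rx, int shut_tx, int notify_owner)
{
    (void)shut_rx;   /* the rx side only stops delivering data in this model */
    if (shut_tx) tcp_close_shutdown_model(pcb, notify_owner);
}

/* Stand-in for the tcp_input path that handles the peer's ACK of our FIN:
 * LAST_ACK -> CLOSED and the pcb is freed (first memp_free in the trace). */
static void tcp_input_ack_of_fin(struct tcp_pcb *pcb, int notify_owner)
{
    if (pcb->state == LAST_ACK) tcp_pcb_release(pcb, notify_owner);
}

/* Stand-in for lwip_close -> netconn_delete -> tcp_close. */
static void lwip_close_model(struct netconn *conn, int notify_owner)
{
    struct tcp_pcb *pcb = conn->pcb;
    conn->pcb = NULL;
    if (pcb == NULL) return;   /* TCP layer already released it and told us */
    pcb->conn = NULL;          /* detach before the final close */
    tcp_close_shutdown_model(pcb, notify_owner);
}

/* Replays the report's sequence. ack_before_close = 1 is the fast-network
 * ordering (peer's ACK processed before close()), 0 the slow-network one.
 * Returns how many times the same pcb was freed twice. */
int run_scenario(int ack_before_close, int notify_owner)
{
    double_frees = 0;
    memset(pool, 0, sizeof pool);
    struct tcp_pcb *pcb = memp_alloc_pcb();
    struct netconn conn = { pcb };
    pcb->conn = &conn;
    pcb->state = CLOSE_WAIT;                         /* peer's FIN already received */

    tcp_shutdown_model(pcb, 1, 0, notify_owner);     /* shutdown(fd, SHUT_RD) */
    tcp_shutdown_model(pcb, 0, 1, notify_owner);     /* shutdown(fd, SHUT_WR): FIN sent, LAST_ACK */
    if (ack_before_close) tcp_input_ack_of_fin(pcb, notify_owner);
    lwip_close_model(&conn, notify_owner);           /* close(fd) */
    if (!ack_before_close) tcp_input_ack_of_fin(pcb, notify_owner);
    return double_frees;
}

int main(void)
{
    printf("fast network, owner not notified: %d double free(s)\n", run_scenario(1, 0));
    printf("fast network, owner notified:     %d double free(s)\n", run_scenario(1, 1));
    printf("slow network, owner not notified: %d double free(s)\n", run_scenario(0, 0));
    return 0;
}
```

The toy pool merely counts the second free; in a real fixed-size pool the released pcb can be handed out to a new connection while the socket layer's old reference is still live, which is how a double free can turn into the kind of pcb-list corruption the reported tcp_input assertion catches. The model shows only the ownership shape: in the real stack the shutdown and close requests travel through the netconn API message layer and the pcb callbacks, so which side owns the final release, and how that is signalled to the other, is a design decision for the maintainers rather than something this example settles.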