lwip-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #46696] accepts_pending not decreased when TCP_EVENT_A

From: Ambroz Bizjak
Subject: [lwip-devel] [bug #46696] accepts_pending not decreased when TCP_EVENT_ACCEPT returns error
Date: Wed, 23 Mar 2016 21:42:19 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36 
Follow-up Comment #15, bug #46696 (project lwip):

Hello Simon,

I looked at your change and I think there is an issue with PCB errors as
indicated by the tcp_err callback. If there is an error after the application
has used tcp_backlog_delayed() (and before tcp_backlog_accepted()):

- It is generally unsafe to call tcp_backlog_accepted() from within the error
callback, because the PCB memory may have been already deallocated (this is
the case in 2 out of 4 possible error sources, just search for TCP_EVENT_ERR
calls).

- The netconn code does not use tcp_backlog_delayed() in its error callback
(err_tcp). This leads to a reference leak if there is an error while PCB is in
the accept queue.

I think there is also a pre-existing reference leak of accept_pending in
tcp_abandon(). This is triggered from tcp_abort(),
tcp_alloc()/tcp_kill_state() and in tcp_listen_input() if tcp_enqueue_flags
fails.

Regarding solving these issues, I suggest to change tcp_backlog_accepted() to
also set pcb->listener to NULL (enabling safe usage if called redundantly),
and call this from relevant places (tcp_pcb_purge, tcp_abandon). Maybe also in
tcp_close_shutdown in some cases but I'm not familiar with the closing logic.

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?46696>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]