Wireless Daemon for Linux
From: James Prestwood <prestwoj@gmail.com>
To: iwd@lists.01.org
Subject: [PATCH 01/10] frame-xchg: fix bug when starting new xchg from callback
Date: Tue, 02 Jun 2020 10:30:12 -0700	[thread overview]
Message-ID: <20200602173021.20085-2-prestwoj@gmail.com> (raw)
In-Reply-To: <20200602173021.20085-1-prestwoj@gmail.com>


This bug is caused by the following behavior:

 1. Start a frame-xchg, wait for callback
 2. From callback start a new frame-xchg, same prefix.

The new frame-xchg request will detect that there is a duplicate watch,
which is correct behavior. It will then remove this duplicate from the
watchlist. The issue here is that we are in the watchlist notify loop
from the original xchg. This causes that loop to read from the now
freed watchlist item, causing an invalid read.

Instead of freeing the item immediately, check if the notify loop is in
progress and only set 'id' to zero and 'stale_items' to true. This will
allow the notify loop to finish, then the watchlist code will prune out
any stale items. If not in the notify loop the item can be freed as it
was before.
---
 src/frame-xchg.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/frame-xchg.c b/src/frame-xchg.c
index 4c950fd3..71751ca4 100644
--- a/src/frame-xchg.c
+++ b/src/frame-xchg.c
@@ -532,7 +532,17 @@ static bool frame_watch_check_duplicate(void *data, void *user_data)
 	}
 
 drop:
-	/* Drop the existing watch as a duplicate of the new one */
+	/*
+	 * Drop the existing watch as a duplicate of the new one. If we are in
+	 * the watchlist notify loop, just mark this item as stale and it will
+	 * be cleaned up afterwards
+	 */
+	if (watch->group->watches.in_notify) {
+		super->id = 0;
+		watch->group->watches.stale_items = true;
+		return false;
+	}
+
 	frame_watch_free(&watch->super);
 	return true;
 }
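Review bot: the new early-exit path in `frame_watch_check_duplicate` returns `false` while the free path still returns `true`, and the added comment does not say what that return value means to the caller or why the two paths must differ; please extend the comment (or the commit message) with that, and with which function actually prunes entries once `stale_items` is set, since the comment only promises the item "will be cleaned up afterwards". Two further questions worth answering in the comment: does the running notify loop skip items whose `id` is now 0 for the rest of the current pass (otherwise the stale duplicate can still be called for the frame being dispatched), and are `super` and `&watch->super` the same object here? If they are, using one spelling for both `super->id = 0;` and `frame_watch_free(&watch->super);` would make that obvious to the reader.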
-- 
2.21.1


Thread overview: 12+ messages
2020-06-02 17:30 [PATCH 00/10] ANQP Refactor to use frame-xchg James Prestwood
2020-06-02 17:30 ` James Prestwood [this message]
2020-06-02 17:30 ` [PATCH 02/10] frame-xchg: Fix frame_watch_remove_by_handler for group 0 James Prestwood
2020-06-02 17:30 ` [PATCH 03/10] frame-xchg: Use frame_watch_group_match in frame_watch_group_get James Prestwood
2020-06-02 17:30 ` [PATCH 04/10] anqp: refactor to use frame-xchg James Prestwood
2020-06-02 17:30 ` [PATCH 05/10] station: add ANQP state watch API James Prestwood
2020-06-02 17:30 ` [PATCH 06/10] network: delay connect if ANQP has not completed James Prestwood
2020-06-02 17:30 ` [PATCH 07/10] hwsim: add new 'Delay' property to Rules James Prestwood
2020-06-08 20:15   ` Denis Kenzior
2020-06-02 17:30 ` [PATCH 08/10] doc: document new 'Delay' property for hwsim Rules James Prestwood
2020-06-02 17:30 ` [PATCH 09/10] auto-t: add 'Delay' property to hwsim python module James Prestwood
2020-06-02 17:30 ` [PATCH 10/10] auto-t: add test for delayed ANQP response James Prestwood
