Commit 72e36078 authored by Pekka Pessi's avatar Pekka Pessi

su_root.c: fixed race condition in su_task_execute().

Patch #1552626 by Andrzej Ciarkowski:

While running the test_nua example, it crashes in
su_task_execute() (called from test_nat_flush()). The
function has a race condition: the call to
pthread_cond_wait(frame->cond, frame->mutex); may
happen when the memory pointed to by frame has already been
deallocated by the message dispatcher. This is clearly
visible in VC++ Debug builds, as the debug version of the
Windows allocator overwrites freed memory with
rubbish, so that mutex and cond both point into
garbage. The frame probably should not be allocated as
part of the message.

darcs-hash:20060905214600-65a35-4e95c3c1900e364e670fd4504ef54c847c425f4e.gz
parent 2bc9560d
......@@ -336,7 +336,7 @@ static void _su_task_execute(su_root_magic_t *m,
su_msg_r msg,
su_msg_arg_t *a)
{
struct su_task_execute *frame = (void *)a;
struct su_task_execute *frame = *(struct su_task_execute **)a;
pthread_mutex_lock(frame->mutex);
*frame->return_value = frame->function(frame->arg);
pthread_cond_signal(frame->cond);
......@@ -359,27 +359,33 @@ int su_task_execute(su_task_r const task,
if (!su_port_own_thread(task->sut_port)) {
#if SU_HAVE_PTHREADS
su_msg_r m = SU_MSG_R_INIT;
struct su_task_execute *frame;
struct su_task_execute frame;
if (su_msg_create(m, task, su_task_null,
_su_task_execute, (sizeof *frame)) < 0)
_su_task_execute, (sizeof &frame)) < 0)
return -1;
frame = (void *)su_msg_data(m);
pthread_mutex_init(frame->mutex, NULL);
pthread_cond_init(frame->cond, NULL);
frame->function = function;
frame->arg = arg;
frame->return_value = &value;
*(struct su_task_execute **)su_msg_data(m) = &frame;
pthread_mutex_init(frame.mutex, NULL);
pthread_cond_init(frame.cond, NULL);
frame.function = function;
frame.arg = arg;
frame.return_value = &value;
pthread_mutex_lock(frame->mutex);
pthread_mutex_lock(frame.mutex);
if (su_msg_send(m) < 0) {
su_msg_destroy(m);
pthread_mutex_unlock(frame.mutex);
pthread_mutex_destroy(frame.mutex);
pthread_cond_destroy(frame.cond);
return -1;
}
pthread_cond_wait(frame->cond, frame->mutex);
pthread_cond_wait(frame.cond, frame.mutex);
pthread_mutex_destroy(frame.mutex);
pthread_cond_destroy(frame.cond);
#else
return -1;
#endif
......
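Review bot: After `pthread_cond_wait(frame.cond, frame.mutex);` returns, the caller still holds `frame.mutex` (cond_wait reacquires it), so the following `pthread_mutex_destroy(frame.mutex);` destroys a locked mutex, which POSIX leaves undefined; a `pthread_mutex_unlock(frame.mutex);` belongs between the wait and the destroy. The wait is also unconditional: POSIX allows `pthread_cond_wait()` to return spuriously, and if that happens here the function returns and the stack-allocated frame goes out of scope while the dispatcher thread may still be about to lock and signal it, which is the same lifetime bug this commit fixes through a narrower window. The usual fix is a completion flag in `struct su_task_execute` (a new member, say `done`), cleared before `su_msg_send()`, set by `_su_task_execute()` under `frame->mutex` just before `pthread_cond_signal(frame->cond);`, and waited on in a loop. The struct definition and the rest of `_su_task_execute()` are outside these hunks, and `su_task_execute()` itself starts before and continues past the second hunk, so the flag's declaration and the executor-side assignment cannot be shown here.
```c
  frame.done = 0;                    /* new flag; set by _su_task_execute() under frame.mutex */
  pthread_mutex_lock(frame.mutex);
  /* … unchanged: su_msg_send() and its error path … */
  while (!frame.done)                /* pthread_cond_wait() may wake spuriously */
    pthread_cond_wait(frame.cond, frame.mutex);
  pthread_mutex_unlock(frame.mutex); /* never destroy a locked mutex */
  pthread_mutex_destroy(frame.mutex);
  pthread_cond_destroy(frame.cond);
```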