On Tue, 2010-10-05 at 19:14 -0700, Aaron Fabbri wrote:
> Actually, use this patch.. it fixes an additional use-after-free.
>
>
> Index: RdmaServer.cpp
> ===================================================================
> --- RdmaServer.cpp (revision 1004875)
> +++ RdmaServer.cpp (working copy)
> @@ -118,18 +118,18 @@
> ConRec* cr = ci->getContext<ConRec>();
> cr->connection->disconnect();
> cr->data->drainWriteQueue(drained);
> + cout << "Disconnected: " << cr << "\n";
> delete cr;
> - cout << "Disconnected: " << cr << "\n";
> }
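Review bot: the two dereferences at the top of this handler, `cr->connection->disconnect()` and `cr->data->drainWriteQueue(drained)`, run with no null check on `cr`, while connectionError in the same patch wraps the same calls in `if (cr)`. Either add the guard here as well or add a comment stating why `getContext<ConRec>()` cannot return null on this path. On the moved `cout` line: `cr` is declared as `ConRec*`, so the statement streams the pointer, not the object. If the print is kept after the `delete`, a one-line comment saying that only the address is logged would settle the question for the next reader. If it is moved before, the message should be reworded, since it then precedes the delete.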
Actually this is not a use after free error in this code, but it does
look like one, and in other code it could be (as you're not the 1st to
suggest it is, I guess I need to comment it explicitly). It is only the
pointer value that gets printed here, as there is no explicit operator<<
for the type.
>
> void connectionError(Rdma::Connection::intrusive_ptr& ci, Rdma::ErrorType) {
> ConRec* cr = ci->getContext<ConRec>();
> - cr->connection->disconnect();
> if (cr) {
> - cr->data->drainWriteQueue(drained);
> - delete cr;
> + cr->connection->disconnect();
> + cr->data->drainWriteQueue(drained);
> + cout << "Connection error: " << cr << "\n";
> + delete cr;
> }
> - cout << "Connection error: " << cr << "\n";
> }
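Review bot: in connectionError the "Connection error: " output now sits inside `if (cr)`, so an error callback that arrives with a null context produces no output at all, where the old placement after the block always logged. Keep a message on the null path, for example an else branch that reports the error with no context attached. Moving `cr->connection->disconnect()` under the guard is the right change, since the removed line dereferenced `cr` before the check.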
There is an issue here, in that the test "if (cr)" should also protect
the disconnect, but it turns out that cr is never 0 so I've never seen
the issue! However as above the "cout << cr" is actually safe (in either
case).
Incidentally the reason to put the prints after the delete rather than
before is that the actual disconnect will happen in the delete itself,
and I wanted to note that it had happened, rather than it was about to
happen.
Andrew
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
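An added illustration of the ordering discussed in this message (log after the delete, because the destructor performs the disconnect); it is not code from Qpid or from either poster. It keeps that ordering, guards the null case, and saves the address as an integer before the delete so the log line never reads the pointer afterwards. `ConRec` here is a hypothetical stand-in, and `handleDisconnect` and the `disconnected` flag are names assumed for the example.

```cpp
#include <cstdint>
#include <sstream>
#include <string>

// Hypothetical stand-in for the ConRec in the thread; the real class is not
// shown on the page.
struct ConRec {
    bool* disconnected;  // constructed flag that makes the destructor's effect observable
    explicit ConRec(bool* d) : disconnected(d) {}
    // Models "the actual disconnect will happen in the delete itself".
    ~ConRec() { *disconnected = true; }
};

// Handles a possibly-null context: every dereference is guarded, the address
// is recorded as an integer before the delete, and the message is built only
// after the destructor has run, without reading the pointer again.
std::string handleDisconnect(ConRec* cr) {
    std::ostringstream log;
    if (!cr) {
        log << "Disconnected: (no context)";
        return log.str();
    }
    const std::uintptr_t id = reinterpret_cast<std::uintptr_t>(cr);
    delete cr;
    cr = nullptr;  // a later dereference now faults instead of touching freed memory
    log << "Disconnected: 0x" << std::hex << id;
    return log.str();
}

int main() {
    bool flag = false;
    std::string line = handleDisconnect(new ConRec(&flag));
    // Exit status 0 when the destructor ran and the line has the expected prefix.
    return (flag && line.rfind("Disconnected: 0x", 0) == 0) ? 0 : 1;
}
```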