Description
The patch for reproducing the problem and the valgrind output follows.
From dcd239c1c5cfc8d66cd13b0168ff4377ca825147 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Facundo=20Dom=C3=ADnguez?= <facundominguez@gmail.com>
Date: Thu, 22 Dec 2011 10:42:12 -0200
Subject: Exposes memory bug in CCI with the test programs.
compile src/test/server.c
compile src/test/client.c
Create a configuration file like the following:
$ cat config.ini
[eth1]
driver = sock
ip = 192.168.0.1
mac = 00:e0:7d:ad:95:5e
default = 1
Then run:
$ CCI_CONFIG=config.ini valgrind ./server
opened ip://192.168.0.1:38315
...
$ ./client -h ip://192.168.0.1:38315
Valgrind reports several invalid reads, and the server eventually crashes
once a client has connected to the same server enough times.
---
src/tests/client.c | 2 ++
src/tests/server.c | 8 +++++++-
2 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/src/tests/client.c b/src/tests/client.c
index 2ad3415..0a1471a 100644
--- a/src/tests/client.c
+++ b/src/tests/client.c
@@ -50,6 +50,8 @@ poll_events(cci_endpoint_t * endpoint, cci_connection_t ** connection,
case CCI_EVENT_CONNECT_ACCEPTED:
*done = 1;
*connection = event->accepted.connection;
+ fprintf(stderr, "accepted %d\n",
+ (int)((uintptr_t) event->accepted.context));
break;
case CCI_EVENT_CONNECT_TIMEDOUT:
case CCI_EVENT_CONNECT_REJECTED:
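Review bot: The added `fprintf` narrows `event->accepted.context` through `(uintptr_t)` to `int`, which drops the upper bits on LP64 targets and relies on `<stdint.h>` being included in client.c, which this hunk does not show. If the context is a pointer-sized cookie, `fprintf(stderr, "accepted %p\n", (void *) event->accepted.context);` prints it without truncation. The enclosing `poll_events` switch starts and ends outside the hunk.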
diff --git a/src/tests/server.c b/src/tests/server.c
index 3070e35..e5f8087 100644
--- a/src/tests/server.c
+++ b/src/tests/server.c
@@ -47,7 +47,13 @@ int main(int argc, char *argv[])
}
printf("opened %s\n", endpoint->name);
- while (!done) {
+ while (1) {
+ if (done && connection) {
+ fprintf(stderr, "disconnecting\n");
+ cci_disconnect(connection);
+ connection = NULL;
+ }
+
int accept = 1;
cci_event_t *event;
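Review bot: `done` stays set after the new `if (done && connection)` block runs, so if code later in the loop (outside this hunk) assigns `connection` again on the next accept, the following iteration would presumably disconnect it at once. If the reproducer does not intend that, add `done = 0;` next to `connection = NULL;`. The return value of `cci_disconnect(connection)` is also ignored; logging it, e.g. `int rc = cci_disconnect(connection); if (rc) fprintf(stderr, "cci_disconnect: %d\n", rc);`, would separate a failed disconnect from the reads of freed memory that valgrind reports afterwards in `sock_progress_pending`. With `while (1)` no exit condition is visible in this hunk, so any code after the loop looks unreachable unless the body breaks out elsewhere; `main` continues outside the hunk.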
--
1.7.2.5
sh-4.1$ CCI_CONFIG=../../../cci.ini valgrind ./server
==10872== Memcheck, a memory error detector
==10872== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==10872== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==10872== Command: ./server
==10872==
opened ip://192.168.0.1:38315
recv'd "data: 0Hello World!"
recv'd "data: 1Hello World!"
recv'd "data: 2Hello World!"
recv'd "data: 3Hello World!"
recv'd "data: 4Hello World!"
recv'd "data: 5Hello World!"
recv'd "data: 6Hello World!"
recv'd "data: 7Hello World!"
recv'd "data: 8Hello World!"
recv'd "data: 9Hello World!"
completed send
completed send
completed send
completed send
completed send
completed send
completed send
completed send
completed send
completed send
disconnecting
==10872== Invalid read of size 8
==10872== at 0x59A597C: sock_progress_pending (core_sock_api.c:1628)
==10872== by 0x59A65F6: sock_progress_sends (core_sock_api.c:1953)
==10872== by 0x59ABF92: sock_progress_dev (core_sock_api.c:3606)
==10872== by 0x59A4E94: sock_get_event (core_sock_api.c:1459)
==10872== by 0x4E2D004: cci_get_event (get_event.c:23)
==10872== by 0x400D23: main (server.c:60)
==10872== Address 0x735cd80 is 48 bytes inside a block of size 56 free'd
==10872== at 0x4C240FD: free (vg_replace_malloc.c:366)
==10872== by 0x59A4974: sock_disconnect (core_sock_api.c:1352)
==10872== by 0x4E2CDBB: cci_disconnect (disconnect.c:27)
==10872== by 0x400D01: main (server.c:53)
==10872==
==10872== Invalid read of size 8
==10872== at 0x59A5990: sock_progress_pending (core_sock_api.c:1631)
==10872== by 0x59A65F6: sock_progress_sends (core_sock_api.c:1953)
==10872== by 0x59ABF92: sock_progress_dev (core_sock_api.c:3606)
==10872== by 0x59A4E94: sock_get_event (core_sock_api.c:1459)
==10872== by 0x4E2D004: cci_get_event (get_event.c:23)
==10872== by 0x400D23: main (server.c:60)
==10872== Address 0x735cd58 is 8 bytes inside a block of size 56 free'd
==10872== at 0x4C240FD: free (vg_replace_malloc.c:366)
==10872== by 0x59A4974: sock_disconnect (core_sock_api.c:1352)
==10872== by 0x4E2CDBB: cci_disconnect (disconnect.c:27)
==10872== by 0x400D01: main (server.c:53)
==10872==
==10872== Invalid read of size 8
==10872== at 0x59A58D1: sock_progress_pending (core_sock_api.c:1730)
==10872== by 0x59A65F6: sock_progress_sends (core_sock_api.c:1953)
==10872== by 0x59ABF92: sock_progress_dev (core_sock_api.c:3606)
==10872== by 0x59A4E94: sock_get_event (core_sock_api.c:1459)
==10872== by 0x4E2D004: cci_get_event (get_event.c:23)
==10872== by 0x400D23: main (server.c:60)
==10872== Address 0x735cddc is 12 bytes inside a block of size 168 free'd
==10872== at 0x4C240FD: free (vg_replace_malloc.c:366)
==10872== by 0x59A4968: sock_disconnect (core_sock_api.c:1351)
==10872== by 0x4E2CDBB: cci_disconnect (disconnect.c:27)
==10872== by 0x400D01: main (server.c:53)
==10872==
==10872== Invalid read of size 8
==10872== at 0x59A58D5: sock_progress_pending (core_sock_api.c:1730)
==10872== by 0x59A65F6: sock_progress_sends (core_sock_api.c:1953)
==10872== by 0x59ABF92: sock_progress_dev (core_sock_api.c:3606)
==10872== by 0x59A4E94: sock_get_event (core_sock_api.c:1459)
==10872== by 0x4E2D004: cci_get_event (get_event.c:23)
==10872== by 0x400D23: main (server.c:60)
==10872== Address 0x735cde4 is 20 bytes inside a block of size 168 free'd
==10872== at 0x4C240FD: free (vg_replace_malloc.c:366)
==10872== by 0x59A4968: sock_disconnect (core_sock_api.c:1351)
==10872== by 0x4E2CDBB: cci_disconnect (disconnect.c:27)
==10872== by 0x400D01: main (server.c:53)
==10872==
==10872==
==10872== HEAP SUMMARY:
==10872== in use at exit: 9,830,028 bytes in 2,354 blocks
==10872== total heap usage: 2,383 allocs, 29 frees, 9,867,715 bytes allocated
==10872==
==10872== LEAK SUMMARY:
==10872== definitely lost: 0 bytes in 0 blocks
==10872== indirectly lost: 0 bytes in 0 blocks
==10872== possibly lost: 67,888 bytes in 16 blocks
==10872== still reachable: 9,762,140 bytes in 2,338 blocks
==10872== suppressed: 0 bytes in 0 blocks
==10872== Rerun with --leak-check=full to see details of leaked memory
==10872==
==10872== For counts of detected and suppressed errors, rerun with: -v
==10872== ERROR SUMMARY: 1127092 errors from 4 contexts (suppressed: 4 from 4)