From 1bb3ecb2a5369bc1992514da3cf5ef59dca46416 Mon Sep 17 00:00:00 2001 
From: Pavel TvrdĂ­k Date: Mon, 8 Feb 2016 16:08:50 +0100 Subject: Fix closing flushed channel Fix reading from freed memory. Free at: channel_set_state(c, CS_DOWN) Read at: WALK_LIST2_DELSAFE(c, n, x, tab->channels, table_node) ==00:00:00:00.261 24718== ==00:00:09:31.755 24718== Invalid read of size 8 ==00:00:09:31.755 24718== at 0x4061BA: rt_prune_table (rt-table.c:1688) ==00:00:09:31.755 24718== by 0x405D5E: rt_event (rt-table.c:1559) ==00:00:09:31.755 24718== by 0x45D089: ev_run (event.c:85) ==00:00:09:31.755 24718== by 0x45D158: ev_run_list (event.c:142) ==00:00:09:31.755 24718== by 0x462814: io_loop (io.c:2412) ==00:00:09:31.755 24718== by 0x468712: main (main.c:833) ==00:00:09:31.755 24718== Address 0x5601538 is 136 bytes inside a block of size 304 free'd ==00:00:09:31.755 24718== at 0x4C29D2A: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==00:00:09:31.755 24718== by 0x46FF3E: rfree (resource.c:166) ==00:00:09:31.755 24718== by 0x470309: mb_free (resource.c:415) ==00:00:09:31.755 24718== by 0x406A6B: rt_unlock_table (rt-table.c:1921) ==00:00:09:31.755 24718== by 0x40DAE3: channel_do_down (proto.c:297) ==00:00:09:31.755 24718== by 0x40DD46: channel_set_state (proto.c:359) ==00:00:09:31.755 24718== by 0x4061AD: rt_prune_table (rt-table.c:1692) ==00:00:09:31.755 24718== by 0x405D5E: rt_event (rt-table.c:1559) ==00:00:09:31.755 24718== by 0x45D089: ev_run (event.c:85) ==00:00:09:31.755 24718== by 0x45D158: ev_run_list (event.c:142) ==00:00:09:31.755 24718== by 0x462814: io_loop (io.c:2412) ==00:00:09:31.755 24718== by 0x468712: main (main.c:833) ==00:00:09:31.755 24718== Block was alloc'd at ==00:00:09:31.755 24718== at 0x4C28C10: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==00:00:09:31.755 24718== by 0x470FBC: bird_xmalloc (xmalloc.c:29) ==00:00:09:31.755 24718== by 0x4701E6: mb_alloc (resource.c:339) ==00:00:09:31.755 24718== by 0x406C29: rt_commit (rt-table.c:1977) ==00:00:09:31.755 24718== by 0x45C36D: config_do_commit 
(conf.c:269) ==00:00:09:31.755 24718== by 0x45C545: config_commit (conf.c:361) ==00:00:09:31.755 24718== by 0x4686F9: main (main.c:822) ==00:00:09:31.755 24718==
---
 nest/rt-table.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'nest/rt-table.c')
diff --git a/nest/rt-table.c b/nest/rt-table.c
index 88f60bdf..2c9c6e3a 100644
--- a/nest/rt-table.c
+++ b/nest/rt-table.c
@@ -1689,7 +1689,10 @@ again:
 if (c->flush_active)
 {
 c->flush_active = 0;
- channel_set_state(c, CS_DOWN);
+ struct rtable_config *rtab_cf = c->table->config;
+ channel_set_state(c, CS_DOWN); /* Can free (struct rtable *) c->table */
+ if (rtab_cf->table == NULL)
+ break;
 }
 return;
--
cgit v1.2.3
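Review bot: The added test `if (rtab_cf->table == NULL)` dereferences `rtab_cf` after `channel_set_state()` may already have freed the table, so it is only sound if the `struct rtable_config` is guaranteed to outlive the table and if the freeing path (rt_unlock_table() in the trace) resets `config->table` to NULL; neither is visible in this hunk. If the config can be released together with a deleted table, this read would be a second use-after-free on the same path, so that lifetime is worth confirming in rt_unlock_table(). The inline comment explains the free but not the sentinel; I would extend it to something like `/* Can free c->table; the freeing path is expected to reset rtab_cf->table to NULL, and rtab_cf must outlive the table */`. The enclosing function (rt_prune_table, per the trace) starts and ends outside the hunk, so the loop that `break` leaves is not shown.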