diff options
author | Sverker Eriksson <[email protected]> | 2011-10-06 11:11:00 +0200 |
---|---|---|
committer | Sverker Eriksson <[email protected]> | 2011-10-06 12:00:10 +0200 |
commit | b3e5dc8edf45dca5ffcabe5a89380b3a4947a955 (patch) | |
tree | 2a1e086e1f43d941b1d3486c87859799b8183be2 /erts/emulator/beam/erl_alloc.c | |
parent | 4e3771807535516c970b210272c89a71c34511e6 (diff) | |
download | otp-b3e5dc8edf45dca5ffcabe5a89380b3a4947a955.tar.gz otp-b3e5dc8edf45dca5ffcabe5a89380b3a4947a955.tar.bz2 otp-b3e5dc8edf45dca5ffcabe5a89380b3a4947a955.zip |
erts: Fix write-after-free bug in inet driver
Bug caught by valgrind but never confirmed as cause of a real problem.
Triggered by emulator_test/distribution_SUITE:bad_dist_structure
when bad data is received to a distribution port. Port is closed by
erts_net_message() and the freed port data is then later used when returning
to inet_drv. Everything happens in the same call to tcp_inet_input().
==32592== Invalid read of size 8
==32592== at 0x5B6D8C: tcp_deliver (inet_drv.c:8536)
==32592== by 0x5B720E: tcp_recv (inet_drv.c:8652)
==32592== by 0x5B7753: tcp_inet_input (inet_drv.c:8990)
==32592== by 0x5B7FA5: tcp_inet_drv_input (inet_drv.c:9257)
==32592== by 0x4B900C: erts_port_task_execute (erl_port_task.c:856)
==32592== by 0x4AC873: schedule (erl_process.c:5511)
==32592== by 0x5527CA: process_main (beam_emu.c:1225)
==32592== by 0x4A9958: sched_thread_func (erl_process.c:3789)
==32592== by 0x5E2971: thr_wrapper (ethread.c:106)
==32592== by 0x4FEA142: start_thread (in /lib64/libpthread-2.4.so)
==32592== by 0x52C374C: clone (in /lib64/libc-2.4.so)
==32592== Address 0x9b13ea8 is 440 bytes inside a block of size 488 free'd
==32592== at 0x4A1FE94: free (vg_replace_malloc.c:366)
==32592== by 0x58AE69: erts_sys_free (sys.c:2588)
==32592== by 0x48E54F: erts_free (erl_alloc.h:218)
==32592== by 0x497390: driver_free (io.c:3527)
==32592== by 0x5B2E77: inet_stop (inet_drv.c:7152)
==32592== by 0x5B502F: tcp_inet_stop (inet_drv.c:7855)
==32592== by 0x492E60: terminate_port (io.c:1849)
==32592== by 0x493971: erts_do_exit_port (io.c:2059)
==32592== by 0x4CEE01: erts_net_message (dist.c:1508)
==32592== by 0x496AC1: driver_output2 (io.c:3294)
==32592== by 0x5AAA69: inet_port_data (inet_drv.c:1894)
==32592== by 0x5AD57E: tcp_reply_data (inet_drv.c:3181)
==32592== by 0x5B6D84: tcp_deliver (inet_drv.c:8533)
==32592== by 0x5B720E: tcp_recv (inet_drv.c:8652)
==32592== by 0x5B7753: tcp_inet_input (inet_drv.c:8990)
Fixed by checking the negative return code earlier in tcp_deliver().
Diffstat (limited to 'erts/emulator/beam/erl_alloc.c')
0 files changed, 0 insertions, 0 deletions