<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
<div class="moz-cite-prefix">On 8/16/13 4:17 PM, Jason Penton wrote:<br>
</div>
<blockquote
cite="mid:CALoGXNU28G3P9VVGucszMF5wX6GnB0Rc2sk8yOw604jtxoWNdQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>It seems to me that there is a possible race condition in
the dialog module that can potentially cause a segfault. Let me
explain my thinking.</div>
<div><br>
</div>
<div style="">In the dlg_timer routine we call get_expired_dlgs
(line 4). This function returns a list of dlg_tl's that have
expired. This code is executed in the timer process and I
can't see any reason why if a dialog is terminated (user hangs
up) at the same time as the expiry timer fires that the dialog
can't be nuked between lines 4 and 5 below. This will
ultimately result in segfault in the later lines (5 and
onwards) or in the specific timer_hdl callback function where
the dialog is retrieved using some pointer arithmetic....</div>
<div style=""><br>
</div>
<div style=""><span style="font-family:'courier new',monospace">1.
void dlg_timer_routine(unsigned int ticks , void * attr)</span><br>
</div>
<div>
<div><font face="courier new, monospace">2. {</font></div>
<div><font face="courier new, monospace"><span class=""
style="white-space:pre">3. </span>struct dlg_tl *tl,
*ctl;</font></div>
<div><br>
</div>
<div><font face="courier new, monospace"><span class=""
style="white-space:pre">4. </span>tl =
get_expired_dlgs( ticks );</font></div>
<div><br>
</div>
<div><font face="courier new, monospace"><span class=""
style="white-space:pre">5. </span>while (tl) {</font></div>
<div><font face="courier new, monospace"><span class=""
style="white-space:pre">6. </span>ctl = tl;</font></div>
<div><font face="courier new, monospace"><span class=""
style="white-space:pre">7. </span>tl = tl->next;</font></div>
<div><font face="courier new, monospace"><span class=""
style="white-space:pre">8. </span>ctl->next = NULL;</font></div>
<div><font face="courier new, monospace"><span class=""
style="white-space:pre">9. </span>LM_DBG("tl=%p
next=%p\n", ctl, tl);</font></div>
<div><font face="courier new, monospace"><span class=""
style="white-space:pre">10. </span>timer_hdl( ctl );</font></div>
<div><font face="courier new, monospace"><span class=""
style="white-space:pre">11. </span>}</font></div>
<div><font face="courier new, monospace">12. }</font></div>
<div><br>
</div>
<div style="">I would imagine we should look at incrementing
ref for every dlg that goes into the tl. Then unref when
removed or when fired.... (but at quick glance it looks like
there could be a few locking issues with this solution)</div>
</div>
</div>
</blockquote>
iirc, there was a counter inc for keeping the structure in the timer
list and a dec for removing it, isn't it like that?<br>
<br>
Cheers,<br>
Daniel<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
</pre>
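The reference-counting idea discussed above, as an added example that is not code from the dialog module or from either poster: a minimal C model of the walk in dlg_timer_routine with a hang-up interleaved between lines 4 and 5. Each detached expired entry carries an extra reference that timer_hdl releases, so the dialog outlives the walk; the struct layout, dlg_ref/dlg_unref, the hang-up modelled as the dialog table dropping its reference, and the counters are all assumptions, and the list lock the real code would hold around the detach is left out.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Hypothetical model of an entry on the dialog timer list (not module code). */
struct dlg_tl {
    struct dlg_tl *next; unsigned int timeout;
    atomic_int ref;   /* holders: the dialog table, plus the timer once expired */
    int released;     /* set when the last reference is dropped */
};
static int frees, use_after_free;  /* scenario counters */
static int pin_expired = 1;        /* 0 reproduces the unprotected walk */

static void dlg_ref(struct dlg_tl *d) { atomic_fetch_add(&d->ref, 1); }
static void dlg_unref(struct dlg_tl *d)
{ if (atomic_fetch_sub(&d->ref, 1) == 1) { d->released = 1; frees++; } }

/* Line 4: detach expired entries; with pinning, each detached entry carries a
 * reference for the timer process, so a racing hang-up cannot release it. */
static struct dlg_tl *get_expired_dlgs(struct dlg_tl **head, unsigned int ticks)
{
    struct dlg_tl *expired = NULL, **pp = head;
    while (*pp) {
        struct dlg_tl *d = *pp;
        if (d->timeout > ticks) { pp = &d->next; continue; }
        *pp = d->next;                    /* unlink from the timer list */
        if (pin_expired) dlg_ref(d);
        d->next = expired; expired = d;
    }
    return expired;
}

static void timer_hdl(struct dlg_tl *ctl)   /* line 10 */
{
    if (ctl->released) use_after_free++;    /* a real build would crash here */
    if (pin_expired) dlg_unref(ctl);        /* the timer drops its pin */
}

/* Hang-up interleaved between lines 4 and 5; returns how many handler runs
 * touched a released dialog (0 means the race is closed). */
static int run_race_scenario(int pin)
{
    struct dlg_tl d2 = { NULL, 100, 1, 0 }, d1 = { &d2, 5, 1, 0 }, *head = &d1;
    pin_expired = pin; frees = use_after_free = 0;
    struct dlg_tl *tl = get_expired_dlgs(&head, 10);
    dlg_unref(&d1);                         /* hang-up: the table drops its reference */
    while (tl) {                            /* lines 5-11 of the quoted routine */
        struct dlg_tl *ctl = tl; tl = tl->next; ctl->next = NULL;
        timer_hdl(ctl);
    }
    return use_after_free;
}
```

With pinning the dialog is released exactly once, by timer_hdl; without it the hang-up releases it first and the handler touches freed memory.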
</body>
</html>