[Openais] Library core dump using evt.

Muni Bajpai muniba at nortel.com
Sun Jan 8 11:27:28 PST 2006


Hey Steve, Mark

Kristen found an issue where the library dumped core in the process of
shutting down. As of now we can't reproduce it but the issue was in
saHandleInstancePut being called from saEvtEventAllocate. Looks like the
handle was corrupted or the database closed. In either case
handleDatabase->handles[handle].check caused the issue and my best guess
is accessing the array after it's been deallocated.

There is a check in saHandleInstancePut that I added to the other two
access functions. This seems like a good error check anyways. Now
obviously the calling functions should check the return code which is
not the case but at least we won't have invalid memory access.

 

Thanks

Muni

diff -uNr --exclude=svn --exclude=.svn --exclude=SCCS
--exclude=BitKeeper --exclude=ChangeSet --exclude=init --exclude=LICENSE
--exclude=Makefile --exclude=man --exclude=README.devmap
--exclude=SECURITY --exclude=TODO --exclude=CHANGELOG --exclude=conf
--exclude=loc --exclude=Makefile.samples --exclude=QUICKSTART
--exclude=.cdtproject --exclude=.project --exclude=nortel.patch
openais/branches/picacho/lib/util.c picacho_patch/lib/util.c

--- openais/branches/picacho/lib/util.c 2006-01-06 17:23:32 -06:00

+++ picacho_patch/lib/util.c    2006-01-08 13:23:15 -06:00

@@ -608,6 +608,11 @@

        uint32_t handle = inHandle & 0xffffffff;

 

        pthread_mutex_lock (&handleDatabase->mutex);

+

+       if (handle >= (SaUint64T)handleDatabase->handleCount) {

+                       error = SA_AIS_ERR_BAD_HANDLE;

+                       goto error_exit;

+       }

 

        if (check != handleDatabase->handles[handle].check) {

                error = SA_AIS_ERR_BAD_HANDLE;
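
Review bot: The new test on handle >= (SaUint64T)handleDatabase->handleCount only catches an out-of-range index; it does not cover the case the description gives as the best guess, the array being accessed after it has been deallocated. If the teardown path frees handleDatabase->handles without resetting handleCount, this check passes and handleDatabase->handles[handle].check on the next line still reads freed memory. Consider also rejecting a NULL handles pointer here, and having the destroy path set handles to NULL and handleCount to 0 under the same mutex. Separately, the new goto error_exit is taken with handleDatabase->mutex held and the label is outside the hunk, so please confirm that path unlocks the mutex.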

@@ -673,6 +678,11 @@

        uint32_t handle = inHandle & 0xffffffff;

 

        pthread_mutex_lock (&handleDatabase->mutex);

+

+       if (handle >= (SaUint64T)handleDatabase->handleCount) {

+                       error = SA_AIS_ERR_BAD_HANDLE;

+                       goto error_exit;

+       }

 

        if (check != handleDatabase->handles[handle].check) {

                error = SA_AIS_ERR_BAD_HANDLE;
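
Review bot: The body of the new if (the error = SA_AIS_ERR_BAD_HANDLE; and goto error_exit; lines) is indented one tab deeper than the body of the existing if (check != ...) just below it, and the block is a verbatim copy of the one in the first hunk. Suggest matching the existing indentation and moving the range test into one small helper shared by the access functions, so the copies cannot drift apart. The cast also deserves a comment: handle is a uint32_t, so widening handleCount to SaUint64T only matters if handleCount is not already an unsigned 32-bit value, and if it is a signed type a negative count would convert to a very large number and the check would never fire.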

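As an added illustration (not code from the patch or from openais), here is a self-contained handle table that applies the same range check before indexing and also rejects lookups after teardown. All names, the placement of the check value in the high 32 bits, and the omission of the mutex are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for this example; not the openais definitions. */
enum { H_OK = 0, H_BAD_HANDLE = 1 };
struct slot { uint32_t check; int refs; };
struct handle_db { uint32_t count; struct slot *slots; };

/* Index in the low 32 bits as in the patch; check in the high 32 (assumed). */
#define MAKE_HANDLE(check, idx) (((uint64_t)(check) << 32) | (uint32_t)(idx))

static void db_init(struct handle_db *db, uint32_t count)
{
	db->slots = calloc(count, sizeof(*db->slots));
	db->count = db->slots ? count : 0;
	for (uint32_t i = 0; i < db->count; i++) {
		db->slots[i].check = 0x1000u + i;	/* constructed check values */
		db->slots[i].refs = 1;
	}
}

/* Teardown leaves a state that every later lookup rejects. */
static void db_destroy(struct handle_db *db)
{
	free(db->slots);
	db->slots = NULL;
	db->count = 0;
}

/* Validate in order: table present, index in range, check value matches. */
static int handle_put(struct handle_db *db, uint64_t in)
{
	uint32_t idx = (uint32_t)(in & 0xffffffff);
	uint32_t check = (uint32_t)(in >> 32);
	if (db->slots == NULL || idx >= db->count)
		return H_BAD_HANDLE;
	if (db->slots[idx].check != check)
		return H_BAD_HANDLE;
	db->slots[idx].refs--;
	return H_OK;
}

int main(void)
{
	struct handle_db db;
	db_init(&db, 4);
	int ok = handle_put(&db, MAKE_HANDLE(0x1002u, 2)) == H_OK;
	db_destroy(&db);
	return (ok && handle_put(&db, MAKE_HANDLE(0x1002u, 2)) == H_BAD_HANDLE) ? 0 : 1;
}
```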