
Crashing in tcp_close

Message ID 20161111220911.GC2417@var.home
State New

Commit Message

Samuel Thibault Nov. 11, 2016, 10:09 p.m. UTC
Brian Candler, on Fri 11 Nov 2016 20:53:12 +0000, wrote:
> On 11/11/2016 16:17, Samuel Thibault wrote:
> >Could you increase the value given to valgrind's --num-callers= so we
> >can make sure the context of this call?
> 
> OK: re-run with --num-callers=250. It took a few iterations, but I captured
> it again. (I have grepped out all the "invalid file descriptor" lines).

Thanks!

> ==1217== Thread 1:
> ==1217== Invalid read of size 4
> ==1217==    at 0x550B5B: if_start (if.c:230)
> ==1217==    by 0x5550E2: slirp_pollfds_poll (slirp.c:770)
> ==1217==    by 0x5891EB: main_loop_wait (main-loop.c:508)
> ==1217==    by 0x2F4430: main_loop (vl.c:1908)
> ==1217==    by 0x2F4430: main (vl.c:4604)

Ooh, I see.  Now it's obvious, now that it's not coming from the tcb
loop :) Could you try the attached patch?

Samuel

Comments

Brian Candler Nov. 12, 2016, 9:33 a.m. UTC | #1
On 11/11/2016 22:09, Samuel Thibault wrote:
> Ooh, I see.  Now it's obvious, now that it's not coming from the tcb
> loop:)  Could you try the attached patch?

It looks like it now goes into an infinite loop when a connection is 
closed. Packer output stopped here:

...

2016/11/12 09:29:04 ui:     qemu: Get:33 
http://us.archive.ubuntu.com/ubuntu xenial-backports/universe i386 
Packages [2,212 B]
     qemu: Get:33 http://us.archive.ubuntu.com/ubuntu 
xenial-backports/universe i386 Packages [2,212 B]
2016/11/12 09:29:04 ui:     qemu: Get:34 
http://us.archive.ubuntu.com/ubuntu xenial-backports/universe 
Translation-en [1,144 B]
     qemu: Get:34 http://us.archive.ubuntu.com/ubuntu 
xenial-backports/universe Translation-en [1,144 B]

top shows:

  4828 nsrc      20   0 4688860 796236   9136 R 100.0  2.4 0:30.16 
qemu-system-x86

strace doesn't show anything:

# strace -p 4828
strace: Process 4828 attached
strace: [ Process PID=4828 runs in x32 mode. ]

So I sent a SIGABRT, here is the backtrace:

Core was generated by `/usr/local/bin/qemu-system-x86_64 -m 4G -drive 
if=none,file=output-qemu-vtp-nmm'.
Program terminated with signal SIGABRT, Aborted.
#0  sofree (so=so@entry=0x564b181fc940) at 
/home/nsrc/qemu-2.7.0/slirp/socket.c:74
74        if (ifm->ifq_so == so) {
[Current thread is 1 (Thread 0x7f9308610a80 (LWP 4828))]
(gdb) bt
#0  sofree (so=so@entry=0x564b181fc940) at 
/home/nsrc/qemu-2.7.0/slirp/socket.c:74
#1  0x0000564b14d8428f in tcp_close (tp=tp@entry=0x564b16287590)
     at /home/nsrc/qemu-2.7.0/slirp/tcp_subr.c:334
#2  0x0000564b14d82dc8 in tcp_input (m=0x564b182d9000, iphlen=<optimised 
out>, inso=inso@entry=0x0,
     af=af@entry=2) at /home/nsrc/qemu-2.7.0/slirp/tcp_input.c:1201
#3  0x0000564b14d7bc2b in ip_input (m=<optimised out>, 
m@entry=0x564b182d9000)
     at /home/nsrc/qemu-2.7.0/slirp/ip_input.c:206
#4  0x0000564b14d7e440 in slirp_input (slirp=<optimised out>, 
pkt=0x7f92ba4fc412 "RU\n",
     pkt_len=pkt_len@entry=54) at /home/nsrc/qemu-2.7.0/slirp/slirp.c:867
#5  0x0000564b14d73fc0 in net_slirp_receive (nc=<optimised out>, 
buf=<optimised out>, size=54)
     at /home/nsrc/qemu-2.7.0/net/slirp.c:118
#6  0x0000564b14d69b19 in nc_sendv_compat (flags=<optimised out>, 
iovcnt=<optimised out>,
     iov=0x7ffd6b417e00, nc=0x564b16293840) at 
/home/nsrc/qemu-2.7.0/net/net.c:701
#7  qemu_deliver_packet_iov (sender=<optimised out>, flags=<optimised 
out>, iov=0x7ffd6b417e00,
     iovcnt=<optimised out>, opaque=0x564b16293840) at 
/home/nsrc/qemu-2.7.0/net/net.c:728
#8  0x0000564b14d6c8db in qemu_net_queue_deliver_iov (iovcnt=1, 
iov=0x7ffd6b417e00, flags=0,
     sender=0x564b17db26d0, queue=0x564b16293290) at 
/home/nsrc/qemu-2.7.0/net/queue.c:179
#9  qemu_net_queue_send_iov (queue=0x564b16293290, 
sender=0x564b17db26d0, flags=flags@entry=0,
     iov=iov@entry=0x7ffd6b417e00, iovcnt=iovcnt@entry=1,
     sent_cb=sent_cb@entry=0x564b14b94690 <virtio_net_tx_complete>)
     at /home/nsrc/qemu-2.7.0/net/queue.c:224
#10 0x0000564b14d6a5f3 in qemu_sendv_packet_async (sender=<optimised out>,
     iov=iov@entry=0x7ffd6b417e00, iovcnt=iovcnt@entry=1,
     sent_cb=sent_cb@entry=0x564b14b94690 <virtio_net_tx_complete>)
     at /home/nsrc/qemu-2.7.0/net/net.c:764
#11 0x0000564b14b94429 in virtio_net_flush_tx (q=q@entry=0x564b17db2600)
     at /home/nsrc/qemu-2.7.0/hw/net/virtio-net.c:1282
#12 0x0000564b14b94625 in virtio_net_tx_bh (opaque=0x564b17db2600)
     at /home/nsrc/qemu-2.7.0/hw/net/virtio-net.c:1387
#13 0x0000564b14da951d in aio_bh_call (bh=<optimised out>) at 
/home/nsrc/qemu-2.7.0/async.c:67
#14 aio_bh_poll (ctx=ctx@entry=0x564b1627e060) at 
/home/nsrc/qemu-2.7.0/async.c:95
#15 0x0000564b14db3930 in aio_dispatch (ctx=0x564b1627e060) at 
/home/nsrc/qemu-2.7.0/aio-posix.c:308
#16 0x0000564b14da93de in aio_ctx_dispatch (source=<optimised out>, 
callback=<optimised out>,
     user_data=<optimised out>) at /home/nsrc/qemu-2.7.0/async.c:234
#17 0x00007f93079121a7 in g_main_context_dispatch () from 
/lib/x86_64-linux-gnu/libglib-2.0.so.0
#18 0x0000564b14db220b in glib_pollfds_poll () at 
/home/nsrc/qemu-2.7.0/main-loop.c:213
#19 os_host_main_loop_wait (timeout=<optimised out>) at 
/home/nsrc/qemu-2.7.0/main-loop.c:258
#20 main_loop_wait (nonblocking=<optimised out>) at 
/home/nsrc/qemu-2.7.0/main-loop.c:506
#21 0x0000564b14b1d431 in main_loop () at /home/nsrc/qemu-2.7.0/vl.c:1908
#22 main (argc=<optimised out>, argv=<optimised out>, envp=<optimised out>)
     at /home/nsrc/qemu-2.7.0/vl.c:4604
(gdb)

Regards,

Brian.

Brian Candler Nov. 12, 2016, 9:54 a.m. UTC | #2
On 12/11/2016 09:33, Brian Candler wrote:
> So I sent a SIGABRT, here is the backtrace:

And here is some state from the core dump:

(gdb) print so
$1 = (struct socket *) 0x564b181fc940
(gdb) print *so
$2 = {so_next = 0x564b18258c60, so_prev = 0x564b181fcb00, canary1 = 
-559038737, s = 28,
   pollfds_idx = -1, slirp = 0x564b16293a70, so_m = 0x0, so_ti = 
0x564b182d9070, so_urgc = 0, fhost = {
     ss = {ss_family = 2,
       __ss_padding = 
"\fFd@\000\361\000\000\000\000\000\000\000\000^\000\000\000n", '\000' 
<repeats 19 times>, 
"\330|Ak\375\177\000\000\002\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\070|Ak\375\177\000\000\271\022\262\024KV\000\000\001\000\000\000\000\000\000\000\312\031\262\024KV\000\000\340|Ak\375\177\000\000\000\021\002?\323fZ\345\000\220-\030KV\000", 
__ss_align = 94880472217585}, sin = {
       sin_family = 2, sin_port = 17932, sin_addr = {s_addr = 4043325540},
       sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 
2, sin6_port = 17932,
       sin6_flowinfo = 4043325540, sin6_addr = {__in6_u = {
           __u6_addr8 = 
"\000\000\000\000\000\000\000\000^\000\000\000n\000\000", __u6_addr16 = 
{0, 0,
             0, 0, 94, 0, 110, 0}, __u6_addr32 = {0, 0, 94, 110}}}, 
sin6_scope_id = 0}}, lhost = {
     ss = {ss_family = 2,
       __ss_padding = 
"\231\246\n\000\002\017\000\000\000\000\000\000\000\000\320\t\032\030KV\000\000\000\021\002?\323fZ\345\214\304+\030KV\000\000\320\t\032\030KV\000\000\000\304+\030KV\000\000Y[\330\024KV\000\000\000|Ak\375\177\000\000\061\000\000\000KV\000\000\061\000\000\000KV\000\000\024\000\000\000\000\000\000\000E\000E\000\251\246\000@@\021{\355\n\000\002\017\n\000\002\003\000\000\000",
       __ss_align = 313532612711}, sin = {sin_family = 2, sin_port = 
42649, sin_addr = {
         s_addr = 251789322}, sin_zero = 
"\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 2,
       sin6_port = 42649, sin6_flowinfo = 251789322, sin6_addr = 
{__in6_u = {
           __u6_addr8 = 
"\000\000\000\000\000\000\000\000\320\t\032\030KV\000", __u6_addr16 = {0, 0,
             0, 0, 2512, 6170, 22091, 0}, __u6_addr32 = {0, 0, 
404359632, 22091}}},
       sin6_scope_id = 1057100032}}, so_iptos = 0 '\000', so_emu = 0 
'\000', so_type = 0 '\000',
   so_state = 1, so_tcpcb = 0x0, so_expire = 0, so_queued = 0, 
so_nqueued = 0, so_rcv = {sb_cc = 0,
     sb_datalen = 9000, sb_wptr = 0x564b162898c0 "\200u(\026KV",
     sb_rptr = 0x564b162898c0 "\200u(\026KV", sb_data = 0x564b162898c0 
"\200u(\026KV"}, so_snd = {
     sb_cc = 0, sb_datalen = 9000,
     sb_wptr = 0x564b162e8034 
"/3\204|\244n\217;\257|\260nMshG\351\373\211w\205\241\252\364Z\343", 
<incomplete sequence \307>,
     sb_rptr = 0x564b162e8034 
"/3\204|\244n\217;\257|\260nMshG\351\373\211w\205\241\252\364Z\343", 
<incomplete sequence \307>, sb_data = 0x564b162e7cc0 "\260\230(\026KV"}, 
extra = 0x0,
   canary2 = -1103113299}
(gdb) print so->slirp
$3 = (Slirp *) 0x564b16293a70
(gdb) print *(so->slirp)
$4 = {entry = {tqe_next = 0x0, tqe_prev = 0x564b154961a0 
<slirp_instances>}, time_fasttimo = 0,
   last_slowtimo = 549524, do_slowtimo = true, in_enabled = true, 
in6_enabled = true, vnetwork_addr = {
     s_addr = 131082}, vnetwork_mask = {s_addr = 16777215}, vhost_addr = 
{s_addr = 33685514},
   vprefix_addr6 = {__in6_u = {__u6_addr8 = "\376\300", '\000' <repeats 
13 times>, __u6_addr16 = {
         49406, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {49406, 0, 0, 0}}}, 
vprefix_len = 64 '@',
   vhost_addr6 = {__in6_u = {__u6_addr8 = "\376\300", '\000' <repeats 13 
times>, "\002",
       __u6_addr16 = {49406, 0, 0, 0, 0, 0, 0, 512}, __u6_addr32 = 
{49406, 0, 0, 33554432}}},
   vdhcp_startaddr = {s_addr = 251789322}, vnameserver_addr = {s_addr = 
50462730},
   vnameserver_addr6 = {__in6_u = {__u6_addr8 = "\376\300", '\000' 
<repeats 13 times>, "\003",
       __u6_addr16 = {49406, 0, 0, 0, 0, 0, 0, 768}, __u6_addr32 = 
{49406, 0, 0, 50331648}}},
   client_ipaddr = {s_addr = 0}, client_hostname = '\000' <repeats 32 
times>, restricted = 0,
   exec_list = 0x0, m_freelist = {qh_link = 0x564b182c9600, qh_rlink = 
0x564b182c9600}, m_usedlist = {
     qh_link = 0x564b182d9000, qh_rlink = 0x564b182bfa00}, mbuf_alloced 
= 11, if_fastq = {
     qh_link = 0x564b16293b30, qh_rlink = 0x564b16293b30}, if_batchq = 
{qh_link = 0x564b16293b40,
     qh_rlink = 0x564b16293b40}, next_m = 0x564b16293b40, if_start_busy 
= false, ipq = {frag_link = {
       next = 0x0, prev = 0x0}, ip_link = {next = 0x564b16293b69, prev = 
0x564b16293b69},
     ipq_ttl = 0 '\000', ipq_p = 0 '\000', ipq_id = 0, ipq_src = {s_addr 
= 0}, ipq_dst = {
       s_addr = 0}}, ip_id = 2123, bootp_clients = {{allocated = 1, 
macaddr = "RT\000\022\064V"}, {
       allocated = 0, macaddr = "\000\000\000\000\000"} <repeats 15 
times>}, bootp_filename = 0x0,
   vdnssearch_len = 0, vdnssearch = 0x0, tcb = {so_next = 
0x564b182be7c0, so_prev = 0x564b16295ce0,
     canary1 = 0, s = 0, pollfds_idx = 0, slirp = 0x0, so_m = 0x0, so_ti 
= 0x0, so_urgc = 0, fhost = {
       ss = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>, 
__ss_align = 0}, sin = {
         sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0},
         sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family 
= 0, sin6_port = 0,
         sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000' 
<repeats 15 times>,
             __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 
0, 0, 0}}},
         sin6_scope_id = 0}}, lhost = {ss = {ss_family = 0, __ss_padding 
= '\000' <repeats 117 times>,
         __ss_align = 0}, sin = {sin_family = 0, sin_port = 0, sin_addr 
= {s_addr = 0},
         sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family 
= 0, sin6_port = 0,
         sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000' 
<repeats 15 times>,
             __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 
0, 0, 0}}},
         sin6_scope_id = 0}}, so_iptos = 0 '\000', so_emu = 0 '\000', 
so_type = 0 '\000',
     so_state = 0, so_tcpcb = 0x0, so_expire = 0, so_queued = 0, 
so_nqueued = 0, so_rcv = {sb_cc = 0,
       sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0}, 
so_snd = {sb_cc = 0,
       sb_datalen = 0, sb_wptr = 0x0, sb_rptr = 0x0, sb_data = 0x0}, 
extra = 0x0, canary2 = 0},
   tcp_last_so = 0x564b16293c20, tcp_iss = 1920001, tcp_now = 25, udb = 
{so_next = 0x564b182be600,
     so_prev = 0x564b182bdc00, canary1 = 0, s = 0, pollfds_idx = 0, 
slirp = 0x0, so_m = 0x0,
     so_ti = 0x0, so_urgc = 0, fhost = {ss = {ss_family = 0,
         __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin 
= {sin_family = 0,
         sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = 
"\000\000\000\000\000\000\000"}, sin6 = {
         sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = 
{__in6_u = {
             __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 
0, 0, 0, 0, 0, 0, 0},
             __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, lhost = 
{ss = {ss_family = 0,
         __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin 
= {sin_family = 0,
         sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = 
"\000\000\000\000\000\000\000"}, sin6 = {
         sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = 
{__in6_u = {
             __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 
0, 0, 0, 0, 0, 0, 0},
             __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, so_iptos 
= 0 '\000',
     so_emu = 0 '\000', so_type = 0 '\000', so_state = 0, so_tcpcb = 
0x0, so_expire = 0,
     so_queued = 0, so_nqueued = 0, so_rcv = {sb_cc = 0, sb_datalen = 0, 
sb_wptr = 0x0, sb_rptr = 0x0,
       sb_data = 0x0}, so_snd = {sb_cc = 0, sb_datalen = 0, sb_wptr = 
0x0, sb_rptr = 0x0,
       sb_data = 0x0}, extra = 0x0, canary2 = 0}, udp_last_so = 
0x564b182d7e00, icmp = {
     so_next = 0x564b16293f98, so_prev = 0x564b16293f98, canary1 = 0, s 
= 0, pollfds_idx = 0,
     slirp = 0x0, so_m = 0x0, so_ti = 0x0, so_urgc = 0, fhost = {ss = 
{ss_family = 0,
         __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin 
= {sin_family = 0,
         sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = 
"\000\000\000\000\000\000\000"}, sin6 = {
         sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = 
{__in6_u = {
             __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 
0, 0, 0, 0, 0, 0, 0},
             __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, lhost = 
{ss = {ss_family = 0,
         __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sin 
= {sin_family = 0,
         sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = 
"\000\000\000\000\000\000\000"}, sin6 = {
         sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = 
{__in6_u = {
             __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 
0, 0, 0, 0, 0, 0, 0},
             __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}, so_iptos 
= 0 '\000',
     so_emu = 0 '\000', so_type = 0 '\000', so_state = 0, so_tcpcb = 
0x0, so_expire = 0,
     so_queued = 0, so_nqueued = 0, so_rcv = {sb_cc = 0, sb_datalen = 0, 
sb_wptr = 0x0, sb_rptr = 0x0,
       sb_data = 0x0}, so_snd = {sb_cc = 0, sb_datalen = 0, sb_wptr = 
0x0, sb_rptr = 0x0,
       sb_data = 0x0}, extra = 0x0, canary2 = 0}, icmp_last_so = 
0x564b16293f98, tftp_prefix = 0x0,
   tftp_sessions = {{slirp = 0x0, filename = 0x0, fd = 0, client_addr = 
{ss_family = 0,
         __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, 
client_port = 0, block_nr = 0,
       timestamp = 0} <repeats 20 times>}, arp_table = {table = {{ar_hrd 
= 0, ar_pro = 0,
         ar_hln = 0 '\000', ar_pln = 0 '\000', ar_op = 0, ar_sha = 
"RT\000\022\064V",
         ar_sip = 251789322, ar_tha = "\000\000\000\000\000", ar_tip = 
0}, {ar_hrd = 0, ar_pro = 0,
         ar_hln = 0 '\000', ar_pln = 0 '\000', ar_op = 0, ar_sha = 
"\000\000\000\000\000", ar_sip = 0,
         ar_tha = "\000\000\000\000\000", ar_tip = 0} <repeats 15 
times>}, next_victim = 1},
   ndp_table = {table = {{eth_addr = "RT\000\022\064V", ip_addr = 
{__in6_u = {
             __u6_addr8 = 
"\376\200\000\000\000\000\000\000PT\000\377\376\022\064V", __u6_addr16 = {
               33022, 0, 0, 0, 21584, 65280, 4862, 22068}, __u6_addr32 = 
{33022, 0, 4278211664,
               1446253310}}}}, {eth_addr = "\000\000\000\000\000", 
ip_addr = {__in6_u = {
             __u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 
0, 0, 0, 0, 0, 0, 0},
             __u6_addr32 = {0, 0, 0, 0}}}} <repeats 15 times>}, 
next_victim = 1},
   grand = 0x564b162951c0, ra_timer = 0x564b162932d0, opaque = 
0x564b16293840}
(gdb) print so->slirp->next_m
$5 = (struct mbuf *) 0x564b16293b40
(gdb) print *(so->slirp->next_m)
$6 = {m_next = 0x564b16293b40, m_prev = 0x564b16293b40, m_nextpkt = 
0x564b16293b40, m_prevpkt = 0x0,
   m_flags = 0, m_size = 0, m_so = 0x564b16293b6900,
   m_data = 0x564b16293b6900 <error: Cannot access memory at address 
0x564b16293b6900>, m_len = 0,
   slirp = 0x84b000000000000, resolution_requested = true, 
expiration_date = 0, m_ext = 0x0,
   m_dat = 0x564b16293ba0 ""}
(gdb) print so->slirp->next_m->ifq_so
There is no member named ifq_so.
(gdb) print (so->slirp->next_m)->ifq_next
There is no member named ifq_next.

<< digs through code >> Ah OK, ifq_so and ifq_next are macros.

(gdb) print so->slirp->next_m->m_so
$8 = (struct socket *) 0x564b16293b6900
(gdb) print *(so->slirp->next_m->m_so)
Cannot access memory at address 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next
$9 = (struct mbuf *) 0x564b16293b40
(gdb) print *(so->slirp->next_m->m_next)
$10 = {m_next = 0x564b16293b40, m_prev = 0x564b16293b40, m_nextpkt = 
0x564b16293b40, m_prevpkt = 0x0,
   m_flags = 0, m_size = 0, m_so = 0x564b16293b6900,
   m_data = 0x564b16293b6900 <error: Cannot access memory at address 
0x564b16293b6900>, m_len = 0,
   slirp = 0x84b000000000000, resolution_requested = true, 
expiration_date = 0, m_ext = 0x0,
   m_dat = 0x564b16293ba0 ""}

Looks corrupt if pointers are outside accessible areas.

(gdb) print so
$16 = (struct socket *) 0x564b181fc940
(gdb) print so->slirp->next_m->m_so
$17 = (struct socket *) 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next->m_so
$18 = (struct socket *) 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next->m_next->m_so
$19 = (struct socket *) 0x564b16293b6900
(gdb) print so->slirp->next_m->m_next->m_next->m_next->m_so
$20 = (struct socket *) 0x564b16293b6900
(gdb)

There's the infinite loop.

Regards,

Brian.
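The circular-queue property Brian's trace exposes (next_m's m_next pointing back at itself, so a NULL check never fires) modelled in C, as an added example that is not slirp's own code: a constructed interface queue with the same ifq_next/ifq_so links and next_m cursor (the `head` sentinel stands in for slirp's if_batchq), a NULL-terminated walk shaped like the posted patch, bounded by a step counter so its non-termination shows up as a hit limit instead of a hang, and a sentinel-terminated walk that clears the socket references and stops.

```c
#include <stddef.h>
/* Constructed model of slirp's interface queue, not slirp's own code. As in
 * slirp the queue is circular and its head is overlaid as an mbuf, so an
 * empty queue's head links to itself and no ifq_next is ever NULL. */
struct socket { int id; };
struct mbuf {
    struct mbuf   *ifq_next, *ifq_prev;  /* circular queue links */
    struct socket *ifq_so;               /* owning socket, NULL once freed */
};
struct ifqueue {
    struct mbuf  head;    /* sentinel standing in for slirp's if_batchq */
    struct mbuf *next_m;  /* cursor where if_start resumes, as in slirp */
};
static void ifq_init(struct ifqueue *q)
{
    q->head.ifq_next = q->head.ifq_prev = &q->head;
    q->head.ifq_so = NULL;
    q->next_m = &q->head;  /* empty queue: cursor sits on the head */
}

static void ifq_append(struct ifqueue *q, struct mbuf *m, struct socket *so)
{
    m->ifq_so = so;
    m->ifq_next = &q->head;
    m->ifq_prev = q->head.ifq_prev;
    q->head.ifq_prev->ifq_next = m;
    q->head.ifq_prev = m;
    if (q->next_m == &q->head)
        q->next_m = m;
}

/* Loop shape of the posted patch: stops only on NULL, which a circular
 * queue never yields. A step limit makes the non-termination observable;
 * the return value is the steps taken (== limit when the walk spins). */
static int detach_null_terminated(struct ifqueue *q, struct socket *so, int limit)
{
    int steps = 0;
    for (struct mbuf *m = q->next_m; m && steps < limit; m = m->ifq_next, steps++)
        if (m->ifq_so == so)
            m->ifq_so = NULL;
    return steps;
}

/* Corrected shape: the queue head is the sentinel; returns references cleared. */
static int detach_sentinel_terminated(struct ifqueue *q, struct socket *so)
{
    int cleared = 0;
    for (struct mbuf *m = q->head.ifq_next; m != &q->head; m = m->ifq_next)
        if (m->ifq_so == so) {
            m->ifq_so = NULL;
            cleared++;
        }
    return cleared;
}
```

On an empty queue the NULL-terminated walk runs until the limit while reading `ifq_so` out of the sentinel, which is exactly the garbage `m_so` Brian saw repeated at every `m_next` hop.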

Patch

diff --git a/slirp/socket.c b/slirp/socket.c
index 280050a..1a50d30 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -66,6 +66,13 @@  void
 sofree(struct socket *so)
 {
   Slirp *slirp = so->slirp;
+  struct mbuf *ifm;
+
+  for (ifm = slirp->next_m; ifm; ifm = ifm->ifq_next) {
+    if (ifm->ifq_so == so) {
+      ifm->ifq_so = NULL;
+    }
+  }
 
   if (so->so_emu==EMU_RSH && so->extra) {
 	sofree(so->extra);
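Review bot: the loop `for (ifm = slirp->next_m; ifm; ifm = ifm->ifq_next)` terminates only on a NULL `ifq_next`, but slirp's interface queues are circular with the queue head as sentinel, so it never terminates: the core dump in comment #2 shows `if_batchq` at 0x564b16293b40 with `qh_link == qh_rlink == 0x564b16293b40` (empty), `next_m` equal to that same address, and `next_m->m_next` pointing back to itself, which is the 100% CPU spin Brian reported, with `ifq_so` being read out of the queue head (the inaccessible `m_so = 0x564b16293b6900`). Terminate on the queue head rather than on NULL, and walk the whole of both `if_fastq` and `if_batchq` (both visible in the dump) instead of starting at the `next_m` cursor, e.g. `for (ifm = (struct mbuf *) slirp->if_batchq.qh_link; ifm != (struct mbuf *) &slirp->if_batchq; ifm = ifm->ifq_next)` and the same for `if_fastq`; a one-line comment saying why the sentinel check is needed would stop the NULL form from coming back.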