
client: don't clear cl->dispatch

Message ID 20201026084527.29521-1-wojciech.jowsa@gmail.com
State Superseded
Series client: don't clear cl->dispatch

Commit Message

Wojciech Jowsa Oct. 26, 2020, 8:45 a.m. UTC
From: Wojciech Jowsa <wojciech.jowsa@gmail.com>

A segfault occurs in ubus_cmp_id when a client
tries to subscribe to a ubus object after the
object was removed and added again. When the ubus
object is removed then a client subscribed to
this object is notified about that. This causes
the following function calls:
uh_ubus_subscription_notification_remove_cb->
uh_request_done->memset(&cl->dispatch,..)
When the object is added again and the client
subscribes to it then the following functions are
called: ubus_add_object_cb->
avl_insert->avl_find_rec->ubus_cmp_id.
ubus_cmp_id tries to compare keys by
dereferencing pointers but one of the pointers
was previously zeroed in uh_request_done.

Signed-off-by: Wojciech Jowsa <wojciech.jowsa@gmail.com>
---
 client.c | 1 -
 1 file changed, 1 deletion(-)
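The failure mode the commit message describes, as an added illustration that is not code from this patch, from uhttpd or from libubox: a constructed intrusive sorted list stands in for the libubox avl tree, with a comparator that dereferences key pointers the way ubus_cmp_id does. The subscriber node is embedded in a per-client dispatch struct, as the message implies for uhttpd; zeroing that struct while the node is still linked leaves a NULL key in the tree, and the next insert would crash inside the comparator. Unlinking in the dispatch free hook before the memset avoids it. Every name here (struct node, tree_scan, demo, and the dispatch/client fields) is an assumption made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for libubox's avl tree: an intrusive sorted list whose
 * comparator dereferences the key pointers, the way ubus_cmp_id does. */
struct node { const void *key; struct node *next; };
struct tree { struct node *head; };

static int cmp_id(const void *k1, const void *k2)
{
    uint32_t a = *(const uint32_t *)k1, b = *(const uint32_t *)k2;
    return (a > b) - (a < b);
}

/* Keeps the list sorted; every node walked past has its key dereferenced. */
static void tree_insert(struct tree *t, struct node *n)
{
    struct node **pp = &t->head;
    while (*pp && cmp_id((*pp)->key, n->key) < 0)
        pp = &(*pp)->next;
    n->next = *pp;
    *pp = n;
}

static void tree_delete(struct tree *t, struct node *n)
{
    struct node **pp = &t->head;
    while (*pp && *pp != n)
        pp = &(*pp)->next;
    if (*pp)
        *pp = n->next;
    n->next = NULL;
}

/* Walks the list without touching keys: returns the node count and reports
 * how many linked nodes carry a NULL key, which is exactly what makes the
 * next tree_insert crash inside cmp_id. */
static int tree_scan(const struct tree *t, int *poisoned)
{
    int n = 0;
    *poisoned = 0;
    for (const struct node *p = t->head; p; p = p->next, n++)
        *poisoned += (p->key == NULL);
    return n;
}

/* Modelled on uhttpd's per-client dispatch state (field names are assumed):
 * the subscriber node is embedded in it, so memset() on cl->dispatch wipes a
 * node that may still be linked into the tree. */
struct client;
struct dispatch { uint32_t id; struct node node; void (*free)(struct client *); };
struct client { struct dispatch dispatch; struct tree *objects; };

static void subscribe(struct client *cl, struct tree *t, uint32_t id, void (*free_cb)(struct client *))
{
    cl->objects = t;
    cl->dispatch.id = id;
    cl->dispatch.node.key = &cl->dispatch.id;
    cl->dispatch.free = free_cb;
    tree_insert(t, &cl->dispatch.node);
}

/* Teardown hook: unlink the node before its owner is wiped. */
static void unsubscribe_cb(struct client *cl)
{
    tree_delete(cl->objects, &cl->dispatch.node);
}

/* Like uh_request_done(): run the dispatch free hook, then zero the state. */
static void request_done(struct client *cl)
{
    if (cl->dispatch.free)
        cl->dispatch.free(cl);
    memset(&cl->dispatch, 0, sizeof(cl->dispatch));
}

/* poisoned: NULL-key nodes still linked after request_done;
 * resubscribed: node count after re-adding the object, -1 if unsafe. */
struct outcome { int poisoned; int resubscribed; };

/* with_hook == 0 reproduces the reported bug (node wiped while linked);
 * with_hook == 1 unlinks first, so the memset is harmless and a fresh
 * subscription can be inserted. */
struct outcome demo(int with_hook)
{
    struct tree t = { NULL };
    struct client cl = { { 0 } };
    struct outcome o;

    subscribe(&cl, &t, 7, with_hook ? unsubscribe_cb : NULL);
    request_done(&cl);
    o.resubscribed = -1;        /* tree_insert would dereference NULL now */
    tree_scan(&t, &o.poisoned);
    if (!o.poisoned) {
        subscribe(&cl, &t, 7, unsubscribe_cb);   /* object re-added */
        o.resubscribed = tree_scan(&t, &o.poisoned);
    }
    return o;
}
```

demo(0) leaves one linked node whose key is NULL, the state the commit message's trace reaches before avl_insert; demo(1) ends with an empty tree after teardown and a single valid node after resubscribing. The point of the split is that the memset itself is not the hazard; zeroing memory that a tree still points into is.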

Comments

Wojciech Jowsa Nov. 15, 2020, 9:46 a.m. UTC | #1
Mon, 26 Oct 2020 at 09:46 <wojciech.jowsa@gmail.com> wrote:
>
> From: Wojciech Jowsa <wojciech.jowsa@gmail.com>
>
> A segfault occurs in ubus_cmp_id when a client
> tries to subscribe to a ubus object after the
> object was removed and added again. When the ubus
> object is removed then a client subscribed to
> this object is notified about that. This causes
> the following function calls:
> uh_ubus_subscription_notification_remove_cb->
> uh_request_done->memset(&cl->dispatch,..)
> When the object is added again and the client
> subscribes to it then the following functions are
> called: ubus_add_object_cb->
> avl_insert->avl_find_rec->ubus_cmp_id.
> ubus_cmp_id tries to compare keys by
> dereferencing pointers but one of the pointers
> was previously zeroed in uh_request_done.
>
> Signed-off-by: Wojciech Jowsa <wojciech.jowsa@gmail.com>
> ---
>  client.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/client.c b/client.c
> index 6233d01..45cd591 100644
> --- a/client.c
> +++ b/client.c
> @@ -125,7 +125,6 @@ void uh_request_done(struct client *cl)
>         uh_chunk_eof(cl);
>         uh_dispatch_done(cl);
>         blob_buf_init(&cl->hdr_response, 0);
> -       memset(&cl->dispatch, 0, sizeof(cl->dispatch));
>
>         if (!conf.http_keepalive || cl->request.connection_close)
>                 return uh_connection_close(cl);
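Review bot: with the memset gone, the two context lines that follow it, `if (!conf.http_keepalive || cl->request.connection_close)` / `return uh_connection_close(cl);`, show that on a keep-alive connection uh_request_done returns normally and the client is reused, so the next request on the same connection now starts with the previous request's dispatch state (callbacks and handler data) still populated in cl->dispatch. If cl->dispatch cannot be zeroed at this point, it still has to be reset before the next request is dispatched; leaving it stale is a separate correctness problem from the crash this patch targets.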
> --
> 2.25.1


Please ignore this patch.
The proper fix for the crash can be found here:
https://patchwork.ozlabs.org/project/openwrt/patch/20201115091917.7798-1-wojciech.jowsa@gmail.com/

Regards,
Wojtek

Patch

diff --git a/client.c b/client.c
index 6233d01..45cd591 100644
--- a/client.c
+++ b/client.c
@@ -125,7 +125,6 @@  void uh_request_done(struct client *cl)
 	uh_chunk_eof(cl);
 	uh_dispatch_done(cl);
 	blob_buf_init(&cl->hdr_response, 0);
-	memset(&cl->dispatch, 0, sizeof(cl->dispatch));
 
 	if (!conf.http_keepalive || cl->request.connection_close)
 		return uh_connection_close(cl);
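Review bot: dropping `-	memset(&cl->dispatch, 0, sizeof(cl->dispatch));` treats the symptom. The commit message's trace says a pointer inside cl->dispatch was zeroed while a node that uses it was still reachable through the ubus avl tree, so the defect is that the subscription is never unlinked before the dispatch state is reset, not that it is reset. The unlinking belongs in the teardown that `uh_dispatch_done(cl);` runs one line above (or in the remove callback before it calls uh_request_done), with the memset kept; as posted, the stale node stays linked in the tree holding whatever cl->dispatch last contained. The author's later reply in this thread withdraws the patch in favour of a separate fix.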