STABLE12-rx-protect-queue-during-debug-20040601

FIXES 4811

"in rx_packet.c:rxi_ReceiveDebugPacket() the rx_idleServerQueue is
scanned without taking a lock first.

The queue_Remove macro zeroes the ->next field (luckily), but this can
lead to a crash when Murphy strikes and the entry gets removed during
the scan: queue_Scan will dereference 0x0 -> next.
"

(cherry picked from commit 8d442bea4f760366b0c2bb2053e0ebf6ffa3d5c6)

diff --git a/src/rx/rx_packet.c b/src/rx/rx_packet.c
index 6f2034b3bf388b30b76684a56b4ba9512640c1ac..4276f9d9090fced3bfed01e4ff38d689d27b48f6 100644 (file)
--- a/src/rx/rx_packet.c
+++ b/src/rx/rx_packet.c
@@ -1142,6 +1142,7 @@ struct rx_packet *rxi_ReceiveDebugPacket(ap, asocket, ahost, aport, istack)
 #ifndef        RX_ENABLE_LOCKS
            tstat.waitingForPackets = rx_waitingForPackets;
 #endif
+           MUTEX_ENTER(&rx_serverPool_lock);
            tstat.nFreePackets = htonl(rx_nFreePackets);
            tstat.callsExecuted = htonl(rxi_nCalls);
            tstat.packetReclaims = htonl(rx_packetReclaims);
@@ -1149,6 +1150,7 @@ struct rx_packet *rxi_ReceiveDebugPacket(ap, asocket, ahost, aport, istack)
            tstat.nWaiting = htonl(rx_nWaiting);
            queue_Count( &rx_idleServerQueue, np, nqe, 
                                rx_serverQueueEntry, tstat.idleThreads); 
+           MUTEX_EXIT(&rx_serverPool_lock);
            tstat.idleThreads = htonl(tstat.idleThreads);
            tl = sizeof(struct rx_debugStats) - ap->length;
            if (tl > 0)