From 8d442bea4f760366b0c2bb2053e0ebf6ffa3d5c6 Mon Sep 17 00:00:00 2001
From: Rainer Toebbicke
Date: Wed, 2 Jun 2004 03:49:28 +0000
Subject: [PATCH] rx-protect-queue-during-debug-20040601 FIXES 4811 "in rx_packet.c:rxi_ReceiveDebugPacket() the rx_idleServerQueue is scanned without taking a lock first. The queue_Remove macro zeroes the ->next field (luckily), but this can lead to a crash when Murphy strikes and the entry gets removed during the scan: queue_Scan will dereference 0x0 -> next. "
---
 src/rx/rx_packet.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/rx/rx_packet.c b/src/rx/rx_packet.c
index 12822bfa8..682af9354 100644
--- a/src/rx/rx_packet.c
+++ b/src/rx/rx_packet.c
@@ -1154,6 +1154,7 @@ rxi_ReceiveDebugPacket(register struct rx_packet *ap, osi_socket asocket,
 #ifndef RX_ENABLE_LOCKS
 tstat.waitingForPackets = rx_waitingForPackets;
 #endif
+ MUTEX_ENTER(&rx_serverPool_lock);
 tstat.nFreePackets = htonl(rx_nFreePackets);
 tstat.callsExecuted = htonl(rxi_nCalls);
 tstat.packetReclaims = htonl(rx_packetReclaims);
@@ -1161,6 +1162,7 @@ rxi_ReceiveDebugPacket(register struct rx_packet *ap, osi_socket asocket,
 tstat.nWaiting = htonl(rx_nWaiting);
 queue_Count(&rx_idleServerQueue, np, nqe, rx_serverQueueEntry,
 tstat.idleThreads);
+ MUTEX_EXIT(&rx_serverPool_lock);
 tstat.idleThreads = htonl(tstat.idleThreads);
 tl = sizeof(struct rx_debugStats) - ap->length;
 if (tl > 0)
--
2.39.5
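Review bot: The critical section opened in the first hunk is wider than the race it closes, because `MUTEX_ENTER(&rx_serverPool_lock);` sits before the reads of `rx_nFreePackets`, `rxi_nCalls`, `rx_packetReclaims` and `rx_nWaiting`, while only the `queue_Count` in the second hunk walks `rx_idleServerQueue`. Going by its name, this handler runs on debug packets arriving from the network, so a peer can presumably trigger it repeatedly, and the lock shared with the server thread pool should be held as briefly as possible. I would move the enter to the line directly before `queue_Count(&rx_idleServerQueue, ...)`. If any of those counters really is protected by `rx_serverPool_lock`, which these hunks do not show, keep the placement and say so in a comment. The function body starts and ends outside both hunks, and one line between the hunks is not visible, so it is also worth confirming that nothing between the enter and the exit can leave the block with the mutex held.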
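Review bot: The locking rule this commit relies on is stated only in the commit message, so the `queue_Count` call in the second hunk should carry a comment that records it. Something like `/* rx_idleServerQueue is protected by rx_serverPool_lock: queue_Remove zeroes ->next, so an unlocked scan can dereference NULL if an entry is removed mid-scan. */` directly above the call would keep a later refactor from dropping the lock again. The crash described was reachable from an incoming debug request, so any other scans of `rx_idleServerQueue` outside this function (none are visible here) deserve the same check.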