From f7ccd84bbd306f5af9055e5ca88dbbc25ce36192 Mon Sep 17 00:00:00 2001
From: Rainer Toebbicke
Date: Mon, 18 Oct 2004 06:12:45 +0000
Subject: [PATCH] STABLE12-rx-protect-queue-during-debug-20040601

FIXES 4811 "in rx_packet.c:rxi_ReceiveDebugPacket() the rx_idleServerQueue is scanned without taking a lock first. The queue_Remove macro zeroes the ->next field (luckily), but this can lead to a crash when Murphy strikes and the entry gets removed during the scan: queue_Scan will dereference 0x0 -> next. "
(cherry picked from commit 8d442bea4f760366b0c2bb2053e0ebf6ffa3d5c6)
---
 src/rx/rx_packet.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/rx/rx_packet.c b/src/rx/rx_packet.c
index 6f2034b3b..4276f9d90 100644
--- a/src/rx/rx_packet.c
+++ b/src/rx/rx_packet.c
@@ -1142,6 +1142,7 @@ struct rx_packet *rxi_ReceiveDebugPacket(ap, asocket, ahost, aport, istack)
 #ifndef RX_ENABLE_LOCKS
 tstat.waitingForPackets = rx_waitingForPackets;
 #endif
+ MUTEX_ENTER(&rx_serverPool_lock);
 tstat.nFreePackets = htonl(rx_nFreePackets);
 tstat.callsExecuted = htonl(rxi_nCalls);
 tstat.packetReclaims = htonl(rx_packetReclaims);
@@ -1149,6 +1150,7 @@ struct rx_packet *rxi_ReceiveDebugPacket(ap, asocket, ahost, aport, istack)
 tstat.nWaiting = htonl(rx_nWaiting);
 queue_Count( &rx_idleServerQueue, np, nqe, rx_serverQueueEntry, tstat.idleThreads);
+ MUTEX_EXIT(&rx_serverPool_lock);
 tstat.idleThreads = htonl(tstat.idleThreads);
 tl = sizeof(struct rx_debugStats) - ap->length;
 if (tl > 0)
-- 
2.39.5
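Review bot: The critical section opened by the added `MUTEX_ENTER(&rx_serverPool_lock);` is wider than the fix described in the commit message needs: the three reads that follow it in this hunk (`rx_nFreePackets`, `rxi_nCalls`, `rx_packetReclaims`) are counter snapshots that this lock does not obviously guard, and the section also spans new line 1149, which the diff does not show, so anything that can block on that line (a system call, another lock) would now run while holding the server-pool lock. Since the stated goal is only to protect the `rx_idleServerQueue` walk, consider moving the enter to directly before `queue_Count(...)` so that the enter, the walk and the `MUTEX_EXIT` in the following hunk are adjacent, and adding a one-line comment there such as `/* entries can be removed from rx_idleServerQueue while we walk it; hold rx_serverPool_lock for the whole scan */`. If the wider scope is intentional, a comment saying which of those counters the lock covers would keep a later reader from narrowing it. rxi_ReceiveDebugPacket starts before this hunk and continues past the next one.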
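Review bot: The `MUTEX_EXIT(&rx_serverPool_lock);` placed right after `queue_Count` is correct only if `queue_Count` is a plain counting loop with no early `return` or jump out of the section; that macro is not visible here, so please confirm it cannot leave the lock held. This path is driven by an incoming debug packet, and if the debug port is reachable without authentication (as the function name suggests, though the hunk does not show it), a remote sender can now make the receiving thread take a lock that the server threads also contend for on every such request, so the section should stay as short as it is here and should not grow. It is also worth checking that no caller of rxi_ReceiveDebugPacket already holds a lock that is ordered after `rx_serverPool_lock` elsewhere, since taking it from the receive path is new. A comment above the walk along the lines of `/* NOTE: presumably reachable from unauthenticated debug requests; keep this critical section minimal */` would record both points. The enclosing function continues outside this hunk.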