Re: [patch] Accessing freed memory crash

From: Mikulas Patocka <mikulas artax karlin mff cuni cz>
To: Leonard den Ottolander <leonard den ottolander nl>
Cc: mc-devel gnome org
Subject: Re: [patch] Accessing freed memory crash
Date: Sat, 12 Aug 2006 03:35:44 +0200 (CEST)



On Sat, 12 Aug 2006, Leonard den Ottolander wrote:

Hello Mikulas,

On Fri, 2006-08-11 at 01:49 +0200, Mikulas Patocka wrote:

check_selects calls a callback when there is an event on handle. The
callback itself can remove the event with delete_select_channel --- when
it happens, check_selects accesses defunct p->next pointer and crash may
happen.


Committed using a do/while. Thanks for spotting and fixing.

Leonard.

Hi

I think the code you committed is wrong. Imagine this: you have one eventin select list and that event is set in select_set. On the first pass, youcall callback and set retry to TRUE. Callback removes the event. Youreturn to "do" cycle, now select_list is empty, you never get toretry=FALSE statement, and you loop forever with retry == TRUE.


Mikulas

SelectList *p;
gboolean retry = FALSE;

if (disabled_channels)
    return;

do
    for (p = select_list; p; p = p->next)
        if (FD_ISSET (p->fd, select_set)) {
            FD_CLR (p->fd, select_set);
            (*p->callback)(p->fd, p->info);
            retry = TRUE;
            break;
        } else
            retry = FALSE;
while (retry);

Follow-Ups:
- Re: [patch] Accessing freed memory crash
  - From: Leonard den Ottolander

References:
- [patch] Accessing freed memory crash
  - From: Mikulas Patocka
- Re: [patch] Accessing freed memory crash
  - From: Leonard den Ottolander

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]