From 3db1654b80615cffb3b47849d7d7b8b8d4ae82fc Mon Sep 17 00:00:00 2001 From: zhanghongyu Date: Fri, 14 Jul 2023 10:42:33 +0800 Subject: [PATCH] net/local: remove client from server.lc_waiters when client close if client is a noblocking socket, user can do close when server has not yet invoke accept interface, so we need remove this socket from server.lc_waiters. avoid server socket access the freed memory. ==936564==ERROR: AddressSanitizer: heap-use-after-free on address 0xf23071c8 at pc 0x58eaac3b bp 0xf0b9e218 sp 0xf0b9e208 READ of size 4 at 0xf23071c8 thread T0 #0 0x58eaac3a in dq_remfirst queue/dq_remfirst.c:45 #1 0x58fd1efe in local_accept local/local_accept.c:141 #2 0x58f66df6 in psock_accept socket/accept.c:149 #3 0x58f672a4 in accept4 socket/accept.c:280 #4 0x5be9ee0c in accept net/lib_accept.c:50 #5 0x592d6a5d in uv__accept libuv/src/unix/core.c:502 #6 0x5930d83b in uv__server_io libuv/src/unix/stream.c:550 #7 0x592efbde in uv__io_poll libuv/src/unix/posix-poll.c:335 #8 0x592d649a in uv_run libuv/src/unix/core.c:387 #9 0x5a7180f7 in service_schedule_loop service/common/service_loop.c:146 #10 0x591f300b in pthread_startup pthread/pthread_create.c:59 #11 0x5be8134f in pthread_start pthread/pthread_create.c:139 #12 0x58ee2762 in pre_start sim/sim_initialstate.c:53 Signed-off-by: zhanghongyu --- net/local/local_release.c | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/net/local/local_release.c b/net/local/local_release.c index d269945d61..575b90a528 100644 --- a/net/local/local_release.c +++ b/net/local/local_release.c @@ -66,9 +66,37 @@ int local_release(FAR struct local_conn_s *conn) DEBUGASSERT(conn->lc_state != LOCAL_STATE_ACCEPT); + if (conn->lc_state == LOCAL_STATE_CONNECTING) + { + FAR struct local_conn_s *server = NULL; + FAR struct local_conn_s *client; + FAR dq_entry_t *waiter = NULL; + + while ((server = local_nextconn(server)) && waiter == NULL) + { + if (server->lc_state == LOCAL_STATE_LISTENING) + { + for (waiter = dq_peek(&server->u.server.lc_waiters); + waiter; + waiter = dq_next(&client->u.client.lc_waiter)) + { + if (&conn->u.client.lc_waiter == waiter) + { + dq_rem(waiter, &server->u.server.lc_waiters); + server->u.server.lc_pending--; + break; + } + + client = container_of(waiter, struct local_conn_s, + u.client.lc_waiter); + } + } + } + } + /* Is the socket is listening socket (SOCK_STREAM server) */ - if (conn->lc_state == LOCAL_STATE_LISTENING) + else if (conn->lc_state == LOCAL_STATE_LISTENING) { FAR struct local_conn_s *client; FAR dq_entry_t *waiter;