00c0801743
==1729315==ERROR: AddressSanitizer: heap-use-after-free on address 0xf0501d60 at pc 0x032ffe43 bp 0xef4ed158 sp 0xef4ed148
READ of size 2 at 0xf0501d60 thread T0
#0 0x32ffe42 in nxsem_wait semaphore/sem_wait.c:94
#1 0x3548cf5 in _net_timedwait utils/net_lock.c:97
#2 0x3548f48 in net_sem_timedwait utils/net_lock.c:236
#3 0x3548f8c in net_sem_wait utils/net_lock.c:318
#4 0x350124d in local_accept local/local_accept.c:246
#5 0x3492719 in psock_accept socket/accept.c:149
#6 0x3492bcc in accept4 socket/accept.c:280
#7 0x662dc04 in accept net/lib_accept.c:50
#8 0x55c81ab in kvdb_loop kvdb/server.c:415
#9 0x55c860a in kvdbd_main kvdb/server.c:458
#10 0x33d968b in nxtask_startup sched/task_startup.c:70
#11 0x32ec039 in nxtask_start task/task_start.c:134
#12 0x34109be in pre_start sim/sim_initialstate.c:52
0xf0501d60 is located 288 bytes inside of 420-byte region [0xf0501c40,0xf0501de4)
freed by thread T0 here:
#0 0xf7aa6a3f in __interceptor_free ../../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x73aa06e in host_free sim/posix/sim_hostmemory.c:192
#2 0x34131d6 in mm_free sim/sim_heap.c:230
#3 0x3409388 in free umm_heap/umm_free.c:49
#4 0x35631f3 in local_free local/local_conn.c:225
#5 0x3563f75 in local_release local/local_release.c:129
#6 0x34f5a32 in local_close local/local_sockif.c:785
#7 0x3496ee8 in psock_close socket/net_close.c:102
#8 0x36500bc in sock_file_close socket/socket.c:115
#9 0x3635f6c in file_close vfs/fs_close.c:74
#10 0x3632439 in nx_close_from_tcb inode/fs_files.c:670
#11 0x36324f3 in nx_close inode/fs_files.c:697
#12 0x3632557 in close inode/fs_files.c:735
#13 0x55be289 in property_set_ kvdb/client.c:210
#14 0x55c0309 in property_set_int32_ kvdb/common.c:226
#15 0x55c03f5 in property_set_int32_oneway kvdb/common.c:236
Signed-off-by: ligd <liguiding1@xiaomi.com>
281 lines
8.1 KiB
C
281 lines
8.1 KiB
C
/****************************************************************************
|
|
* net/local/local_accept.c
|
|
*
|
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership. The
|
|
* ASF licenses this file to you under the Apache License, Version 2.0 (the
|
|
* "License"); you may not use this file except in compliance with the
|
|
* License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
* License for the specific language governing permissions and limitations
|
|
* under the License.
|
|
*
|
|
****************************************************************************/
|
|
|
|
/****************************************************************************
|
|
* Included Files
|
|
****************************************************************************/
|
|
|
|
#include <nuttx/config.h>
|
|
#if defined(CONFIG_NET) && defined(CONFIG_NET_LOCAL_STREAM)
|
|
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <assert.h>
|
|
#include <debug.h>
|
|
|
|
#include <nuttx/nuttx.h>
|
|
#include <nuttx/queue.h>
|
|
#include <nuttx/net/net.h>
|
|
|
|
#include "socket/socket.h"
|
|
#include "local/local.h"
|
|
|
|
/****************************************************************************
|
|
* Private Functions
|
|
****************************************************************************/
|
|
|
|
/****************************************************************************
|
|
* Name: local_waitlisten
|
|
****************************************************************************/
|
|
|
|
static int local_waitlisten(FAR struct local_conn_s *server)
|
|
{
|
|
int ret;
|
|
|
|
/* Loop until a connection is requested or we receive a signal */
|
|
|
|
while (dq_empty(&server->u.server.lc_waiters))
|
|
{
|
|
/* No.. wait for a connection or a signal */
|
|
|
|
ret = net_sem_wait(&server->lc_waitsem);
|
|
if (ret < 0)
|
|
{
|
|
return ret;
|
|
}
|
|
}
|
|
|
|
/* There is a client waiting for the connection */
|
|
|
|
return OK;
|
|
}
|
|
|
|
/****************************************************************************
|
|
* Public Functions
|
|
****************************************************************************/
|
|
|
|
/****************************************************************************
|
|
* Name: local_accept
|
|
*
|
|
* Description:
|
|
* This function implements accept() for Unix domain sockets. See the
|
|
* description of accept() for further information.
|
|
*
|
|
* Input Parameters:
|
|
* psock The listening Unix domain socket structure
|
|
* addr Receives the address of the connecting client
|
|
* addrlen Input: allocated size of 'addr',
|
|
* Return: returned size of 'addr'
|
|
* newconn The new, accepted Unix domain connection structure
|
|
*
|
|
* Returned Value:
|
|
* Returns zero (OK) on success or a negated errno value on failure.
|
|
* See the description of accept of the possible errno values in the
|
|
* description of accept().
|
|
*
|
|
* Assumptions:
|
|
* Network is NOT locked.
|
|
*
|
|
****************************************************************************/
|
|
|
|
int local_accept(FAR struct socket *psock, FAR struct sockaddr *addr,
|
|
FAR socklen_t *addrlen, FAR struct socket *newsock,
|
|
int flags)
|
|
{
|
|
FAR struct local_conn_s *server;
|
|
FAR struct local_conn_s *client;
|
|
FAR struct local_conn_s *conn;
|
|
FAR dq_entry_t *waiter;
|
|
bool nonblock = !!(flags & SOCK_NONBLOCK);
|
|
int ret;
|
|
|
|
/* Some sanity checks */
|
|
|
|
DEBUGASSERT(newsock && !newsock->s_conn);
|
|
|
|
/* Is the socket a stream? */
|
|
|
|
if (psock->s_domain != PF_LOCAL || psock->s_type != SOCK_STREAM)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
/* Verify that a valid memory block has been provided to receive the
|
|
* address
|
|
*/
|
|
|
|
server = psock->s_conn;
|
|
|
|
if (server->lc_proto != SOCK_STREAM ||
|
|
server->lc_state != LOCAL_STATE_LISTENING)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
/* Loop as necessary if we have to wait for a connection */
|
|
|
|
for (; ; )
|
|
{
|
|
/* Are there pending connections. Remove the client from the
|
|
* head of the waiting list.
|
|
*/
|
|
|
|
waiter = dq_remfirst(&server->u.server.lc_waiters);
|
|
|
|
if (waiter)
|
|
{
|
|
client = container_of(waiter, struct local_conn_s,
|
|
u.client.lc_waiter);
|
|
|
|
local_addref(client);
|
|
|
|
/* Decrement the number of pending clients */
|
|
|
|
DEBUGASSERT(server->u.server.lc_pending > 0);
|
|
server->u.server.lc_pending--;
|
|
|
|
/* Create a new connection structure for the server side of the
|
|
* connection.
|
|
*/
|
|
|
|
conn = local_alloc();
|
|
if (!conn)
|
|
{
|
|
nerr("ERROR: Failed to allocate new connection structure\n");
|
|
ret = -ENOMEM;
|
|
}
|
|
else
|
|
{
|
|
/* Initialize the new connection structure */
|
|
|
|
local_addref(conn);
|
|
|
|
conn->lc_proto = SOCK_STREAM;
|
|
conn->lc_type = LOCAL_TYPE_PATHNAME;
|
|
conn->lc_state = LOCAL_STATE_CONNECTED;
|
|
conn->lc_psock = psock;
|
|
conn->lc_peer = client;
|
|
client->lc_peer = conn;
|
|
|
|
strlcpy(conn->lc_path, client->lc_path, sizeof(conn->lc_path));
|
|
conn->lc_instance_id = client->lc_instance_id;
|
|
|
|
/* Open the server-side write-only FIFO. This should not
|
|
* block.
|
|
*/
|
|
|
|
ret = local_open_server_tx(conn, nonblock);
|
|
if (ret < 0)
|
|
{
|
|
nerr("ERROR: Failed to open write-only FIFOs for %s: %d\n",
|
|
conn->lc_path, ret);
|
|
}
|
|
}
|
|
|
|
/* Do we have a connection? Is the write-side FIFO opened? */
|
|
|
|
if (ret == OK)
|
|
{
|
|
DEBUGASSERT(conn->lc_outfile.f_inode != NULL);
|
|
|
|
/* Open the server-side read-only FIFO. This should not
|
|
* block because the client side has already opening it
|
|
* for writing.
|
|
*/
|
|
|
|
ret = local_open_server_rx(conn, nonblock);
|
|
if (ret < 0)
|
|
{
|
|
nerr("ERROR: Failed to open read-only FIFOs for %s: %d\n",
|
|
conn->lc_path, ret);
|
|
}
|
|
}
|
|
|
|
/* Do we have a connection? Are the FIFOs opened? */
|
|
|
|
if (ret == OK)
|
|
{
|
|
DEBUGASSERT(conn->lc_infile.f_inode != NULL);
|
|
|
|
/* Return the address family */
|
|
|
|
if (addr != NULL)
|
|
{
|
|
ret = local_getaddr(client, addr, addrlen);
|
|
}
|
|
}
|
|
|
|
if (ret == OK)
|
|
{
|
|
/* Setup the client socket structure */
|
|
|
|
newsock->s_domain = psock->s_domain;
|
|
newsock->s_type = SOCK_STREAM;
|
|
newsock->s_sockif = psock->s_sockif;
|
|
newsock->s_conn = (FAR void *)conn;
|
|
}
|
|
|
|
/* Signal the client with the result of the connection */
|
|
|
|
client->u.client.lc_result = ret;
|
|
if (client->lc_state == LOCAL_STATE_CONNECTING)
|
|
{
|
|
client->lc_state = LOCAL_STATE_CONNECTED;
|
|
_SO_SETERRNO(client->lc_psock, ret);
|
|
local_event_pollnotify(client, POLLOUT);
|
|
}
|
|
|
|
nxsem_post(&client->lc_waitsem);
|
|
|
|
if (ret == OK)
|
|
{
|
|
ret = net_sem_wait(&client->lc_donesem);
|
|
}
|
|
|
|
local_subref(client);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* No.. then there should be no pending connections */
|
|
|
|
DEBUGASSERT(server->u.server.lc_pending == 0);
|
|
|
|
/* Was the socket opened non-blocking? */
|
|
|
|
if (_SS_ISNONBLOCK(server->lc_conn.s_flags))
|
|
{
|
|
/* Yes.. return EAGAIN */
|
|
|
|
return -EAGAIN;
|
|
}
|
|
|
|
/* Otherwise, listen for a connection and try again. */
|
|
|
|
ret = local_waitlisten(server);
|
|
if (ret < 0)
|
|
{
|
|
return ret;
|
|
}
|
|
}
|
|
}
|
|
|
|
#endif /* CONFIG_NET && CONFIG_NET_LOCAL_STREAM */
|