3db1654b80
If the client is a non-blocking socket, the user can close it before the server has invoked the accept interface, so we need to remove this socket from server.lc_waiters to keep the server socket from accessing the freed memory.

==936564==ERROR: AddressSanitizer: heap-use-after-free on address 0xf23071c8 at pc 0x58eaac3b bp 0xf0b9e218 sp 0xf0b9e208
READ of size 4 at 0xf23071c8 thread T0
    #0 0x58eaac3a in dq_remfirst queue/dq_remfirst.c:45
    #1 0x58fd1efe in local_accept local/local_accept.c:141
    #2 0x58f66df6 in psock_accept socket/accept.c:149
    #3 0x58f672a4 in accept4 socket/accept.c:280
    #4 0x5be9ee0c in accept net/lib_accept.c:50
    #5 0x592d6a5d in uv__accept libuv/src/unix/core.c:502
    #6 0x5930d83b in uv__server_io libuv/src/unix/stream.c:550
    #7 0x592efbde in uv__io_poll libuv/src/unix/posix-poll.c:335
    #8 0x592d649a in uv_run libuv/src/unix/core.c:387
    #9 0x5a7180f7 in service_schedule_loop service/common/service_loop.c:146
    #10 0x591f300b in pthread_startup pthread/pthread_create.c:59
    #11 0x5be8134f in pthread_start pthread/pthread_create.c:139
    #12 0x58ee2762 in pre_start sim/sim_initialstate.c:53

Signed-off-by: zhanghongyu <zhanghongyu@xiaomi.com>
/****************************************************************************
 * net/local/local_release.c
 *
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership. The
 * ASF licenses this file to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance with the
 * License. You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations
 * under the License.
 *
 ****************************************************************************/
/****************************************************************************
 * Included Files
 ****************************************************************************/
#include <nuttx/config.h>
#if defined(CONFIG_NET) && defined(CONFIG_NET_LOCAL)
#include <errno.h>
#include <assert.h>
#include <nuttx/nuttx.h>
#include <nuttx/queue.h>
#include <nuttx/net/net.h>
#include <arch/irq.h>
#include "local/local.h"
/****************************************************************************
 * Public Functions
 ****************************************************************************/
/****************************************************************************
 * Name: local_release
 *
 * Description:
 *   If the local, Unix domain socket is in the connected state, then
 *   disconnect it. Release the local connection structure in any event.
 *
 * Input Parameters:
 *   conn - A reference to local connection structure
 *
 ****************************************************************************/
int local_release(FAR struct local_conn_s *conn)
{
  /* Tear down a local (Unix domain) connection structure.  The caller is
   * expected to have dropped every reference already; that is checked only
   * by DEBUGASSERT.  All queue manipulation and the final local_free() run
   * with the network lock held.  The function always returns OK.
   */

  DEBUGASSERT(conn->lc_crefs == 0);
  net_lock();

#ifdef CONFIG_NET_LOCAL_STREAM
  /* LOCAL_STATE_ACCEPT is an internal state that should be atomic with
   * respect to socket operations, so a release must never observe it.
   */

  DEBUGASSERT(conn->lc_state != LOCAL_STATE_ACCEPT);

  if (conn->lc_state == LOCAL_STATE_CONNECTING)
    {
      /* A client released while its connection is still pending may
       * still be queued on a listening server.  The queue node,
       * conn->u.client.lc_waiter, is embedded in the structure that is
       * freed below, so it has to be unlinked from that server's
       * lc_waiters queue first.  Otherwise the server would later
       * dequeue a node that lives in freed memory (heap-use-after-free).
       */

      FAR dq_entry_t *self = &conn->u.client.lc_waiter;
      FAR struct local_conn_s *server = NULL;
      FAR dq_entry_t *entry = NULL;

      for (; ; )
        {
          /* Stop when the connection list is exhausted or once the
           * previous pass located (and removed) our node.
           */

          server = local_nextconn(server);
          if (server == NULL || entry != NULL)
            {
              break;
            }

          /* Only listening servers own a waiter queue */

          if (server->lc_state != LOCAL_STATE_LISTENING)
            {
              continue;
            }

          entry = dq_peek(&server->u.server.lc_waiters);
          while (entry != NULL)
            {
              if (entry == self)
                {
                  /* Found ourselves: unlink and keep the server's
                   * pending count in step with the queue.
                   */

                  dq_rem(entry, &server->u.server.lc_waiters);
                  server->u.server.lc_pending--;
                  break;
                }

              entry = dq_next(entry);
            }
        }
    }

  /* Is this a listening socket (SOCK_STREAM server)? */

  else if (conn->lc_state == LOCAL_STATE_LISTENING)
    {
      FAR dq_entry_t *entry;

      DEBUGASSERT(conn->lc_proto == SOCK_STREAM);

      /* Fail every client that is still queued on this server: record
       * -ENOTCONN as its result, post its wait semaphore and raise
       * POLLOUT on it.
       *
       * NOTE(review): the waiters are signalled but are not unlinked from
       * lc_waiters before this server is freed, so their lc_waiter links
       * keep referring to one another.  Confirm that no later path walks
       * those links.
       */

      entry = dq_peek(&conn->u.server.lc_waiters);
      while (entry != NULL)
        {
          FAR struct local_conn_s *pending =
            container_of(entry, struct local_conn_s, u.client.lc_waiter);

          pending->u.client.lc_result = -ENOTCONN;
          nxsem_post(&pending->lc_waitsem);
          local_event_pollnotify(pending, POLLOUT);

          /* Advance only after the client has been notified */

          entry = dq_next(&pending->u.client.lc_waiter);
        }

      conn->u.server.lc_pending = 0;
    }
#endif /* CONFIG_NET_LOCAL_STREAM */

  /* Every state ends the same way: the connection structure is freed
   * while the network lock is still held, then the lock is dropped.
   */

  local_free(conn);
  net_unlock();
  return OK;
}
#endif /* CONFIG_NET && CONFIG_NET_LOCAL */