Opened 12 years ago
Closed 12 years ago
#489 closed defect (fixed)
answer_preprocess() may access deallocated phone structure
| Reported by: | Jakub Jermář | Owned by: | Jakub Jermář |
|---|---|---|---|
| Priority: | major | Milestone: | 0.6.0 |
| Component: | helenos/kernel/generic | Version: | mainline |
| Keywords: | ipc | Cc: | |
| Blocker for: | Depends on: | ||
| See also: |
Description
In answer_preprocess(), there is:
if ((native_t) IPC_GET_RETVAL(answer->data) == EHANGUP) {
/* In case of forward, hangup the forwared phone,
* not the originator
*/
mutex_lock(&answer->data.phone->lock);
irq_spinlock_lock(&TASK->answerbox.lock, true);
if (answer->data.phone->state == IPC_PHONE_CONNECTED) {
list_remove(&answer->data.phone->link);
answer->data.phone->state = IPC_PHONE_SLAMMED;
}
irq_spinlock_unlock(&TASK->answerbox.lock, true);
mutex_unlock(&answer->data.phone->lock);
}
The problem is that if indeed the call has been forwarded and masqueraded, the forwarder task may or may not be still alive when the final recipient decides to answer it. If the forwarder is not alive, answer_preprocess() will attempt to lock a mutex in unallocated memory.
Change History (2)
comment:1 by , 12 years ago
comment:2 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
The memory corruption problem was fixed in mainline,1665. A proper approach to this problem remains an open question however.
Note:
See TracTickets
for help on using tickets.
I will try to think of a way to fix this in lp:~jakub/helenos/camp2012.