Opened 12 years ago

Closed 11 years ago

#489 closed defect (fixed)

answer_preprocess() may access deallocated phone structure

Reported by: Jakub Jermář
Owned by: Jakub Jermář
Priority: major
Milestone: 0.6.0
Component: helenos/kernel/generic
Version: mainline
Keywords: ipc
Cc:
Blocker for:
Depends on:
See also:

Description

In answer_preprocess(), there is:

        if ((native_t) IPC_GET_RETVAL(answer->data) == EHANGUP) {
                /* In case of forward, hangup the forwarded phone,
                 * not the originator
                 */
                mutex_lock(&answer->data.phone->lock);
                irq_spinlock_lock(&TASK->answerbox.lock, true);
                if (answer->data.phone->state == IPC_PHONE_CONNECTED) {
                        list_remove(&answer->data.phone->link);
                        answer->data.phone->state = IPC_PHONE_SLAMMED;
                }
                irq_spinlock_unlock(&TASK->answerbox.lock, true);
                mutex_unlock(&answer->data.phone->lock);
        }

The problem is that if the call has indeed been forwarded and masqueraded, the forwarder task may or may not still be alive when the final recipient decides to answer it. If the forwarder is no longer alive, answer_preprocess() will attempt to lock a mutex in unallocated memory.
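The following is a constructed model of the lifetime bug described above, added to this page as an illustration; it is not HelenOS code and not the fix that landed in mainline. The types phone_t and call_t, the helpers phone_ref()/phone_unref(), and the idea of having an in-flight call hold a reference on the phone it was masqueraded through are assumptions of the example. Deallocation is modelled by marking the object PHONE_FREED instead of calling free(), so the stale access shows up as a return code rather than as memory corruption.

```c
#include <stdbool.h>
#include <stdio.h>

#define EOK      0
#define EHANGUP  (-1)
#define EUAF     (-2)   /* model-only: a freed phone was touched */

enum phone_state { PHONE_CONNECTED, PHONE_SLAMMED, PHONE_FREED };

typedef struct {
    enum phone_state state;
    int refcnt;      /* owner task plus every in-flight call referring to us */
    bool locked;     /* stands in for the phone's mutex */
} phone_t;

typedef struct {
    phone_t *phone;  /* phone through which the answer is delivered */
    int retval;      /* answer's return value; EHANGUP means "slam" */
    bool holds_ref;  /* did forwarding take a reference on the phone? */
} call_t;

static void phone_init(phone_t *p)
{
    p->state = PHONE_CONNECTED;
    p->refcnt = 1;   /* the owning task's own reference */
    p->locked = false;
}

static void phone_ref(phone_t *p) { p->refcnt++; }

static void phone_unref(phone_t *p)
{
    if (--p->refcnt == 0)
        p->state = PHONE_FREED;   /* model: the memory is gone from here on */
}

/* Stand-in for mutex_lock(): a real kernel would lock whatever bytes now
 * sit at the address; the model reports the use-after-free instead. */
static int phone_lock(phone_t *p)
{
    if (p->state == PHONE_FREED)
        return EUAF;
    p->locked = true;
    return EOK;
}

static void phone_unlock(phone_t *p) { p->locked = false; }

/* The forwarder masquerades the call as coming from its own phone. */
static void forward_call(call_t *c, phone_t *forwarder_phone, bool take_ref)
{
    c->phone = forwarder_phone;
    c->holds_ref = take_ref;
    if (take_ref)
        phone_ref(forwarder_phone);
}

/* Mirrors the EHANGUP branch quoted in the ticket, on the model types. */
static int answer_preprocess(call_t *c)
{
    int rc = EOK;
    if (c->retval == EHANGUP) {
        rc = phone_lock(c->phone);
        if (rc == EOK) {
            if (c->phone->state == PHONE_CONNECTED)
                c->phone->state = PHONE_SLAMMED;
            phone_unlock(c->phone);
        }
    }
    if (c->holds_ref)
        phone_unref(c->phone);   /* the call's reference ends with the answer */
    return rc;
}

/* Ticket scenario: forward without a reference, forwarder exits, then answer. */
int scenario_without_reference(void)
{
    phone_t p; call_t c = { .retval = EHANGUP };
    phone_init(&p);
    forward_call(&c, &p, false);
    phone_unref(&p);                /* forwarder task exits: refcnt 0, "freed" */
    return answer_preprocess(&c);   /* EUAF: the answer locks a freed mutex */
}

/* Mitigation candidate (assumption): the in-flight call pins the phone. */
int scenario_with_reference(void)
{
    phone_t p; call_t c = { .retval = EHANGUP };
    phone_init(&p);
    forward_call(&c, &p, true);
    phone_unref(&p);                /* forwarder exits: refcnt 1, phone survives */
    int rc = answer_preprocess(&c); /* slams the phone, then drops the last ref */
    return (rc == EOK && p.state == PHONE_FREED) ? EOK : -3;
}

int main(void)
{
    printf("without reference: rc=%d (EUAF=%d)\n", scenario_without_reference(), EUAF);
    printf("with reference:    rc=%d (EOK=%d)\n", scenario_with_reference(), EOK);
    return 0;
}
```

The point of the two scenarios is that the answer path dereferences answer->data.phone unconditionally, so whatever owns that pointer must guarantee the phone outlives every call forwarded through it; in the model that guarantee comes from the reference taken at forwarding time and released in answer_preprocess(), which is one possible design, not the one the ticket settles on.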

Change History (2)

comment:1 by Jakub Jermář, 12 years ago

I will try to think of a way to fix this in lp:~jakub/helenos/camp2012.

comment:2 by Jakub Jermář, 11 years ago

Resolution: fixed
Status: new → closed

The memory corruption problem was fixed in mainline,1665. A proper approach to this problem remains an open question however.
