
Opened 7 years ago

Closed 7 years ago

#489 closed defect (fixed)

answer_preprocess() may access deallocated phone structure

Reported by: Jakub Jermář
Owned by: Jakub Jermář
Priority: major
Milestone: 0.6.0
Component: helenos/kernel/generic
Version: mainline
Keywords: ipc
Cc:
Blocker for:
Depends on:
See also:

Description

In answer_preprocess(), there is:

        if ((native_t) IPC_GET_RETVAL(answer->data) == EHANGUP) {
                /* In case of forward, hangup the forwarded phone,
                 * not the originator
                 */
                mutex_lock(&answer->data.phone->lock);
                irq_spinlock_lock(&TASK->answerbox.lock, true);
                if (answer->data.phone->state == IPC_PHONE_CONNECTED) {
                        list_remove(&answer->data.phone->link);
                        answer->data.phone->state = IPC_PHONE_SLAMMED;
                }
                irq_spinlock_unlock(&TASK->answerbox.lock, true);
                mutex_unlock(&answer->data.phone->lock);
        }

The problem is that if indeed the call has been forwarded and masqueraded, the forwarder task may or may not be still alive when the final recipient decides to answer it. If the forwarder is not alive, answer_preprocess() will attempt to lock a mutex in unallocated memory.
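The lifetime hazard described in the ticket, as an added, user-space model that is not HelenOS kernel code and is not the change referred to in the ticket's resolution: a forwarded call keeps a raw pointer to the forwarder's phone, so if the forwarder exits before the final recipient answers with EHANGUP, the EHANGUP branch touches a phone that no longer exists. The hardened variant pins the phone with a reference for as long as the call is in flight. All names here (phone_t, call_t, phone_ref(), phone_unref(), forward_pinned(), scenario()) are this example's own, and "release" is modelled as a flag rather than a real free() so the model can report the would-be use-after-free safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Example code, not HelenOS: a simplified model of the phone lifetime
 * problem in answer_preprocess().  Names and structures are invented. */

#define EHANGUP (-1)

typedef enum { PHONE_CONNECTED, PHONE_SLAMMED } phone_state_t;

typedef struct {
    int refcount;          /* owning task + every in-flight call that names it */
    phone_state_t state;
    bool released;         /* stands in for the memory having been freed */
} phone_t;

typedef struct {
    phone_t *phone;        /* phone the call was forwarded through */
    int retval;            /* answer return value, e.g. EHANGUP */
} call_t;

/* One reference for the owning (forwarder) task. */
static void phone_init(phone_t *p) {
    p->refcount = 1;
    p->state = PHONE_CONNECTED;
    p->released = false;
}

static void phone_ref(phone_t *p) { p->refcount++; }

/* The last reference releases the phone.  Instead of free() we set a flag,
 * so a later access can be detected rather than corrupting memory. */
static void phone_unref(phone_t *p) {
    if (--p->refcount == 0)
        p->released = true;
}

/* The forwarder task exits and drops only its own reference. */
static void forwarder_exit(phone_t *p) { phone_unref(p); }

/* Vulnerable shape: the call remembers the phone but does not pin it. */
static void forward_unpinned(call_t *c, phone_t *p) { c->phone = p; }

/* Hardened shape (one possible approach, assumed here): the in-flight call
 * holds its own reference, so the phone outlives the forwarder. */
static void forward_pinned(call_t *c, phone_t *p) {
    phone_ref(p);
    c->phone = p;
}

/* Mirrors the ticket's EHANGUP branch.  Returns false when the real kernel
 * would have locked a mutex inside released memory; true otherwise. */
static bool answer_preprocess_model(call_t *c) {
    if (c->retval != EHANGUP)
        return true;
    if (c->phone->released)
        return false;
    if (c->phone->state == PHONE_CONNECTED)
        c->phone->state = PHONE_SLAMMED;   /* slam the forwarded phone */
    return true;
}

/* After the answer is delivered, drop the pin taken by forward_pinned(). */
static void call_finish_pinned(call_t *c) {
    phone_unref(c->phone);
    c->phone = NULL;
}

/* Scenario: the forwarder dies before the final recipient answers EHANGUP.
 * Result bits: 1 = answer path was safe, 2 = phone ended up slammed,
 * 4 = phone memory was released by the end. */
static int scenario(bool pinned) {
    phone_t phone;
    call_t call = { .phone = NULL, .retval = EHANGUP };
    phone_init(&phone);
    if (pinned)
        forward_pinned(&call, &phone);
    else
        forward_unpinned(&call, &phone);
    forwarder_exit(&phone);
    bool ok = answer_preprocess_model(&call);
    if (pinned && ok)
        call_finish_pinned(&call);
    return (ok ? 1 : 0) | (phone.state == PHONE_SLAMMED ? 2 : 0) |
           (phone.released ? 4 : 0);
}

int main(void) {
    printf("unpinned: result=%d (expect 4: released, never slammed, unsafe)\n",
           scenario(false));
    printf("pinned:   result=%d (expect 7: safe, slammed, then released)\n",
           scenario(true));
    return 0;
}
```

In the unpinned run the forwarder's exit takes the only reference away, so the EHANGUP branch arrives at a released phone; in the pinned run the call's own reference keeps the phone alive until the slam has been recorded, and the phone is released only when the call lets go. Whether reference pinning is the right design for the real kernel is exactly the question the ticket leaves open.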

Change History (2)

comment:1 Changed 7 years ago by Jakub Jermář

I will try to think of a way to fix this in lp:~jakub/helenos/camp2012.

comment:2 Changed 7 years ago by Jakub Jermář

Resolution: fixed
Status: new → closed

The memory corruption problem was fixed in mainline,1665. A proper approach to this problem remains an open question however.
