[Xorp-hackers] Crash due to stale cached xrl sender pointer.
Bruce Simpson
bms at incunabulum.net
Thu Oct 29 11:34:08 PDT 2009
Ben Greear wrote:
> ...
> Please note that the sender will be marked inactive, so the XRL will not
> actually try to use it, but if the memory is gone, then it can't even check
> the foo->active() flag w/out crashing.
>
> It seems a pretty simple use-after-free bug, and the fix seems pretty
> trivial to me.
I'm pleased that you've found an issue, and come up with a fix that
appears to work for you in the here and now. I would also class part of
the issue you've run into as a design bug in XRL, and have tried to
explain (as best I can) why I believe that is the case.
I would prefer to know what the root cause of the transport pointer
being invalidated is; this is mostly so that I can avoid introducing a
similar situation in new code.
However, I'm concerned that the suggested fix actually makes the code
more difficult to read than it already is. I'm not happy with ref_ptr,
and it has been a source of problems for me in the past.
Of course, it's worth bearing in mind that I am looking at this from a
very critical viewpoint at the moment. ;-)
cheers,
BMS
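The failure mode described in the quoted text (a cached raw pointer to a sender that is later freed, so even the defensive `active()` check touches dead memory) and a non-owning alternative, as an added C++ illustration. This is not XORP code: `XrlSender`, the two cache classes and their method names are hypothetical stand-ins, and `std::weak_ptr` is used here in place of XORP's `ref_ptr` purely to show the idea of a cache entry that can detect its target has gone.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>

// Hypothetical stand-in for an XRL sender; the name and API are assumptions.
class XrlSender {
public:
    explicit XrlSender(std::string name) : _name(std::move(name)), _active(true) {}
    void deactivate() { _active = false; }
    bool active() const { return _active; }
    const std::string& name() const { return _name; }
private:
    std::string _name;
    bool _active;
};

// Buggy pattern: the cache keeps a raw pointer it does not own. Once the owner
// deletes the sender, even the "is it still active?" check reads freed memory.
class RawSenderCache {
public:
    void cache(const std::string& key, XrlSender* s) { _senders[key] = s; }
    XrlSender* lookup(const std::string& key) const {
        auto it = _senders.find(key);
        if (it == _senders.end()) return nullptr;
        XrlSender* s = it->second;
        return s->active() ? s : nullptr;   // use-after-free if *s was already freed
    }
private:
    std::map<std::string, XrlSender*> _senders;
};

// Fixed pattern: the cache keeps a non-owning weak_ptr. lock() yields an empty
// shared_ptr after the owner releases the sender, so nothing is dereferenced.
class WeakSenderCache {
public:
    void cache(const std::string& key, const std::shared_ptr<XrlSender>& s) {
        _senders[key] = s;
    }
    std::shared_ptr<XrlSender> lookup(const std::string& key) const {
        auto it = _senders.find(key);
        if (it == _senders.end()) return nullptr;
        std::shared_ptr<XrlSender> s = it->second.lock();
        if (!s) return nullptr;             // target destroyed: stale entry, not a crash
        return s->active() ? s : nullptr;   // safe: we hold a strong ref while checking
    }
    // Entries whose target has already been destroyed; useful to spot leaks of
    // stale registrations during debugging.
    std::size_t stale_count() const {
        std::size_t n = 0;
        for (const auto& kv : _senders)
            if (kv.second.expired()) ++n;
        return n;
    }
private:
    std::map<std::string, std::weak_ptr<XrlSender>> _senders;
};

// Raw cache with a sender that outlives every lookup: the active() guard works
// only as long as the object is still alive.
bool raw_cache_live_lookup() {
    XrlSender s("fea");   // constructed sample sender
    RawSenderCache cache;
    cache.cache("fea", &s);
    bool found = (cache.lookup("fea") == &s);
    s.deactivate();
    return found && cache.lookup("fea") == nullptr;
}

// Weak cache across the full lifecycle: active, deactivated, then released by
// its owner. Returns true if every lookup stays well-defined.
bool weak_cache_survives_release() {
    WeakSenderCache cache;
    {
        auto s = std::make_shared<XrlSender>("rib");   // constructed sample sender
        cache.cache("rib", s);
        if (!cache.lookup("rib")) return false;        // live and active
        s->deactivate();
        if (cache.lookup("rib")) return false;         // live but inactive
    }   // owner drops its last reference here; the object is destroyed
    return cache.lookup("rib") == nullptr && cache.stale_count() == 1;
}
```

The design point is that an "inactive" flag inside the object cannot protect a caller once the object itself is gone; the liveness information has to live outside the object (here, in the control block the `weak_ptr` observes) or the cache entry has to be removed on the same code path that destroys the sender.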