You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Alan Conway (JIRA)" <ji...@apache.org> on 2018/04/20 19:52:15 UTC
[jira] [Created] (PROTON-1832) [c] duplicate link names cause
invalid read in pn_transport_unbind_handles
Alan Conway created PROTON-1832:
-----------------------------------
Summary: [c] duplicate link names cause invalid read in pn_transport_unbind_handles
Key: PROTON-1832
URL: https://issues.apache.org/jira/browse/PROTON-1832
Project: Qpid Proton
Issue Type: Bug
Components: proton-c
Affects Versions: proton-c-0.21.0
Reporter: Alan Conway
Assignee: Alan Conway
Fix For: proton-j-0.27.0
Proton has an invalid read error in pn_transport_unbind_handles under specific circumstances where the same name is used to create 2 different incoming links on the same session.
This patch demonstrates
{code:java}
1 file changed, 43 insertions(+), 2 deletions(-)
c/tests/connection_driver.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
modified c/tests/connection_driver.c
@@ -48,6 +48,24 @@ static pn_event_type_t open_handler(test_handler_t *th, pn_event_t *e) {
return PN_EVENT_NONE;
}
+/* Like open_handler but also reply to REMOTE_CLOSE */
+static pn_event_type_t open_close_handler(test_handler_t *th, pn_event_t *e) {
+ switch (pn_event_type(e)) {
+ case PN_CONNECTION_REMOTE_CLOSE:
+ pn_connection_open(pn_event_connection(e));
+ break;
+ case PN_SESSION_REMOTE_CLOSE:
+ pn_session_open(pn_event_session(e));
+ break;
+ case PN_LINK_REMOTE_CLOSE:
+ pn_link_close(pn_event_link(e));
+ break;
+ default:
+ return open_handler(th, e);
+ }
+ return PN_EVENT_NONE;
+}
+
/* Handler that returns control on PN_DELIVERY and stores the delivery on the handler */
static pn_event_type_t delivery_handler(test_handler_t *th, pn_event_t *e) {
switch (pn_event_type(e)) {
@@ -442,6 +458,30 @@ static void test_session_flow_control(test_t *t) {
test_connection_drivers_destroy(&client, &server);
}
+/* Regression test for crash caused by using the same name for multiple links on same session. */
+static void test_duplicate_link(test_t *t) {
+ /* Set up the initial link */
+ test_connection_driver_t client, server;
+ test_connection_drivers_init(t, &client, open_close_handler, &server, open_close_handler);
+ pn_connection_open(client.driver.connection);
+ pn_session_t *ssn = pn_session(client.driver.connection);
+ pn_session_open(ssn);
+ pn_link_t *x = pn_sender(ssn, "x");
+ pn_link_open(x);
+ /* Close the link and open a new link with same name.
+ NOTE: close and duplicate open must be in the same batch of events
+ */
+ pn_link_close(x);
+ pn_link_open(pn_sender(ssn, "x"));
+ test_connection_drivers_run(&client, &server);
+ /* At this point the server has 2 handle map entries for the same link.
+ Freeing the link is correct, refcounting will keep it in memory,
+ but the extra handle map entry will cause a core dump in pn_transport_unbind_handles
+ */
+ pn_link_free(server.handler.link);
+ test_connection_drivers_destroy(&client, &server);
+}
+
int main(int argc, char **argv) {
int failed = 0;
RUN_ARGV_TEST(failed, t, test_message_transfer(&t));
@@ -449,5 +489,6 @@ int main(int argc, char **argv) {
RUN_ARGV_TEST(failed, t, test_message_abort(&t));
RUN_ARGV_TEST(failed, t, test_message_abort_mixed(&t));
RUN_ARGV_TEST(failed, t, test_session_flow_control(&t));
+ RUN_ARGV_TEST(failed, t, test_duplicate_link(&t));
return failed;
}
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org