Posted to commits@trafficserver.apache.org by jp...@apache.org on 2015/11/06 02:08:44 UTC

trafficserver git commit: Dereferencing a NULL pointer in SpdyClientSession::clear()

Repository: trafficserver
Updated Branches:
  refs/heads/master 4ab20913b -> de42e06ce


Dereferencing a NULL pointer in SpdyClientSession::clear()

  - At `SpdyClientSession.cc:28`, `static ClassAllocator<SpdyClientSession>
    spdyClientSessionAllocator` creates an instance of `SpdyClientSession`
    using the default constructor.
  - From that point on, `spdyClientSessionAllocator.alloc()`
    essentially calls memcpy on this prototype as an optimization to
    return new instances.
  - The regular usage of `SpdyClientSession` ensures that
    `SpdyClientSession::init()` would be called before its destructor
    is invoked. This init function sets the value of the `mutex`
    pointer inside `SpdyClientSession` from its initial value of
    `NULL`.
  - When `ClassAllocator` is being freed, the destructor on its
    `SpdyClientSession` prototype is called. However, the `mutex`
    inside the prototype is `NULL` and dereferencing it to get to
    `this->mutex->thread_holding` causes a SEGFAULT when the
    destructor is called at process exit.

This closes #323.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/de42e06c
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/de42e06c
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/de42e06c

Branch: refs/heads/master
Commit: de42e06ce863afdcc250e44511b5cd3a3674c7e5
Parents: 4ab2091
Author: Can Selcik <se...@illinois.edu>
Authored: Wed Nov 4 19:43:24 2015 -0800
Committer: James Peach <jp...@apache.org>
Committed: Thu Nov 5 17:00:38 2015 -0800

----------------------------------------------------------------------
 proxy/spdy/SpdyClientSession.cc | 3 +++
 1 file changed, 3 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de42e06c/proxy/spdy/SpdyClientSession.cc
----------------------------------------------------------------------
diff --git a/proxy/spdy/SpdyClientSession.cc b/proxy/spdy/SpdyClientSession.cc
index a54da43..c3d23b3 100644
--- a/proxy/spdy/SpdyClientSession.cc
+++ b/proxy/spdy/SpdyClientSession.cc
@@ -120,6 +120,9 @@ SpdyClientSession::init(NetVConnection *netvc)
 void
 SpdyClientSession::clear()
 {
+  if (!mutex)
+    return; // this object wasn't initialized.
+
   int last_event = event;
 
   SPDY_DECREMENT_THREAD_DYN_STAT(SPDY_STAT_CURRENT_CLIENT_SESSION_COUNT, this->mutex->thread_holding);
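
Review bot: The new guard at the top of `SpdyClientSession::clear()` treats a NULL `mutex` as the only evidence that `init()` never ran, and its comment ("this object wasn't initialized") does not say which object reaches this path. The commit message identifies it as the `ClassAllocator` prototype destroyed at process exit, so the comment should name that case, so that a later reader does not take the check for dead code. Because the `return` skips the entire body, please confirm that `clear()` cannot be entered on an initialized session whose `mutex` has already been released; in that case the `SPDY_DECREMENT_THREAD_DYN_STAT` on the session count would be skipped silently and the counter would drift. Style: put braces around the single-statement `if`, so that a later addition to the early-exit path cannot fall outside the condition.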