- fix use after free (not removing single transmit handle from queue), refactor queue logic

author: Bart Polot <bart@net.in.tum.de> 2016-08-10 18:04:51 +0000
committer: Bart Polot <bart@net.in.tum.de> 2016-08-10 18:04:51 +0000
commit: 1ad40d5fa726e7555be546a9ec3ac93fa4c64a20 (patch)
tree: 35d916adde31707156d21c3913010652ec36a188 /src/cadet/cadet_api.c
parent: 0b1e94678049f56af31622d4f75598ccc129bad0 (diff)
download: gnunet-1ad40d5fa726e7555be546a9ec3ac93fa4c64a20.tar.gz
gnunet-1ad40d5fa726e7555be546a9ec3ac93fa4c64a20.zip
1 files changed, 32 insertions, 13 deletions
diff --git a/src/cadet/cadet_api.c b/src/cadet/cadet_api.c
index 660bcea3d..6ddf4557c 100644
--- a/src/cadet/cadet_api.c
+++ b/src/cadet/cadet_api.c
@@ -485,6 +485,26 @@ add_to_queue (struct GNUNET_CADET_Handle *h,
 /**
+ * Remove a transmit handle from the transmission queue, if present.
+ *
+ * Safe to call even if not queued.
+ *
+ * @param th handle to the packet to be unqueued.
+ */
+static void
+remove_from_queue (struct GNUNET_CADET_TransmitHandle *th)
+{
+  struct GNUNET_CADET_Handle *h = th->channel->cadet;
+  /* It might or might not have been queued (rarely not), but check anyway. */
+  if (NULL != th->next || h->th_tail == th)
+  {
+    GNUNET_CONTAINER_DLL_remove (h->th_head, h->th_tail, th);
+  }
+}
+/**
 * Send an ack on the channel to confirm the processing of a message.
 *
 * @param ch Channel on which to send the ACK.
@@ -527,16 +547,21 @@ request_data (void *cls)
  size_t osize;
  LOG (GNUNET_ERROR_TYPE_DEBUG, "Requesting Data: %u bytes\n", th->size);
+  GNUNET_assert (GNUNET_YES == th->channel->allow_send);
+  th->channel->allow_send = GNUNET_NO;
  th->request_data_task = NULL;
  th->channel->packet_size = 0;
+  remove_from_queue (th);
  env = GNUNET_MQ_msg_extra (msg, th->size,
                             GNUNET_MESSAGE_TYPE_CADET_LOCAL_DATA);
  msg->id = htonl (th->channel->chid);
  osize = th->notify (th->notify_cls, th->size, &msg[1]);
  GNUNET_assert (osize == th->size);
-  th->channel->allow_send = GNUNET_NO;
  GNUNET_MQ_send (th->channel->cadet->mq, env);
-  GNUNET_CADET_notify_transmit_ready_cancel (th);
+  GNUNET_free (th);
 }
@@ -1665,13 +1690,7 @@ GNUNET_CADET_notify_transmit_ready_cancel (struct GNUNET_CADET_TransmitHandle *t
  }
  th->request_data_task = NULL;
-  /* It might or might not have been queued (rarely not), but check anyway. */
+  remove_from_queue (th);
-  if (NULL != th->next)
-  {
-    struct GNUNET_CADET_Handle *h;
-    h = th->channel->cadet;
-    GNUNET_CONTAINER_DLL_remove (h->th_head, h->th_tail, th);
-  }
  GNUNET_free (th);
 }
@@ -1689,12 +1708,12 @@ send_info_request (struct GNUNET_CADET_Handle *h, uint16_t type)
  struct GNUNET_MessageHeader *msg;
  struct GNUNET_MQ_Envelope *env;
-  env = GNUNET_MQ_msg (msg, type);
-  GNUNET_MQ_send (h->mq, env);
  LOG (GNUNET_ERROR_TYPE_DEBUG,
-       " Sending %s message to service\n",
+       " Sending %s monitor message to service\n",
       GC_m2s(type));
+  env = GNUNET_MQ_msg (msg, type);
+  GNUNET_MQ_send (h->mq, env);
 }
author	Bart Polot <bart@net.in.tum.de>	2016-08-10 18:04:51 +0000
committer	Bart Polot <bart@net.in.tum.de>	2016-08-10 18:04:51 +0000
commit	1ad40d5fa726e7555be546a9ec3ac93fa4c64a20 (patch)
tree	35d916adde31707156d21c3913010652ec36a188 /src/cadet/cadet_api.c
parent	0b1e94678049f56af31622d4f75598ccc129bad0 (diff)
download	gnunet-1ad40d5fa726e7555be546a9ec3ac93fa4c64a20.tar.gz gnunet-1ad40d5fa726e7555be546a9ec3ac93fa4c64a20.zip

diff --git a/src/cadet/cadet_api.c b/src/cadet/cadet_api.c index 660bcea3d..6ddf4557c 100644 --- a/src/cadet/cadet_api.c +++ b/src/cadet/cadet_api.c
@@ -485,6 +485,26 @@ add_to_queue (struct GNUNET_CADET_Handle *h,
485		485
486		486
487	/**	487	/**
		488	* Remove a transmit handle from the transmission queue, if present.
		489	*
		490	* Safe to call even if not queued.
		491	*
		492	* @param th handle to the packet to be unqueued.
		493	*/
		494	static void
		495	remove_from_queue (struct GNUNET_CADET_TransmitHandle *th)
		496	{
		497	struct GNUNET_CADET_Handle *h = th->channel->cadet;
		498
		499	/* It might or might not have been queued (rarely not), but check anyway. */
		500	if (NULL != th->next \|\| h->th_tail == th)
		501	{
		502	GNUNET_CONTAINER_DLL_remove (h->th_head, h->th_tail, th);
		503	}
		504	}
		505
		506
		507	/**
488	* Send an ack on the channel to confirm the processing of a message.	508	* Send an ack on the channel to confirm the processing of a message.
489	*	509	*
490	* @param ch Channel on which to send the ACK.	510	* @param ch Channel on which to send the ACK.
@@ -527,16 +547,21 @@ request_data (void *cls)
527	size_t osize;	547	size_t osize;
528		548
529	LOG (GNUNET_ERROR_TYPE_DEBUG, "Requesting Data: %u bytes\n", th->size);	549	LOG (GNUNET_ERROR_TYPE_DEBUG, "Requesting Data: %u bytes\n", th->size);
		550
		551	GNUNET_assert (GNUNET_YES == th->channel->allow_send);
		552	th->channel->allow_send = GNUNET_NO;
530	th->request_data_task = NULL;	553	th->request_data_task = NULL;
531	th->channel->packet_size = 0;	554	th->channel->packet_size = 0;
		555	remove_from_queue (th);
		556
532	env = GNUNET_MQ_msg_extra (msg, th->size,	557	env = GNUNET_MQ_msg_extra (msg, th->size,
533	GNUNET_MESSAGE_TYPE_CADET_LOCAL_DATA);	558	GNUNET_MESSAGE_TYPE_CADET_LOCAL_DATA);
534	msg->id = htonl (th->channel->chid);	559	msg->id = htonl (th->channel->chid);
535	osize = th->notify (th->notify_cls, th->size, &msg[1]);	560	osize = th->notify (th->notify_cls, th->size, &msg[1]);
536	GNUNET_assert (osize == th->size);	561	GNUNET_assert (osize == th->size);
537	th->channel->allow_send = GNUNET_NO;
538	GNUNET_MQ_send (th->channel->cadet->mq, env);	562	GNUNET_MQ_send (th->channel->cadet->mq, env);
539	GNUNET_CADET_notify_transmit_ready_cancel (th);	563
		564	GNUNET_free (th);
540	}	565	}
541		566
542		567
@@ -1665,13 +1690,7 @@ GNUNET_CADET_notify_transmit_ready_cancel (struct GNUNET_CADET_TransmitHandle *t
1665	}	1690	}
1666	th->request_data_task = NULL;	1691	th->request_data_task = NULL;
1667		1692
1668	/* It might or might not have been queued (rarely not), but check anyway. */	1693	remove_from_queue (th);
1669	if (NULL != th->next)
1670	{
1671	struct GNUNET_CADET_Handle *h;
1672	h = th->channel->cadet;
1673	GNUNET_CONTAINER_DLL_remove (h->th_head, h->th_tail, th);
1674	}
1675	GNUNET_free (th);	1694	GNUNET_free (th);
1676	}	1695	}
1677		1696
@@ -1689,12 +1708,12 @@ send_info_request (struct GNUNET_CADET_Handle *h, uint16_t type)
1689	struct GNUNET_MessageHeader *msg;	1708	struct GNUNET_MessageHeader *msg;
1690	struct GNUNET_MQ_Envelope *env;	1709	struct GNUNET_MQ_Envelope *env;
1691		1710
1692	env = GNUNET_MQ_msg (msg, type);
1693	GNUNET_MQ_send (h->mq, env);
1694
1695	LOG (GNUNET_ERROR_TYPE_DEBUG,	1711	LOG (GNUNET_ERROR_TYPE_DEBUG,
1696	" Sending %s message to service\n",	1712	" Sending %s monitor message to service\n",
1697	GC_m2s(type));	1713	GC_m2s(type));
		1714
		1715	env = GNUNET_MQ_msg (msg, type);
		1716	GNUNET_MQ_send (h->mq, env);
1698	}	1717	}
1699		1718
1700		1719