Date:      Thu, 10 Oct 1996 19:40:50 -0500 (CDT)
From:      Karl Denninger  <karl@Mcs.Net>
To:        fenner@parc.xerox.com (Bill Fenner)
Cc:        karl@Mcs.Net, fenner@parc.xerox.com, current@freebsd.org, hackers@freebsd.org, pst@jnx.com
Subject:   Re: Crash in -current (and fix) - plus NEW issue!
Message-ID:  <199610110040.TAA18402@Jupiter.Mcs.Net>
In-Reply-To: <96Oct10.171224pdt.177476@crevenia.parc.xerox.com> from "Bill Fenner" at Oct 10, 96 05:12:20 pm

> 
> In message <199610102347.SAA16950@Jupiter.Mcs.Net> you write:
> >From what I can see of the code the following fragment looked safe:
> >
> >sofree(so2);
> >so2=sonewconn(so, 0);
> 
> I think this will leave the socket on the incomplete connections queue.
> tcp_drop() already tries to free the socket, but sofree() refuses since
> so_flags has SS_NOFDREF set.  This means that it will still take up
> a queue slot even though that's exactly what we're trying to avoid.
> 
> I think my suggested fix is:
> 
>                                 if (so2) {
>                                     so2->so_flags &= ~SS_NOFDREF;
>                                     tcp_drop(sototcpcb(so2), ETIMEDOUT);
>                                     so2 = sonewconn(so, 0);
>                                     if (so2 == 0)       /* can't happen? */
>                                         goto drop;
>                                 } else
>                                     goto drop;
> 
> Turning off SS_NOFDREF will let tcp_drop free the socket, and you check
> to make absolutely sure that sonewconn() gave you something.

This blows up because the compiler claims that "so2->so_flags" is not a
member (the flag word isn't there?)

> >So I inserted that in the appropriate place...  We'll see what happens; I'm
> >running that test kernel now on the machine which was blowing up.
> 
> I think it'll still blow up; since sofree() doesn't actually free the
> socket (or remove it from the lists), the so2=sonewconn(so,0) will fail
> and if you don't check the result you'll die later.
> 
>   Bill

I'll have to look at this more closely.

--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1 from $600 monthly; speeds to DS-3 available
			     | 23 Chicagoland Prefixes, 13 ISDN, much more
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | Home of Chicago's only FULL Clarinet feed!
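The queue-slot problem discussed in the quoted exchange, as an added user-space model written for this archive page (not FreeBSD kernel code and not either poster's patch): a tiny incomplete-connection queue in which a sofree() that refuses to free leaves the slot occupied, so the sonewconn() that follows returns NULL and must be checked. The socket layout, the queue, and the sofree() early-return condition are simplifications assumed here; the condition follows 4.4BSD as this example's author recalls it.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SS_NOFDREF 0x001   /* socket has no file-descriptor reference (BSD bit name) */
#define QLIMIT 3           /* tiny incomplete-connection queue so the demo fills fast */

struct socket {
    int so_state;
    void *so_pcb;          /* protocol control block; non-NULL while still attached */
};

static struct socket *q0[QLIMIT]; /* model of the listener's incomplete queue */
static int q0len;

/* Model of sofree(): bail out unless the pcb is detached and SS_NOFDREF is set
 * (assumed 4.4BSD condition); otherwise dequeue and free. A refusal is silent,
 * which is exactly why the queue slot stays occupied. */
static void sofree(struct socket *so)
{
    if (so->so_pcb || (so->so_state & SS_NOFDREF) == 0)
        return;
    for (int i = 0; i < q0len; i++)
        if (q0[i] == so) { memmove(&q0[i], &q0[i + 1], (q0len - i - 1) * sizeof *q0); q0len--; break; }
    free(so);
}

/* Model of sonewconn(): NULL when the queue is full, else a new queued socket. */
static struct socket *sonewconn(void)
{
    if (q0len >= QLIMIT) return NULL;
    struct socket *so = calloc(1, sizeof *so);
    so->so_state = SS_NOFDREF;
    so->so_pcb = so;              /* constructed: any non-NULL value stands for an attached pcb */
    q0[q0len++] = so;
    return so;
}

/* Model of tcp_drop(): detach the pcb first, then let sofree() do the work. */
static void tcp_drop(struct socket *so) { so->so_pcb = NULL; sofree(so); }

static void fill_queue(void) { while (q0len) free(q0[--q0len]); while (sonewconn()) ; }

/* Naive path: sofree() on a still-attached socket, then sonewconn() with no check. */
static struct socket *naive_replace_oldest(void)
{
    fill_queue();
    sofree(q0[0]);                /* no effect: pcb still attached, slot still taken */
    return sonewconn();           /* NULL; dereferencing it unchecked is the later crash */
}

/* Corrected path: drop through the protocol, which frees the slot, and check the result. */
static int careful_replace_oldest(void)
{
    fill_queue();
    tcp_drop(q0[0]);
    struct socket *so2 = sonewconn();
    return so2 != NULL && q0len == QLIMIT;
}
```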