Date: Thu, 10 Oct 1996 17:12:20 PDT
From: Bill Fenner <fenner@parc.xerox.com>
To: Karl Denninger <karl@mcs.net>
Cc: fenner@parc.xerox.com (Bill Fenner), current@freebsd.org, hackers@freebsd.org, pst@jnx.com
Subject: Re: Crash in -current (and fix) - plus NEW issue!
Message-ID: <96Oct10.171224pdt.177476@crevenia.parc.xerox.com>
In-Reply-To: Your message of "Thu, 10 Oct 96 16:47:04 PDT." <199610102347.SAA16950@Jupiter.Mcs.Net>
In message <199610102347.SAA16950@Jupiter.Mcs.Net> you write:
>From what I can see of the code the following fragment looked safe:
>
>sofree(so2);
>so2=sonewconn(so, 0);
I think this will leave the socket on the incomplete connections queue.
tcp_drop() already tries to free the socket, but sofree() refuses since
so_flags has SS_NOFDREF set. This means that it will still take up
a queue slot even though that's exactly what we're trying to avoid.
I think my suggested fix is:
    if (so2) {
        so2->so_flags &= ~SS_NOFDREF;
        tcp_drop(sototcpcb(so2), ETIMEDOUT);
        so2 = sonewconn(so, 0);
        if (so2 == 0) /* can't happen? */
            goto drop;
    } else
        goto drop;
Turning off SS_NOFDREF will let tcp_drop free the socket, and you check
to make absolutely sure that sonewconn() gave you something.
>So I inserted that in the appropriate place... We'll see what happens; I'm
>running that test kernel now on the machine which was blowing up.
I think it'll still blow up; since sofree() doesn't actually free the
socket (or remove it from the lists), the so2=sonewconn(so,0) will fail
and if you don't check the result you'll die later.
Bill
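The following is an added, self-contained model of the queue-slot argument made in this message; it is not FreeBSD code and not Bill's or Karl's. The structures, the queue limit (SO_QLIMIT), and the rule that sofree() is a no-op while SS_NOFDREF is set are assumptions taken from the message's description rather than from the kernel sources. It runs the unchecked fragment and the suggested fix against a full incomplete-connection queue and reports whether a replacement socket was actually obtained.

```c
/* Toy model of the listen-queue behaviour discussed in the message above.
 * Not FreeBSD kernel code: names mirror the kernel's, the mechanics follow
 * the message's description, and the sizes are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SS_NOFDREF 0x01 /* socket has no file-descriptor reference */
#define SO_QLIMIT  3    /* tiny incomplete-connection queue for the demo */

struct socket {
    int so_flags;
};

/* The listening socket's queue of incomplete (half-open) connections. */
struct listen_queue {
    struct socket *so_q0[SO_QLIMIT];
    int so_q0len;
};

static struct listen_queue head;

/* Model of sonewconn(): allocate a socket for a new connection and take a
 * queue slot. Returns NULL when the queue is full, so callers must check. */
static struct socket *sonewconn(struct listen_queue *q)
{
    if (q->so_q0len >= SO_QLIMIT)
        return NULL;
    struct socket *so = calloc(1, sizeof *so);
    if (so == NULL)
        return NULL;
    so->so_flags |= SS_NOFDREF; /* a new connection starts without an fd */
    q->so_q0[q->so_q0len++] = so;
    return so;
}

/* Model of sofree() as the message describes it: with SS_NOFDREF set the
 * call does nothing, so the socket keeps its queue slot. Returns 1 if freed. */
static int sofree(struct listen_queue *q, struct socket *so)
{
    if (so->so_flags & SS_NOFDREF)
        return 0;
    for (int i = 0; i < q->so_q0len; i++) {
        if (q->so_q0[i] == so) {
            memmove(&q->so_q0[i], &q->so_q0[i + 1],
                    (size_t)(q->so_q0len - i - 1) * sizeof q->so_q0[0]);
            q->so_q0len--;
            break;
        }
    }
    free(so);
    return 1;
}

/* Model of tcp_drop(): tearing the connection down ends in sofree(). */
static int tcp_drop(struct listen_queue *q, struct socket *so)
{
    return sofree(q, so);
}

/* Release every queued socket so a scenario can start from an empty queue. */
static void reset_queue(struct listen_queue *q)
{
    for (int i = 0; i < q->so_q0len; i++)
        free(q->so_q0[i]);
    q->so_q0len = 0;
}

/* Fill the queue to its limit and return the socket we will try to replace. */
static struct socket *fill_queue(struct listen_queue *q)
{
    reset_queue(q);
    struct socket *so = NULL;
    for (int i = 0; i < SO_QLIMIT; i++)
        so = sonewconn(q);
    return so;
}

/* The quoted fragment: sofree() then sonewconn(), result unchecked.
 * Returns 1 only if a replacement socket was really obtained. */
static int replace_unchecked(struct listen_queue *q, struct socket *so2)
{
    sofree(q, so2);       /* refuses: SS_NOFDREF is still set */
    so2 = sonewconn(q);   /* queue still full, so this yields NULL */
    return so2 != NULL;   /* the real code would dereference so2 here */
}

/* The suggested fix: clear SS_NOFDREF so tcp_drop() really frees the socket,
 * then check sonewconn()'s result before relying on it. */
static int replace_checked(struct listen_queue *q, struct socket *so2)
{
    so2->so_flags &= ~SS_NOFDREF;
    tcp_drop(q, so2);
    so2 = sonewconn(q);
    return so2 != NULL;   /* "can't happen", but the check costs nothing */
}

int main(void)
{
    struct socket *so2 = fill_queue(&head);
    printf("unchecked: got socket=%d, queue len=%d\n",
           replace_unchecked(&head, so2), head.so_q0len);
    so2 = fill_queue(&head);
    printf("checked:   got socket=%d, queue len=%d\n",
           replace_checked(&head, so2), head.so_q0len);
    reset_queue(&head);
    return 0;
}
```

With the queue full, the unchecked path reports no socket and an unchanged queue length (the slot was never released), while the checked path frees a slot, refills it and reports a usable socket; the NULL check is what turns the "can't happen" case into a clean drop instead of a dereference.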
