Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#166 closed defect (fixed)

libc: three serious __libc_tcpipops_Close4x bugs that might cause process crashes/hangs

Reported by: bird
Owned by: bird
Priority: normal
Milestone: libc-0.6.3
Component: libc-backend
Version: 0.6.2
Severity: major
Keywords: tcpip exitlist close
Cc:

Description (last modified by bird)

The tcpip close method in tcpipver.cpp doesn't unlink the socket handle when it should, i.e. when the caller will be freeing it. This may cause corruption, crashes and exitlist hangs (with high cpu load).

When the socket is in use by another process and the close method only removes it from the tcpip32.dll exit list todos, it will set rc to 1 and think it failed. This typically happens when forking or spawning (libc) children. The result of this bug is that the socket, which is really closed, appears as not closed and we will attempt to close it again (at exit if not earlier). It may also be incorrectly inherited by children, which will confuse them. It may also break assumptions about dup()/open() results, like in cupsd.

The tcpip dll was loaded after the file handles were brought over to the child process, causing all symbol resolving to fail/crash.
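The second bug in the description, as an added example in simplified C. It is a model written for this page, not the libc code from tcpipver.cpp or changeset [3372]; the handle table, function names and `RC_*` constants are assumptions. It shows how treating rc 1 as a failure leaves a stale handle that shifts the next lowest-free descriptor and gets closed again at exit.

```c
#include <stdio.h>

#define MAX_FH 8
enum { RC_CLOSED = 0, RC_EXITLIST_ONLY = 1 }; /* constructed names; the ticket only says rc is set to 1 */
static int in_use[MAX_FH];                    /* hypothetical per-process handle table */

/* Lowest free slot: the rule that callers of open()/dup() rely on. */
static int alloc_lowest(void) {
    for (int fd = 0; fd < MAX_FH; fd++)
        if (!in_use[fd]) { in_use[fd] = 1; return fd; }
    return -1;
}

/* Stand-in for the backend: a socket shared with another process is only
   dropped from this process's exit list, which is reported as 1. */
static int backend_close(int shared) { return shared ? RC_EXITLIST_ONLY : RC_CLOSED; }

/* Before: rc == 1 is mistaken for failure, so the handle stays linked. */
static int close_buggy(int fd, int shared) {
    if (backend_close(shared) != RC_CLOSED) return -1;
    in_use[fd] = 0;
    return 0;
}

/* After (one possible correction in this model): 0 and 1 both mean this
   process is done with the socket, so the handle is always unlinked. */
static int close_fixed(int fd, int shared) {
    (void)backend_close(shared);
    in_use[fd] = 0;
    return 0;
}

/* Open a shared socket, close it, then report which slot the next open gets
   and how many handles an exit-time sweep would try to close again. */
static void scenario(int (*closer)(int, int), int *next_fd, int *closed_again) {
    for (int i = 0; i < MAX_FH; i++) in_use[i] = (i < 3); /* 0,1,2 = stdio */
    int sock = alloc_lowest();                            /* slot 3 */
    closer(sock, 1);                                      /* shared with a forked child */
    *next_fd = alloc_lowest();
    in_use[*next_fd] = 0;                                 /* release the probe slot */
    *closed_again = 0;
    for (int fd = 3; fd < MAX_FH; fd++) *closed_again += in_use[fd];
}

int main(void) {
    int next, again;
    scenario(close_buggy, &next, &again); printf("buggy: next fd %d, re-closed %d\n", next, again);
    scenario(close_fixed, &next, &again); printf("fixed: next fd %d, re-closed %d\n", next, again);
    return 0;
}
```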

Change History (3)

comment:1 Changed 12 years ago by bird

  • Description modified (diff)
  • Status changed from new to assigned
  • Summary changed from libc: two serious __libc_tcpipops_Close4x bugs that might cause process crashes/hangs to libc: three serious __libc_tcpipops_Close4x bugs that might cause process crashes/hangs

comment:2 Changed 12 years ago by bird

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3372]) Fixes #166.

comment:3 Changed 12 years ago by bird

  • Component changed from baselayout to libc-backend