[Date Prev][Date Next]
(ITS#8232) potential crash from syncprov_op_abandon
Full_Name: Howard Chu
Submission from: (NULL) (188.8.131.52)
Submitted by: hyc
If a connection closes while syncprov_search_response is turning the current
search op into a detached psearch op, connection_abandon() may get run on the
connection while both the original and the detached copy of the op are present
on the connection queue. detach_op will append the new copy onto the end of the
connection_abandon will find the original op first, and call into
syncprov_op_abandon. syncprov_op_abandon will cause the detached copy to be
freed from the si->si_ops list (since both copies have same connid and msgid).
If there has been no other activity on the connection, then the original op's
o_next will be pointing to the detached copy. connection_abandon is using this
o_next to iterate thru the connection's queue. After syncprov frees this copy,
connection_abandon will probably SEGV.
The fix is to prevent connection_abandon from calling abandon handlers on an op
that has already been abandoned.