Browse code
c-rest-engine : Bad memory write fix
Change-Id: I56a642f6f36400afd0a28e2c358c4a7e63cd8abf
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4755
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Kumar Kaushik <kaushikk@vmware.com>
Kumar Kaushik authored on 2018/02/07 10:38:39Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,158 @@ |
| 0 |
+From 4c271a2f34167495ed82da3e7ada52f4808fe121 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Kumar Kaushik <kaushikk@vmware.com> |
|
| 2 |
+Date: Tue, 6 Feb 2018 16:51:09 -0800 |
|
| 3 |
+Subject: [PATCH] Fixing bad memory write bug |
|
| 4 |
+ |
|
| 5 |
+Change-Id: I483b13d2b2f99be7ebbbc77ed4f2dbf41aa7f580 |
|
| 6 |
+--- |
|
| 7 |
+ test/scripts/BUGS_TC/BUG-2052415/README | 41 ++++++++++++++ |
|
| 8 |
+ test/scripts/BUGS_TC/BUG-2052415/restclient.c | 79 +++++++++++++++++++++++++++ |
|
| 9 |
+ transport/posix/socket.c | 1 + |
|
| 10 |
+ 3 files changed, 121 insertions(+) |
|
| 11 |
+ create mode 100644 test/scripts/BUGS_TC/BUG-2052415/README |
|
| 12 |
+ create mode 100644 test/scripts/BUGS_TC/BUG-2052415/restclient.c |
|
| 13 |
+ |
|
| 14 |
+diff --git a/test/scripts/BUGS_TC/BUG-2052415/README b/test/scripts/BUGS_TC/BUG-2052415/README |
|
| 15 |
+new file mode 100644 |
|
| 16 |
+index 0000000..814a32a |
|
| 17 |
+--- /dev/null |
|
| 18 |
+@@ -0,0 +1,41 @@ |
|
| 19 |
++Bugzilla Id: 2052415 |
|
| 20 |
++ |
|
| 21 |
++Category: Catastrophic/Crash |
|
| 22 |
++ |
|
| 23 |
++Description: |
|
| 24 |
++Server crash observed when client opens number of connection and times out. No data is sent. |
|
| 25 |
++ |
|
| 26 |
++Step to reproduce: |
|
| 27 |
++ |
|
| 28 |
++Specific configuration: |
|
| 29 |
++1. Worker threads count 2. |
|
| 30 |
++2. No Secure connection required. |
|
| 31 |
++ |
|
| 32 |
++ |
|
| 33 |
++Start server( Keep it running ) |
|
| 34 |
++Refer RUN-SIMPLE-SERVER doc in test/scripts directory. (TODO) |
|
| 35 |
++ |
|
| 36 |
++Open terminal on Ubuntu VM( or any other distro) |
|
| 37 |
++1. Wget the source file from the same directory (restclient.c) |
|
| 38 |
++2. Edit SERVER_IP and SERVER_PORT macro in the source file to your server. |
|
| 39 |
++3. Compile the downloaded client source (gcc -o restclient restclient.c) |
|
| 40 |
++4. Install "parallel" on the Ubuntu distro |
|
| 41 |
++5. Run following command |
|
| 42 |
++ "seq 0 100 | parallel -j50 ./restclient" |
|
| 43 |
++ |
|
| 44 |
++ |
|
| 45 |
++Server will crash. This might take anything between couple of second to 10-15 mins. |
|
| 46 |
++ |
|
| 47 |
++ |
|
| 48 |
++ROOT CAUSE: |
|
| 49 |
++Bad memory write happened for back pointer reference for timer socket which was already freed. |
|
| 50 |
++This was reported by valgrind also. |
|
| 51 |
++ |
|
| 52 |
++Fix: |
|
| 53 |
++Setting appropiate back pointer to NULL at right place. |
|
| 54 |
++ |
|
| 55 |
++ |
|
| 56 |
++Test: |
|
| 57 |
++Ran the same test for serveral hours. No crash seen. |
|
| 58 |
++Ran under valgrind, no bad write reported. |
|
| 59 |
++All c-rest-engine BVT |
|
| 60 |
+diff --git a/test/scripts/BUGS_TC/BUG-2052415/restclient.c b/test/scripts/BUGS_TC/BUG-2052415/restclient.c |
|
| 61 |
+new file mode 100644 |
|
| 62 |
+index 0000000..a352055 |
|
| 63 |
+--- /dev/null |
|
| 64 |
+@@ -0,0 +1,79 @@ |
|
| 65 |
++/************************************************************************** |
|
| 66 |
++* This test client will open connection to server but will not send any |
|
| 67 |
++* data. This will make server to timeout and execute the timeout code |
|
| 68 |
++* path. Please refer README in the same folder for more information |
|
| 69 |
++**************************************************************************/ |
|
| 70 |
++ |
|
| 71 |
++#include <stdio.h> |
|
| 72 |
++#include <stdlib.h> |
|
| 73 |
++#include <unistd.h> |
|
| 74 |
++#include <errno.h> |
|
| 75 |
++#include <string.h> |
|
| 76 |
++#include <netdb.h> |
|
| 77 |
++#include <sys/types.h> |
|
| 78 |
++#include <netinet/in.h> |
|
| 79 |
++#include <sys/socket.h> |
|
| 80 |
++#include <arpa/inet.h> |
|
| 81 |
++#include <fcntl.h> |
|
| 82 |
++ |
|
| 83 |
++/************** EDIT THIS **************/ |
|
| 84 |
++ |
|
| 85 |
++#define SERVER_IP "172.16.127.131" |
|
| 86 |
++#define SERVER_PORT "81" |
|
| 87 |
++ |
|
| 88 |
++/***************************************/ |
|
| 89 |
++ |
|
| 90 |
++ |
|
| 91 |
++#define MAXDATASIZE 4096 |
|
| 92 |
++ |
|
| 93 |
++ |
|
| 94 |
++int main(int argc, char *argv[]) |
|
| 95 |
++{
|
|
| 96 |
++ int sockfd = -1; |
|
| 97 |
++ int nBytes = 0; |
|
| 98 |
++ char buf[MAXDATASIZE] = {0};
|
|
| 99 |
++ struct addrinfo hints, *servinfo, *p; |
|
| 100 |
++ int rv; |
|
| 101 |
++ char s[INET6_ADDRSTRLEN]; |
|
| 102 |
++ |
|
| 103 |
++again: |
|
| 104 |
++ memset(&hints, 0, sizeof(hints)); |
|
| 105 |
++ hints.ai_family = AF_UNSPEC; |
|
| 106 |
++ hints.ai_socktype = SOCK_STREAM; |
|
| 107 |
++ |
|
| 108 |
++ if ((rv = getaddrinfo(SERVER_IP, SERVER_PORT, &hints, &servinfo)) != 0) {
|
|
| 109 |
++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rv)); |
|
| 110 |
++ return 1; |
|
| 111 |
++ } |
|
| 112 |
++ |
|
| 113 |
++ for(p = servinfo; p != NULL; p = p->ai_next) {
|
|
| 114 |
++ if ((sockfd = socket(p->ai_family, p->ai_socktype, |
|
| 115 |
++ p->ai_protocol)) == -1) {
|
|
| 116 |
++ perror("client: socket");
|
|
| 117 |
++ continue; |
|
| 118 |
++ } |
|
| 119 |
++ |
|
| 120 |
++ if (connect(sockfd, p->ai_addr, p->ai_addrlen) == -1) {
|
|
| 121 |
++ close(sockfd); |
|
| 122 |
++ perror("client: connect");
|
|
| 123 |
++ continue; |
|
| 124 |
++ } |
|
| 125 |
++ |
|
| 126 |
++ break; |
|
| 127 |
++ } |
|
| 128 |
++ |
|
| 129 |
++ if (p == NULL) {
|
|
| 130 |
++ printf("client: failed to connect\n");
|
|
| 131 |
++ return 2; |
|
| 132 |
++ } |
|
| 133 |
++ |
|
| 134 |
++ freeaddrinfo(servinfo); |
|
| 135 |
++ |
|
| 136 |
++ nBytes = read(sockfd, buf, MAXDATASIZE); |
|
| 137 |
++ |
|
| 138 |
++ close(sockfd); |
|
| 139 |
++ goto again; |
|
| 140 |
++ |
|
| 141 |
++ return 0; |
|
| 142 |
++ |
|
| 143 |
++} |
|
| 144 |
+diff --git a/transport/posix/socket.c b/transport/posix/socket.c |
|
| 145 |
+index 207075b..ec7ed3d 100644 |
|
| 146 |
+--- a/transport/posix/socket.c |
|
| 147 |
+@@ -661,6 +661,7 @@ VmSockPosixWaitForEvent( |
|
| 148 |
+ ); |
|
| 149 |
+ } |
|
| 150 |
+ } |
|
| 151 |
++ pEventSocket->pIoSocket->pTimerSocket = NULL; |
|
| 152 |
+ } |
|
| 153 |
+ |
|
| 154 |
+ /** Close and free the timer socket ****/ |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Name: c-rest-engine |
| 2 | 2 |
Summary: minimal http(s) server library |
| 3 | 3 |
Version: 1.1 |
| 4 |
-Release: 8%{?dist}
|
|
| 4 |
+Release: 9%{?dist}
|
|
| 5 | 5 |
Group: Applications/System |
| 6 | 6 |
Vendor: VMware, Inc. |
| 7 | 7 |
License: Apache 2.0 |
| ... | ... |
@@ -20,6 +20,7 @@ Patch4: ssl_shutdown.patch |
| 20 | 20 |
Patch5: minimal_request_logging.patch |
| 21 | 21 |
Patch6: connection_timeout.patch |
| 22 | 22 |
Patch7: reqLine_parsing_check.patch |
| 23 |
+Patch8: bad_mem_write.patch |
|
| 23 | 24 |
%define sha1 c-rest-engine=a25927fd98ec92df5e210cc4941fa626604636f6 |
| 24 | 25 |
|
| 25 | 26 |
%description |
| ... | ... |
@@ -46,7 +47,7 @@ development libs and header files for c-rest-engine |
| 46 | 46 |
%patch5 -p1 |
| 47 | 47 |
%patch6 -p1 |
| 48 | 48 |
%patch7 -p1 |
| 49 |
- |
|
| 49 |
+%patch8 -p1 |
|
| 50 | 50 |
|
| 51 | 51 |
%build |
| 52 | 52 |
cd build |
| ... | ... |
@@ -79,8 +80,10 @@ find %{buildroot} -name '*.la' -delete
|
| 79 | 79 |
# %doc ChangeLog README COPYING |
| 80 | 80 |
|
| 81 | 81 |
%changelog |
| 82 |
-* Wed Jan 31 2018 Kumar Kaushik <kaushikk@vmware.com> 1.1-8 |
|
| 83 |
-- Fixing timeout connection cleanup issue. |
|
| 82 |
+* Tue Feb 06 2018 Kumar Kaushik <kaushikk@vmware.com> 1.1-9 |
|
| 83 |
+- Fixing bad memory write crash. |
|
| 84 |
+* Mon Jan 29 2018 Kumar Kaushik <kaushikk@vmware.com> 1.1-8 |
|
| 85 |
+- Adding fix for timeout cleanup on IO socket. |
|
| 84 | 86 |
* Fri Dec 15 2017 Kumar Kaushik <kaushikk@vmware.com> 1.1-7 |
| 85 | 87 |
- Adding patch for minimal packet level logging. |
| 86 | 88 |
* Wed Nov 29 2017 Kumar Kaushik <kaushikk@vmware.com> 1.1-6 |