[PATCH] lib: Fix fqueue_next handling of deallocated flows

  • From: Dimitri Staessens <dimitri@ouroboros.rocks>
  • To: ouroboros@xxxxxxxxxxxxx
  • Date: Thu, 31 Mar 2022 08:58:23 +0200

If a flow was deallocated while there were still unprocessed events in
an fqueue, it would cause a SEGV in fqueue_next because it was not
checking the validity of the returned flow descriptor.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
---
 src/lib/dev.c          | 10 ++++++++--
 src/lib/shm_flow_set.c |  1 -
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/lib/dev.c b/src/lib/dev.c
index b935ef86..b06c3c60 100644
--- a/src/lib/dev.c
+++ b/src/lib/dev.c
@@ -165,7 +165,7 @@ static void port_destroy(struct port * p)
         while (p->state != PORT_NULL)
                 pthread_cond_wait(&p->state_cond, &p->state_lock);
 
-        p->fd = -1;
+        p->fd    = -1;
         p->state = PORT_INIT;
 
         pthread_mutex_unlock(&p->state_lock);
@@ -1622,6 +1622,12 @@ static int fqueue_filter(struct fqueue * fq)
                 pthread_rwlock_rdlock(&ai.lock);
 
                 fd = ai.ports[fq->fqueue[fq->next].flow_id].fd;
+                if (fd < 0) {
+                        ++fq->next;
+                        pthread_rwlock_unlock(&ai.lock);
+                        continue;
+                }
+
                 frcti = ai.flows[fd].frcti;
                 if (frcti == NULL) {
                         pthread_rwlock_unlock(&ai.lock);
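Review bot: The new `fd < 0` guard protects the `ai.flows[fd]` access, but `flow_id` read from `fq->fqueue[fq->next]` still indexes `ai.ports[]` unchecked on the line above it; if the fqueue contents come from the shared-memory flow set (the second file in this patch suggests they do), a range check on `flow_id` before that lookup would be the natural companion to this fix, and I would hedge that it belongs here until the producer side is confirmed to validate it. The early `continue` correctly releases `ai.lock` first, so no lock is leaked on the skip path. A one-line comment would make the intent of the sentinel clear to the next reader, since -1 is only assigned in `port_destroy` (the first hunk): `/* Flow was deallocated while this event was pending; drop it. */`. The enclosing loop and the rest of `fqueue_filter` lie outside the hunk.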
@@ -1655,7 +1661,7 @@ static int fqueue_filter(struct fqueue * fq)
                 ++fq->next;
         }
 
-        return fq->next < fq->fqsize;
+        return 0;
 }
 
 int fqueue_next(struct fqueue * fq)
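Review bot: Replacing `return fq->next < fq->fqsize;` with `return 0;` makes the post-loop return unconditional, but nothing in the hunk documents what the function's return value means, so a reader cannot tell whether the earlier expression was dead or whether a "more events remain" signal was dropped. Presumably the loop condition (outside the hunk) is `fq->next < fq->fqsize`, in which case the two forms are equivalent and a header comment on `fqueue_filter` stating the contract — non-zero when a deliverable event is positioned at `fq->next`, zero when the queue is exhausted — would settle it. The start of `fqueue_filter` and its loop are outside this hunk, so I cannot confirm the equivalence from the page.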
diff --git a/src/lib/shm_flow_set.c b/src/lib/shm_flow_set.c
index 25e7e32b..f8c6bb2c 100644
--- a/src/lib/shm_flow_set.c
+++ b/src/lib/shm_flow_set.c
@@ -314,7 +314,6 @@ void shm_flow_set_notify(struct shm_flow_set * set,
                 return;
         }
 
-
         e = fqueue_ptr(set, set->mtable[flow_id]) +
                 set->heads[set->mtable[flow_id]];
 
-- 
2.35.1

