From 30b6998337635a37db93680760637dae759c951d Mon Sep 17 00:00:00 2001
From: dimitri staessens
Date: Sat, 23 Sep 2017 10:01:05 +0200
Subject: ipcpd: Fix data race in shim-udp
This fixes a data race in the shim-udp where the alloc_lock was released before the ipcpi.alloc_id was set.
---
 src/ipcpd/shim-udp/main.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/ipcpd/shim-udp/main.c b/src/ipcpd/shim-udp/main.c
index f47bb01a..d393dc4b 100644
--- a/src/ipcpd/shim-udp/main.c
+++ b/src/ipcpd/shim-udp/main.c
@@ -320,11 +320,12 @@ static int ipcp_udp_port_req(struct sockaddr_in * c_saddr,
 udp_data.fd_to_uf[fd].udp = f_saddr.sin_port;
 pthread_rwlock_unlock(&udp_data.flows_lock);
- pthread_mutex_unlock(&ipcpi.alloc_lock);
 ipcpi.alloc_id = fd;
 pthread_cond_broadcast(&ipcpi.alloc_cond);
+ pthread_mutex_unlock(&ipcpi.alloc_lock);
+
 log_dbg("Pending allocation request, fd %d, UDP port (%d, %d).", fd, ntohs(f_saddr.sin_port), ntohs(c_saddr->sin_port));
@@ -345,7 +346,7 @@ static int udp_port_to_fd(int udp_port)
 static int ipcp_udp_port_alloc_reply(uint16_t src_udp_port,
 uint16_t dst_udp_port,
- int response)
+ int response)
 {
 int fd = -1;
 int ret = 0;
--
cgit v1.2.3
From 17ab2b6d6bc95337d5fd54e058c0822260dbacf1 Mon Sep 17 00:00:00 2001
From: dimitri staessens
Date: Sat, 23 Sep 2017 10:33:54 +0200
Subject: ipcpd: Lock dht before reading parameters
---
 src/ipcpd/normal/dht.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/ipcpd/normal/dht.c b/src/ipcpd/normal/dht.c
index af1686a9..2e6f60ab 100644
--- a/src/ipcpd/normal/dht.c
+++ b/src/ipcpd/normal/dht.c
@@ -1961,7 +1961,7 @@ static int kad_handle_join_resp(struct dht * dht,
 return -1;
 }
- pthread_rwlock_wrlock(&dht->lock);
+ pthread_rwlock_rdlock(&dht->lock);
 dht->buckets = bucket_create();
 if (dht->buckets == NULL) {
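Review bot: Nothing at the `ipcpi.alloc_id = fd;` store in ipcp_udp_port_req (src/ipcpd/shim-udp/main.c, hunk at -320) records that the field is guarded by `ipcpi.alloc_lock`, which is the invariant this reordering restores. A one-line comment above the assignment, for example `/* alloc_id is protected by alloc_lock: set it and signal before unlocking. */`, would keep the unlock from drifting back above the store in a later edit. The function starts before and ends after this hunk, so where alloc_lock is acquired is not visible here.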
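Review bot: In kad_handle_join_resp (src/ipcpd/normal/dht.c, hunk at -1961) the lock taken just before `dht->buckets = bucket_create();` is now a read lock, yet that statement writes a field of the shared dht. A read lock does not exclude other readers, so any thread that inspects `dht->buckets` under `pthread_rwlock_rdlock` can run concurrently with this store, and two join responses handled at the same time could each install a bucket tree. The handler name suggests it runs on a message received from a peer, which would make the race reachable from the network. Unless writer exclusion is provided somewhere outside this hunk, keep `pthread_rwlock_wrlock(&dht->lock);` here. The function begins before and continues after the hunk, so any earlier state check and the matching unlock path are not visible.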
@@ -1992,8 +1992,6 @@ static int kad_handle_join_resp(struct dht * dht,
 kad_req_respond(req);
- dht_update_bucket(dht, msg->s_id.data, msg->s_addr);
-
 pthread_rwlock_unlock(&dht->lock);
 log_dbg("Enrollment of DHT completed.");
@@ -2223,6 +2221,8 @@ static void * dht_handle_sdu(void * o)
 uint64_t addr;
 buffer_t buf;
 size_t i;
+ size_t b;
+ size_t t_expire;
 assert(o);
@@ -2247,13 +2247,20 @@ static void * dht_handle_sdu(void * o)
 return (void *) -1;
 }
- if (msg->has_key && msg->key.len != dht->b) {
+ pthread_rwlock_rdlock(&dht->lock);
+
+ b = dht->b;
+ t_expire = dht->t_expire;
+
+ pthread_rwlock_unlock(&dht->lock);
+
+ if (msg->has_key && msg->key.len != b) {
 kad_msg__free_unpacked(msg, NULL);
 log_warn("Bad key in message.");
 return (void *) -1;
 }
- if (msg->has_s_id && !msg->has_b && msg->s_id.len != dht->b) {
+ if (msg->has_s_id && !msg->has_b && msg->s_id.len != b) {
 kad_msg__free_unpacked(msg, NULL);
 log_warn("Bad source ID in message of type %d.", msg->code);
 return (void *) -1;
@@ -2299,9 +2306,9 @@ static void * dht_handle_sdu(void * o)
 resp_msg.has_t_refresh = true;
 resp_msg.has_t_replicate = true;
 resp_msg.alpha = KAD_ALPHA;
- resp_msg.b = dht->b;
+ resp_msg.b = b;
 resp_msg.k = KAD_K;
- resp_msg.t_expire = dht->t_expire;
+ resp_msg.t_expire = t_expire;
 resp_msg.t_refresh = KAD_T_REFR;
 resp_msg.t_replicate = KAD_T_REPL;
 break;
--
cgit v1.2.3
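Review bot: In dht_handle_sdu (src/ipcpd/normal/dht.c, hunk at -2247) the read lock is released before the `msg->key.len != b` and `msg->s_id.len != b` checks, so incoming lengths are validated against a snapshot of `dht->b` that may be stale by the time the message is handled. That is sound only if everything after this point keeps using the local `b`. Any handler further down that re-reads `dht->b` to size a copy or comparison of the key could disagree with the length accepted here. I would add `/* b and t_expire are snapshots taken under dht->lock; do not re-read dht->b below. */` above the rdlock and check the remainder of the function, which lies outside this hunk, for direct reads.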