diff options
| author | Brad Fitzpatrick <bradfitz@android.com> | 2011-03-17 17:14:46 -0700 | 
|---|---|---|
| committer | Brad Fitzpatrick <bradfitz@android.com> | 2011-03-22 14:03:11 -0700 | 
| commit | 3549b0dc2829184f9911d27a6ab0cf39b19764f1 (patch) | |
| tree | 7667b9535a0f4d95d755f2e544182f04e9993879 /libsysutils | |
| parent | 13aa8ad44570bceef73115cea749b11f30888530 (diff) | |
| download | system_core-3549b0dc2829184f9911d27a6ab0cf39b19764f1.zip system_core-3549b0dc2829184f9911d27a6ab0cf39b19764f1.tar.gz system_core-3549b0dc2829184f9911d27a6ab0cf39b19764f1.tar.bz2 | |
Fix potential race introduced in Icd7f5f03
Digit wrote:
"You probably don't want to close the socket here without updating
c->socket as well. Otherwise, another thread holding a handle to the
client after the c->decRef() could end up sending a message to a
different socket, if the file descriptor index is reused by another
client in the meantime."
Change-Id: Icdefb5ffc0c7607325d7db761e1f04e5d868bfb7
Diffstat (limited to 'libsysutils')
| -rw-r--r-- | libsysutils/src/SocketClient.cpp | 31 | ||||
| -rw-r--r-- | libsysutils/src/SocketListener.cpp | 7 | 
2 files changed, 22 insertions, 16 deletions
| diff --git a/libsysutils/src/SocketClient.cpp b/libsysutils/src/SocketClient.cpp index 6d4dff4..90ca52e 100644 --- a/libsysutils/src/SocketClient.cpp +++ b/libsysutils/src/SocketClient.cpp @@ -104,20 +104,23 @@ int SocketClient::sendData(const void* data, int len) {  }  void SocketClient::incRef() { -  pthread_mutex_lock(&mRefCountMutex); -  mRefCount++; -  pthread_mutex_unlock(&mRefCountMutex); +    pthread_mutex_lock(&mRefCountMutex); +    mRefCount++; +    pthread_mutex_unlock(&mRefCountMutex);  } -void SocketClient::decRef() { -  bool deleteSelf = false; -  pthread_mutex_lock(&mRefCountMutex); -  mRefCount--; -  if (mRefCount == 0) { -      deleteSelf = true; -  } -  pthread_mutex_unlock(&mRefCountMutex); -  if (deleteSelf) { -      delete this; -  } +bool SocketClient::decRef() { +    bool deleteSelf = false; +    pthread_mutex_lock(&mRefCountMutex); +    mRefCount--; +    if (mRefCount == 0) { +        deleteSelf = true; +    } else if (mRefCount < 0) { +        SLOGE("SocketClient refcount went negative!"); +    } +    pthread_mutex_unlock(&mRefCountMutex); +    if (deleteSelf) { +        delete this; +    } +    return deleteSelf;  } diff --git a/libsysutils/src/SocketListener.cpp b/libsysutils/src/SocketListener.cpp index dde9b55..69ed79e 100644 --- a/libsysutils/src/SocketListener.cpp +++ b/libsysutils/src/SocketListener.cpp @@ -225,8 +225,11 @@ void SocketListener::runListener() {                  }                  pthread_mutex_unlock(&mClientsLock);                  /* Destroy the client */ -                close(c->getSocket()); -                c->decRef(); +                int socket = c->getSocket(); +                if (c->decRef()) { +                    // Note: 'c' is deleted memory at this point. +                    close(socket); +                }              }          }      } | 
