From: Skywing Date: Fri, 27 Jun 2008 23:13:59 +0000 (-0500) Subject: Fix reference count bug leading to memory corruption on duplicate deletions. X-Git-Tag: silc.server.1.1.13^2 X-Git-Url: http://git.silcnet.org/gitweb/?p=silc.git;a=commitdiff_plain;h=90e14dc985628e0b0f86e604d511039d302dc956 Fix reference count bug leading to memory corruption on duplicate deletions. --- diff --git a/lib/silcclient/client.c b/lib/silcclient/client.c index 7811bfa1..3ab7ba17 100644 --- a/lib/silcclient/client.c +++ b/lib/silcclient/client.c @@ -55,7 +55,7 @@ static void silc_client_connection_finished(SilcFSMThread fsm, SilcClient client = silc_fsm_get_state_context(fsm); /* Signal client that we have finished */ - silc_atomic_sub_int16(&client->internal->conns, 1); + silc_atomic_sub_int32(&client->internal->conns, 1); client->internal->connection_closed = TRUE; SILC_FSM_EVENT_SIGNAL(&client->internal->wait_event); @@ -529,7 +529,7 @@ SILC_FSM_STATE(silc_client_st_run) /* A connection finished */ SILC_LOG_DEBUG(("Event: connection closed")); client->internal->connection_closed = FALSE; - if (silc_atomic_get_int16(&client->internal->conns) == 0 && + if (silc_atomic_get_int32(&client->internal->conns) == 0 && client->internal->stop) SILC_FSM_EVENT_SIGNAL(&client->internal->wait_event); return SILC_FSM_CONTINUE; @@ -538,7 +538,7 @@ SILC_FSM_STATE(silc_client_st_run) if (client->internal->stop) { /* Stop client libarry. If we have running connections, wait until they finish first. */ - if (silc_atomic_get_int16(&client->internal->conns) == 0) { + if (silc_atomic_get_int32(&client->internal->conns) == 0) { SILC_LOG_DEBUG(("Event: stop")); silc_fsm_next(fsm, silc_client_st_stop); } @@ -674,7 +674,7 @@ silc_client_add_connection(SilcClient client, silc_fsm_start(thread, silc_client_connection_st_start); SILC_LOG_DEBUG(("New connection %p", conn)); - silc_atomic_add_int16(&client->internal->conns, 1); + silc_atomic_add_int32(&client->internal->conns, 1); return conn; } @@ -938,7 +938,7 @@ SilcClient silc_client_alloc(SilcClientOperations *ops, nickname_format[sizeof(new_client->internal-> params->nickname_format) - 1] = 0; - silc_atomic_init16(&new_client->internal->conns, 0); + silc_atomic_init32(&new_client->internal->conns, 0); return new_client; } @@ -966,7 +966,7 @@ void silc_client_free(SilcClient client) silc_dlist_uninit(client->internal->ftp_sessions); if (client->internal->lock) silc_mutex_free(client->internal->lock); - silc_atomic_uninit16(&client->internal->conns); + silc_atomic_uninit32(&client->internal->conns); silc_free(client->username); silc_free(client->hostname); silc_free(client->realname); diff --git a/lib/silcclient/client.h b/lib/silcclient/client.h index ac1116d2..ebe41fe9 100644 --- a/lib/silcclient/client.h +++ b/lib/silcclient/client.h @@ -60,7 +60,9 @@ typedef struct SilcClientEntryInternalStruct { unsigned int prv_resp : 1; /* TRUE if we are responder when using private message keys. */ SilcUInt16 resolve_cmd_ident; /* Command identifier when resolving */ - SilcAtomic8 refcnt; /* Reference counter */ + SilcAtomic32 refcnt; /* Reference counter */ + SilcAtomic32 deleted; /* Flag indicating whether the client object is + already scheduled for deletion.*/ } SilcClientEntryInternal; /* Internal channel entry context */ @@ -87,14 +89,16 @@ typedef struct SilcChannelEntryInternalStruct { stuff that relates to the channel. Not used for the channel resolving itself. */ - SilcAtomic16 refcnt; /* Reference counter */ + SilcAtomic32 refcnt; /* Reference counter */ + SilcAtomic32 deleted; /* Flag indicating whether the channel object is + already scheduled for deletion.*/ } SilcChannelEntryInternal; /* Internal server entry context */ typedef struct SilcServerEntryInternalStruct { SilcRwLock lock; /* Read/write lock */ SilcUInt16 resolve_cmd_ident; /* Resolving identifier */ - SilcAtomic8 refcnt; /* Reference counter */ + SilcAtomic32 refcnt; /* Reference counter */ } SilcServerEntryInternal; #endif /* CLIENT_H */ diff --git a/lib/silcclient/client_entry.c b/lib/silcclient/client_entry.c index 0933c3d4..bdcdd1ca 100644 --- a/lib/silcclient/client_entry.c +++ b/lib/silcclient/client_entry.c @@ -791,7 +791,8 @@ SilcClientEntry silc_client_add_client(SilcClient client, return NULL; silc_rwlock_alloc(&client_entry->internal.lock); - silc_atomic_init8(&client_entry->internal.refcnt, 0); + silc_atomic_init32(&client_entry->internal.refcnt, 0); + silc_atomic_init32(&client_entry->internal.deleted, 1); client_entry->id = *id; client_entry->mode = mode; client_entry->realname = userinfo ? strdup(userinfo) : NULL; @@ -995,7 +996,8 @@ void silc_client_del_client_entry(SilcClient client, silc_client_ftp_session_free_client(client, client_entry); if (client_entry->internal.ke) silc_client_abort_key_agreement(client, conn, client_entry); - silc_atomic_uninit8(&client_entry->internal.refcnt); + silc_atomic_uninit32(&client_entry->internal.deleted); + silc_atomic_uninit32(&client_entry->internal.refcnt); silc_rwlock_free(client_entry->internal.lock); silc_free(client_entry); } @@ -1005,30 +1007,19 @@ void silc_client_del_client_entry(SilcClient client, SilcBool silc_client_del_client(SilcClient client, SilcClientConnection conn, SilcClientEntry client_entry) { - SilcBool ret; - if (!client_entry) return FALSE; - if (silc_atomic_sub_int8(&client_entry->internal.refcnt, 1) > 0) - return FALSE; - - SILC_LOG_DEBUG(("Deleting client %p", client_entry)); - - silc_mutex_lock(conn->internal->lock); - ret = silc_idcache_del_by_context(conn->internal->client_cache, - client_entry, NULL); - silc_mutex_unlock(conn->internal->lock); - - if (ret) { - /* Remove from channels */ - silc_client_remove_from_channels(client, conn, client_entry); - - /* Free the client entry data */ - silc_client_del_client_entry(client, conn, client_entry); + if (silc_atomic_sub_int32(&client_entry->internal.deleted, 1) != 0) + { + SILC_LOG_DEBUG(("** WARNING ** Deleting a client twice %p", client_entry)); +// asm("int3"); + return FALSE; } - return ret; + silc_client_unref_client(client, conn, client_entry); + return TRUE; + } /* Internal routine used to find client by ID and if not found this creates @@ -1072,10 +1063,10 @@ SilcClientEntry silc_client_ref_client(SilcClient client, SilcClientConnection conn, SilcClientEntry client_entry) { - silc_atomic_add_int8(&client_entry->internal.refcnt, 1); + silc_atomic_add_int32(&client_entry->internal.refcnt, 1); SILC_LOG_DEBUG(("Client %p refcnt %d->%d", client_entry, - silc_atomic_get_int8(&client_entry->internal.refcnt) - 1, - silc_atomic_get_int8(&client_entry->internal.refcnt))); + silc_atomic_get_int32(&client_entry->internal.refcnt) - 1, + silc_atomic_get_int32(&client_entry->internal.refcnt))); return client_entry; } @@ -1085,10 +1076,30 @@ void silc_client_unref_client(SilcClient client, SilcClientConnection conn, SilcClientEntry client_entry) { if (client_entry) { + SilcBool ret; + SILC_LOG_DEBUG(("Client %p refcnt %d->%d", client_entry, - silc_atomic_get_int8(&client_entry->internal.refcnt), - silc_atomic_get_int8(&client_entry->internal.refcnt) - 1)); - silc_client_del_client(client, conn, client_entry); + silc_atomic_get_int32(&client_entry->internal.refcnt), + silc_atomic_get_int32(&client_entry->internal.refcnt) - 1)); + + if (silc_atomic_sub_int32(&client_entry->internal.refcnt, 1) > 0) + return; + + SILC_LOG_DEBUG(("Deleting client %p (%d)", client_entry, + silc_atomic_get_int32(&client_entry->internal.deleted))); + + silc_mutex_lock(conn->internal->lock); + ret = silc_idcache_del_by_context(conn->internal->client_cache, + client_entry, NULL); + silc_mutex_unlock(conn->internal->lock); + + if (ret) { + /* Remove from channels */ + silc_client_remove_from_channels(client, conn, client_entry); + + /* Free the client entry data */ + silc_client_del_client_entry(client, conn, client_entry); + } } } @@ -1626,7 +1637,8 @@ SilcChannelEntry silc_client_add_channel(SilcClient client, return NULL; silc_rwlock_alloc(&channel->internal.lock); - silc_atomic_init16(&channel->internal.refcnt, 0); + silc_atomic_init32(&channel->internal.refcnt, 0); + silc_atomic_init32(&channel->internal.deleted, 1); channel->id = *channel_id; channel->mode = mode; @@ -1639,7 +1651,7 @@ SilcChannelEntry silc_client_add_channel(SilcClient client, if (!channel->channel_name) { silc_rwlock_free(channel->internal.lock); - silc_atomic_uninit16(&channel->internal.refcnt); + silc_atomic_uninit32(&channel->internal.refcnt); silc_free(channel); return NULL; } @@ -1648,7 +1660,7 @@ SilcChannelEntry silc_client_add_channel(SilcClient client, NULL, NULL, NULL, TRUE); if (!channel->user_list) { silc_rwlock_free(channel->internal.lock); - silc_atomic_uninit16(&channel->internal.refcnt); + silc_atomic_uninit32(&channel->internal.refcnt); silc_free(channel->channel_name); silc_free(channel); return NULL; @@ -1659,7 +1671,7 @@ SilcChannelEntry silc_client_add_channel(SilcClient client, SILC_STRING_UTF8, 256, NULL); if (!channel_namec) { silc_rwlock_free(channel->internal.lock); - silc_atomic_uninit16(&channel->internal.refcnt); + silc_atomic_uninit32(&channel->internal.refcnt); silc_free(channel->channel_name); silc_hash_table_free(channel->user_list); silc_free(channel); @@ -1672,7 +1684,7 @@ SilcChannelEntry silc_client_add_channel(SilcClient client, if (!silc_idcache_add(conn->internal->channel_cache, channel_namec, &channel->id, channel)) { silc_rwlock_free(channel->internal.lock); - silc_atomic_uninit16(&channel->internal.refcnt); + silc_atomic_uninit32(&channel->internal.refcnt); silc_free(channel_namec); silc_free(channel->channel_name); silc_hash_table_free(channel->user_list); @@ -1694,67 +1706,18 @@ SilcChannelEntry silc_client_add_channel(SilcClient client, SilcBool silc_client_del_channel(SilcClient client, SilcClientConnection conn, SilcChannelEntry channel) { - SilcIDCacheEntry id_cache; - SilcBool ret = TRUE; - SilcCipher key; - SilcHmac hmac; - char *namec; - if (!channel) return FALSE; - if (silc_atomic_sub_int16(&channel->internal.refcnt, 1) > 0) + if (silc_atomic_sub_int32(&channel->internal.deleted, 1) > 0) + { + SILC_LOG_DEBUG(("** WARNING ** Deleting a channel twice %p", channel)); +// asm("int3"); return FALSE; - - SILC_LOG_DEBUG(("Deleting channel %p", channel)); - - silc_mutex_lock(conn->internal->lock); - if (silc_idcache_find_by_context(conn->internal->channel_cache, channel, - &id_cache)) { - namec = id_cache->name; - ret = silc_idcache_del_by_context(conn->internal->channel_cache, - channel, NULL); - silc_free(namec); } - silc_mutex_unlock(conn->internal->lock); - if (!ret) - return FALSE; - - silc_client_empty_channel(client, conn, channel); - silc_client_del_channel_private_keys(client, conn, channel); - silc_hash_table_free(channel->user_list); - silc_free(channel->channel_name); - silc_free(channel->topic); - if (channel->founder_key) - silc_pkcs_public_key_free(channel->founder_key); - if (channel->internal.send_key) - silc_cipher_free(channel->internal.send_key); - if (channel->internal.receive_key) - silc_cipher_free(channel->internal.receive_key); - if (channel->internal.hmac) - silc_hmac_free(channel->internal.hmac); - if (channel->internal.old_channel_keys) { - silc_dlist_start(channel->internal.old_channel_keys); - while ((key = silc_dlist_get(channel->internal.old_channel_keys))) - silc_cipher_free(key); - silc_dlist_uninit(channel->internal.old_channel_keys); - } - if (channel->internal.old_hmacs) { - silc_dlist_start(channel->internal.old_hmacs); - while ((hmac = silc_dlist_get(channel->internal.old_hmacs))) - silc_hmac_free(hmac); - silc_dlist_uninit(channel->internal.old_hmacs); - } - if (channel->channel_pubkeys) - silc_argument_list_free(channel->channel_pubkeys, - SILC_ARGUMENT_PUBLIC_KEY); - silc_atomic_uninit16(&channel->internal.refcnt); - silc_rwlock_free(channel->internal.lock); - silc_schedule_task_del_by_context(conn->client->schedule, channel); - silc_free(channel); - - return ret; + silc_client_unref_channel(client, conn, channel); + return TRUE; } /* Replaces the channel ID of the `channel' to `new_id'. Returns FALSE @@ -1806,10 +1769,10 @@ SilcChannelEntry silc_client_ref_channel(SilcClient client, SilcClientConnection conn, SilcChannelEntry channel_entry) { - silc_atomic_add_int16(&channel_entry->internal.refcnt, 1); + silc_atomic_add_int32(&channel_entry->internal.refcnt, 1); SILC_LOG_DEBUG(("Channel %p refcnt %d->%d", channel_entry, - silc_atomic_get_int16(&channel_entry->internal.refcnt) - 1, - silc_atomic_get_int16(&channel_entry->internal.refcnt))); + silc_atomic_get_int32(&channel_entry->internal.refcnt) - 1, + silc_atomic_get_int32(&channel_entry->internal.refcnt))); return channel_entry; } @@ -1819,11 +1782,68 @@ void silc_client_unref_channel(SilcClient client, SilcClientConnection conn, SilcChannelEntry channel_entry) { if (channel_entry) { + SilcIDCacheEntry id_cache; + SilcBool ret = TRUE; + SilcCipher key; + SilcHmac hmac; + char *namec; + SILC_LOG_DEBUG(("Channel %p refcnt %d->%d", channel_entry, - silc_atomic_get_int16(&channel_entry->internal.refcnt), - silc_atomic_get_int16(&channel_entry->internal.refcnt) + silc_atomic_get_int32(&channel_entry->internal.refcnt), + silc_atomic_get_int32(&channel_entry->internal.refcnt) - 1)); - silc_client_del_channel(client, conn, channel_entry); + + if (silc_atomic_sub_int32(&channel_entry->internal.refcnt, 1) > 0) + return; + + SILC_LOG_DEBUG(("Deleting channel %p", channel_entry)); + + silc_mutex_lock(conn->internal->lock); + if (silc_idcache_find_by_context(conn->internal->channel_cache, channel_entry, + &id_cache)) { + namec = id_cache->name; + ret = silc_idcache_del_by_context(conn->internal->channel_cache, + channel_entry, NULL); + silc_free(namec); + } + silc_mutex_unlock(conn->internal->lock); + + if (!ret) + return; + + silc_client_empty_channel(client, conn, channel_entry); + silc_client_del_channel_private_keys(client, conn, channel_entry); + silc_hash_table_free(channel_entry->user_list); + silc_free(channel_entry->channel_name); + silc_free(channel_entry->topic); + if (channel_entry->founder_key) + silc_pkcs_public_key_free(channel_entry->founder_key); + if (channel_entry->internal.send_key) + silc_cipher_free(channel_entry->internal.send_key); + if (channel_entry->internal.receive_key) + silc_cipher_free(channel_entry->internal.receive_key); + if (channel_entry->internal.hmac) + silc_hmac_free(channel_entry->internal.hmac); + if (channel_entry->internal.old_channel_keys) { + silc_dlist_start(channel_entry->internal.old_channel_keys); + while ((key = silc_dlist_get(channel_entry->internal.old_channel_keys))) + silc_cipher_free(key); + silc_dlist_uninit(channel_entry->internal.old_channel_keys); + } + if (channel_entry->internal.old_hmacs) { + silc_dlist_start(channel_entry->internal.old_hmacs); + while ((hmac = silc_dlist_get(channel_entry->internal.old_hmacs))) + silc_hmac_free(hmac); + silc_dlist_uninit(channel_entry->internal.old_hmacs); + } + if (channel_entry->channel_pubkeys) + silc_argument_list_free(channel_entry->channel_pubkeys, + SILC_ARGUMENT_PUBLIC_KEY); + silc_atomic_uninit32(&channel_entry->internal.deleted); + silc_atomic_uninit32(&channel_entry->internal.refcnt); + silc_rwlock_free(channel_entry->internal.lock); + silc_schedule_task_del_by_context(conn->client->schedule, channel_entry); + silc_free(channel_entry); } } @@ -2059,7 +2079,7 @@ SilcServerEntry silc_client_add_server(SilcClient client, return NULL; silc_rwlock_alloc(&server_entry->internal.lock); - silc_atomic_init8(&server_entry->internal.refcnt, 0); + silc_atomic_init32(&server_entry->internal.refcnt, 0); server_entry->id = *server_id; if (server_name) server_entry->server_name = strdup(server_name); @@ -2111,7 +2131,7 @@ SilcBool silc_client_del_server(SilcClient client, SilcClientConnection conn, if (!server) return FALSE; - if (silc_atomic_sub_int8(&server->internal.refcnt, 1) > 0) + if (silc_atomic_sub_int32(&server->internal.refcnt, 1) > 0) return FALSE; SILC_LOG_DEBUG(("Deleting server %p", server)); @@ -2130,7 +2150,7 @@ SilcBool silc_client_del_server(SilcClient client, SilcClientConnection conn, silc_free(server->server_info); if (server->public_key) silc_pkcs_public_key_free(server->public_key); - silc_atomic_uninit8(&server->internal.refcnt); + silc_atomic_uninit32(&server->internal.refcnt); silc_rwlock_free(server->internal.lock); silc_free(server); @@ -2198,10 +2218,10 @@ SilcServerEntry silc_client_ref_server(SilcClient client, SilcClientConnection conn, SilcServerEntry server_entry) { - silc_atomic_add_int8(&server_entry->internal.refcnt, 1); + silc_atomic_add_int32(&server_entry->internal.refcnt, 1); SILC_LOG_DEBUG(("Server %p refcnt %d->%d", server_entry, - silc_atomic_get_int8(&server_entry->internal.refcnt) - 1, - silc_atomic_get_int8(&server_entry->internal.refcnt))); + silc_atomic_get_int32(&server_entry->internal.refcnt) - 1, + silc_atomic_get_int32(&server_entry->internal.refcnt))); return server_entry; } @@ -2212,8 +2232,8 @@ void silc_client_unref_server(SilcClient client, SilcClientConnection conn, { if (server_entry) { SILC_LOG_DEBUG(("Server %p refcnt %d->%d", server_entry, - silc_atomic_get_int8(&server_entry->internal.refcnt), - silc_atomic_get_int8(&server_entry->internal.refcnt) + silc_atomic_get_int32(&server_entry->internal.refcnt), + silc_atomic_get_int32(&server_entry->internal.refcnt) - 1)); silc_client_del_server(client, conn, server_entry); } diff --git a/lib/silcclient/client_internal.h b/lib/silcclient/client_internal.h index 8b48e733..54582e20 100644 --- a/lib/silcclient/client_internal.h +++ b/lib/silcclient/client_internal.h @@ -108,7 +108,7 @@ struct SilcClientInternalStruct { char *silc_client_version; /* Version set by application */ SilcClientRunning running; /* Running/Stopped callback */ void *running_context; /* Context for runnign callback */ - SilcAtomic16 conns; /* Number of connections in client */ + SilcAtomic32 conns; /* Number of connections in client */ SilcUInt16 next_session_id; /* Next FTP session ID */ /* Events */