Fix: use after free of a relayd stream
author David Goulet <dgoulet@efficios.com>
Wed, 2 Apr 2014 14:31:34 +0000 (10:31 -0400)
committer David Goulet <dgoulet@efficios.com>
Wed, 2 Apr 2014 14:31:34 +0000 (10:31 -0400)
commit cd2ef1ef1d54ced9e4d0d03b865bb7fc6a905f80
tree 82e4e510a8e2581df2f1ea19fbce7a4b58d186ee
parent 8cf93def79a257058bdf3a25843e0627707a18bd
Fix: use after free of a relayd stream

A race could occur with a stream destruction and a control connection
being destroyed emptying its recv_list. A freed stream could still be in
the list thus having a use after free during the connection destroy.

That was triggering undefined behavior from infinite looping to
segmentation faults.

We've observed this issue on a high load stress test. A relayd received
all the streams but NOT the streams sent command which empties the list.
This can happen if a start tracing never occurred or failed on the
application side thus the close stream command is sent to the relayd
freeing the stream before it is removed from that list.

Signed-off-by: David Goulet <dgoulet@efficios.com>
src/bin/lttng-relayd/connection.h
src/bin/lttng-relayd/main.c
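
The invariant implied by the commit message above, as an added example that is not the lttng-tools code: a stream leaves the connection's receive list before its memory is released, so connection teardown never walks a freed node. All type and function names are hypothetical, and the locking between the two paths is left out.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration, not the lttng-relayd types. */
struct list_node { struct list_node *prev, *next; };
struct stream { int id; struct list_node recv_node; /* link in recv_list */ };
struct connection { struct list_node recv_list; /* streams not yet "sent" */ };

static void list_init(struct list_node *n) { n->prev = n->next = n; }

static void list_add(struct list_node *n, struct list_node *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Unlink and re-initialise, so unlinking twice is a harmless no-op. */
static void list_del_init(struct list_node *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}

static struct stream *stream_create(struct connection *c, int id)
{
    struct stream *s = calloc(1, sizeof(*s));
    if (!s) return NULL;
    s->id = id;
    list_add(&s->recv_node, &c->recv_list);
    return s;
}

/* Close-stream path: leave recv_list before the memory is released. */
static void stream_destroy(struct stream *s)
{
    list_del_init(&s->recv_node);
    free(s);
}

/* Connection teardown: empty recv_list, return how many streams it freed. */
static int connection_destroy(struct connection *c)
{
    int freed = 0;
    while (c->recv_list.next != &c->recv_list) {
        struct list_node *n = c->recv_list.next;
        stream_destroy((struct stream *)((char *)n - offsetof(struct stream, recv_node)));
        freed++;
    }
    return freed;
}
```

Without the `list_del_init()` call in `stream_destroy()`, a stream closed early stays linked and the teardown loop dereferences freed memory, which matches the infinite loops and segmentation faults the commit message reports.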