
NDK race condition/improper locking


We are using NDK 2_22_00_06.

When the DHCP client cannot renew the IP address until the end of the lease time, it will try to close all open sockets before requesting a new IP address (in netsrv.c:291). When this is done, llEnter is never called, so when llExit gets called in fdint_waitevent (file.c:194) we get an error ("Illegal call to llExit()").

If we add llEnter and llExit calls around the SockCleanPcb calls in netsrv.c:291, it still does not fix every problem.

In this case, while the DHCP client is trying to close all open sockets, the application may preempt the DHCP client and close one of the sockets (due to an fdClose call from the application). When the DHCP client then gets to actually closing the same TCP socket, we get double free errors. The application can preempt the DHCP client, for example (there may be other places), after the llExit call in fdint_waitevent (file.c:194, which gets called when closing a socket). In the end, what we observe is that TcpPrDetach (in tcpprot.c:94) is called twice on the same socket, first from the application, then from the DHCP client, leading to double free errors.

Here is what we see in the debugger when the error happens:
[ARM9_0] 01115.103 Illegal call to llExit()
[ARM9_0] 01135.105 mmFree: Double Free
[ARM9_0] 01135.107 mmFree: Double Free
[ARM9_0] 01135.109 mmBulkFree: Corrupted mem or bad ptr (c04e6520)
[ARM9_0] 01135.111 mmFree: Double Free
[ARM9_0] 01135.113 mmFree: Double Free
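
The two failures in the post (an unbalanced lock exit and a second detach of the same socket) can be modelled in a few lines of C. This is an added example, not NDK source and not the poster's code: every name is hypothetical, a depth counter stands in for llEnter/llExit, and the application's preempting close is simulated by an in-line call during the sweep.

```c
/* Added model, not NDK source: all names below are hypothetical. */
#include <stdlib.h>

#define MAX_SOCK 4
enum sock_state { SOCK_FREE = 0, SOCK_OPEN, SOCK_CLOSING };
struct sock { enum sock_state state; void *pcb; };

static struct sock table[MAX_SOCK];
static int lock_depth;   /* stand-in for the llEnter/llExit kernel lock */
static int lock_errors;  /* unbalanced exits, cf. "Illegal call to llExit()" */
static int pcb_frees;    /* number of PCBs actually released */

static void ll_enter(void) { lock_depth++; }
static void ll_exit(void)  { if (lock_depth == 0) lock_errors++; else lock_depth--; }

int sock_open(int slot) {
    int ok = 0;
    ll_enter();
    if (table[slot].state == SOCK_FREE && (table[slot].pcb = malloc(32)) != NULL) {
        table[slot].state = SOCK_OPEN;
        ok = 1;
    }
    ll_exit();
    return ok;
}

/* Close by slot, never by a cached pointer. Ownership of the PCB is claimed
   under the lock, so only one caller ever frees it. Returns 1 if we freed. */
int sock_close_once(int slot) {
    void *pcb = NULL;
    ll_enter();
    if (table[slot].state == SOCK_OPEN) {
        table[slot].state = SOCK_CLOSING;
        pcb = table[slot].pcb;
        table[slot].pcb = NULL;
    }
    ll_exit();
    if (pcb == NULL) return 0;          /* another path already closed it */
    free(pcb);
    ll_enter(); pcb_frees++; table[slot].state = SOCK_FREE; ll_exit();
    return 1;
}

/* Lease-loss sweep. app_closes is a constructed interleaving: the application
   closes that slot just before the sweep reaches it (-1 for no preemption).
   Returns how many sockets the sweep itself freed. */
int lease_lost_sweep(int app_closes) {
    int freed = 0;
    for (int i = 0; i < MAX_SOCK; i++) {
        if (i == app_closes) sock_close_once(i);
        freed += sock_close_once(i);
    }
    return freed;
}
```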

