lwip uses already freed connection object #366

Closed
cproc opened this issue Sep 19, 2012 · 3 comments

cproc commented Sep 19, 2012

When running the 'lighttpd' test on Genode/Linux, the TCP/IP thread in the 'lighttpd' program often crashes after a while on my machine when running the Apache benchmark tool from another terminal:

ab -n 10000 -c 150 <IP address of lighttpd server>/index.html

GDB output for the TCP/IP thread:

Program received signal SIGSEGV, Segmentation fault.
0x000000007cfc80b6 in ?? ()
(gdb) bt
#0  0x000000007cfc80b6 in ?? ()
#1  0x00000000011a9f79 in err_tcp (arg=0x2afba8b57534, err=-10 '\366') at /home/christian/projects/genode/genode/libports/contrib/lwip-STABLE-1_4_1-RC1/src/api/api_msg.c:369
#2  0x00000000011c16ea in tcp_abandon (pcb=0x2afba8afc304, reset=1) at /home/christian/projects/genode/genode/libports/contrib/lwip-STABLE-1_4_1-RC1/src/core/tcp.c:398
#3  0x00000000011c1709 in tcp_abort (pcb=0x2afba8afc304) at /home/christian/projects/genode/genode/libports/contrib/lwip-STABLE-1_4_1-RC1/src/core/tcp.c:415
#4  0x00000000011c48ac in tcp_process (pcb=0x2afba8afc304) at /home/christian/projects/genode/genode/libports/contrib/lwip-STABLE-1_4_1-RC1/src/core/tcp_in.c:700
#5  0x00000000011c3c10 in tcp_input (p=0x2afba8c476c4, inp=0x11d96a0) at /home/christian/projects/genode/genode/libports/contrib/lwip-STABLE-1_4_1-RC1/src/core/tcp_in.c:304
#6  0x00000000011b1e37 in ip_input (p=0x2afba8c476c4, inp=0x11d96a0) at /home/christian/projects/genode/genode/libports/contrib/lwip-STABLE-1_4_1-RC1/src/core/ipv4/ip.c:559
#7  0x00000000011b0f81 in ethernet_input (p=0x2afba8c476c4, netif=0x11d96a0) at /home/christian/projects/genode/genode/libports/contrib/lwip-STABLE-1_4_1-RC1/src/netif/etharp.c:1363
#8  0x00000000011c8a92 in tcpip_thread (arg=0x0) at /home/christian/projects/genode/genode/libports/contrib/lwip-STABLE-1_4_1-RC1/src/api/tcpip.c:103
#9  0x00000000011bff01 in Lwip::Lwip_thread::entry (this=0x2afba8aa6220) at /home/christian/projects/genode/genode/libports/src/lib/lwip/include/thread.h:39
#10 0x0000000050051646 in thread_start () at /home/christian/projects/genode/genode/base-linux/src/base/thread/thread_linux.cc:48
#11 0x0000000050050b60 in thread_start () at /home/christian/projects/genode/genode/base-linux/../base-linux/src/platform/x86_64/lx_clone.S:59

Some added log output shows that the 'err_tcp()' function is using a pointer to a 'netconn' object which has already been freed before in the 'accept_function()' function, which got called from the 'tcp_process()' function before the 'tcp_abort()' function got called:

--- tcp_process() in tcp_in.c ---
...
printf("tcp_process(): calling TCP_EVENT_ACCEPT()\n");
        /* Call the accept function. */
        TCP_EVENT_ACCEPT(pcb, ERR_OK, err);
        if (err != ERR_OK) {
          /* If the accept function returns with an error, we abort
           * the connection. */
          /* Already aborted? */
          if (err != ERR_ABRT) {
printf("tcp_process(): TCP_EVENT_ACCEPT() returned with error, calling tcp_abort()\n");
            tcp_abort(pcb);
          }
          return ERR_ABRT;
        }

(The GDB output above and the following log messages are from different runs and therefore show different connection and callback addresses)

[init -> lighttpd] tcp_process(): calling TCP_EVENT_ACCEPT()
[init -> lighttpd] accept_function(): calling netconn_alloc()
[init -> lighttpd] netconn_alloc(): conn = 0x2b0ed098f0ac
[init -> lighttpd] accept_function(): calling sys_mbox_trypost(0x2b0ed098f0ac)
[init -> lighttpd] [0x400ffc58/17387] Overflow exception!
[init -> lighttpd] accept_function(): sys_mbox_trypost(0x2b0ed098f0ac) failed
[init -> lighttpd] accept_function(): freeing netconn 0x2b0ed098f0ac
[init -> lighttpd] netconn_free(0x2b0ed098f0ac)
[init -> lighttpd] tcp_process(): TCP_EVENT_ACCEPT() returned with error, calling tcp_abort()
[init -> lighttpd] tcp_abandon(): connection = 0x2b0ed098f0ac, callback = 0x11be72c
[init -> lighttpd] tcp_abandon(): connection = 0x2b0ed098f0ac, callback = 0x11be72c
[init -> lighttpd] tcp_abandon(): connection = 0x2b0ed098f0ac, callback = 0x11be72c
[init -> lighttpd] tcp_abandon(): connection = 0x2b0ed098f0ac, callback = 0x330080b6
[init -> lighttpd] tcp_abandon(): connection = 0x2b0ed098f0ac, callback = 0x330080b6
[init -> lighttpd] err_tcp(): conn = 0x2b0ed098f0ac, callback = 0x330080b6

The connection object gets freed and the memory it occupied gets overwritten shortly after by a different thread, changing the 'callback' pointer to some random value which gets then called from 'err_tcp()'.
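
The sequence in the report (accept_function() fails to post the new netconn, frees it, returns an error; tcp_process() then calls tcp_abort(), which walks pcb->errf into err_tcp() with the stale callback_arg) is a use-after-free through a callback argument. The following is an added model of that path, written for this page; it is neither lwIP code nor the reporter's, and the actual fix that went into STABLE-1_4_1 is not quoted here. struct tcp_pcb, struct netconn, struct mbox, sys_mbox_trypost(), netconn_free(), err_tcp(), tcp_abort(), accept_function(), tcp_process_accept() and run_accept_storm() are simplified stand-ins with the same names as the lwIP functions they imitate, and ACCEPT_MBOX_SIZE is a constructed value chosen so the mailbox fills after two accepts. With detach_first == 0 the model reproduces the shape of the bug; with detach_first == 1 it applies the general remedy of clearing every pcb reference to the netconn before freeing it. Since dereferencing freed memory is undefined behaviour, the model records the access through a freed flag instead of calling a scribbled function pointer.

```c
#include <stddef.h>
#include <string.h>

/* Added model of the accept path in this issue, not lwIP code.  struct tcp_pcb,
 * struct netconn, sys_mbox_trypost(), netconn_free(), err_tcp() and tcp_abort()
 * are simplified stand-ins for the lwIP functions of the same name. */

typedef int err_t;
#define ERR_OK    0
#define ERR_MEM  -1
#define ERR_ABRT -10

struct netconn;
struct tcp_pcb {
    void *callback_arg;                  /* lwIP: points at the owning netconn */
    void (*errf)(void *arg, err_t err);  /* lwIP: err_tcp() */
};
struct netconn {
    struct tcp_pcb *pcb;
    int freed;                           /* allocator model: set by netconn_free() */
};

#define ACCEPT_MBOX_SIZE 2               /* constructed: tiny so the mailbox fills quickly */
struct mbox { struct netconn *slots[ACCEPT_MBOX_SIZE]; int count; };

static err_t sys_mbox_trypost(struct mbox *m, struct netconn *c)
{
    if (m->count >= ACCEPT_MBOX_SIZE)
        return ERR_MEM;                  /* full: the failure seen in the log above */
    m->slots[m->count++] = c;
    return ERR_OK;
}

/* After this call the memory is free for reuse by any other thread. */
static void netconn_free(struct netconn *c) { c->pcb = NULL; c->freed = 1; }

static int g_uaf_hits;                   /* err_tcp() calls that reached a freed netconn */

static void err_tcp(void *arg, err_t err)
{
    struct netconn *conn = arg;
    (void)err;
    if (conn->freed) {                   /* real lwIP would now call conn->callback, */
        g_uaf_hits++;                    /* which may already be overwritten garbage */
        return;
    }
    /* normal path: wake the application waiting on this netconn (omitted) */
}

/* tcp_abort() -> tcp_abandon(): report the abort through the pcb's error callback. */
static void tcp_abort(struct tcp_pcb *pcb)
{
    if (pcb->errf != NULL)
        pcb->errf(pcb->callback_arg, ERR_ABRT);
}

/* accept_function(): bind pcb and netconn, then hand the netconn to the
 * application's accept mailbox.  With detach_first == 0 this has the shape of
 * the failing path: the netconn is freed while pcb->callback_arg still points
 * at it.  With detach_first == 1 the pcb is disconnected from the netconn
 * before the free, so the later tcp_abort() has nothing to call. */
static err_t accept_function(struct tcp_pcb *newpcb, struct mbox *acceptmbox,
                             struct netconn *newconn, int detach_first)
{
    newconn->pcb = newpcb;
    newpcb->callback_arg = newconn;
    newpcb->errf = err_tcp;
    if (sys_mbox_trypost(acceptmbox, newconn) != ERR_OK) {
        if (detach_first) {
            newpcb->callback_arg = NULL; /* no reference from the pcb ... */
            newpcb->errf = NULL;         /* ... and no callback that would use one */
        }
        netconn_free(newconn);
        return ERR_MEM;                  /* != ERR_ABRT, so tcp_process() aborts the pcb */
    }
    return ERR_OK;
}

/* The tail of tcp_process() quoted in the report. */
static err_t tcp_process_accept(struct tcp_pcb *pcb, struct mbox *acceptmbox,
                                struct netconn *newconn, int detach_first)
{
    err_t err = accept_function(pcb, acceptmbox, newconn, detach_first);
    if (err != ERR_OK) {
        if (err != ERR_ABRT)
            tcp_abort(pcb);              /* reaches err_tcp(pcb->callback_arg) */
        return ERR_ABRT;
    }
    return ERR_OK;
}

/* Accept ACCEPT_MBOX_SIZE + 1 connections so the last one finds the mailbox
 * full.  Returns the number of err_tcp() calls that ran on a freed netconn. */
static int run_accept_storm(int detach_first)
{
    struct mbox acceptmbox;
    struct tcp_pcb pcbs[ACCEPT_MBOX_SIZE + 1];
    struct netconn conns[ACCEPT_MBOX_SIZE + 1];
    int i;

    memset(&acceptmbox, 0, sizeof acceptmbox);
    memset(pcbs, 0, sizeof pcbs);
    memset(conns, 0, sizeof conns);
    g_uaf_hits = 0;
    for (i = 0; i < ACCEPT_MBOX_SIZE + 1; i++)
        tcp_process_accept(&pcbs[i], &acceptmbox, &conns[i], detach_first);
    return g_uaf_hits;
}
```

run_accept_storm(0) reports one err_tcp() call on a freed netconn, run_accept_storm(1) reports none. The point the model makes is that the error return from accept_function() is not enough on its own: tcp_process() reacts to a non-ERR_ABRT error by aborting the pcb, and that abort fires the pcb's error callback, so any object the pcb still references through callback_arg must either outlive the abort or be detached before it is freed.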

@chelmuth

@cproc if this is a problem with the lwIP contrib sources, it may be a good idea to contact the developers via the mailing list.

cproc commented Sep 20, 2012

I created a bug report at https://savannah.nongnu.org/bugs/index.php?37405 now.

ghost assigned cproc Nov 2, 2012

cproc commented Nov 5, 2012

The bug got fixed in the STABLE-1_4_1 lwip version.

cproc added a commit to cproc/genode that referenced this issue Nov 5, 2012
cproc closed this as completed in cb8910b Nov 7, 2012
cproc added a commit to cproc/genode that referenced this issue May 12, 2014