Opened 2 months ago

Closed 2 months ago

#2172 closed defect (fixed)

Crash due to double reference decrements in timer

Reported by: nanang Owned by: bennylp
Priority: normal Milestone: release-2.9
Component: pjlib Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported: no

Description

The cancel() inside cancel_timer() returns zero when a timer entry is invalid or its expiration callback is being invoked (as the entry is removed already). Unfortunately the cancel_timer() does not check the count returned by cancel() and always proceed further with pj_grp_lock_dec_ref().

This is a bad news if at the same time the entry callback is being invoked by pj_timer_heap_poll() as pj_grp_lock_dec_ref() will be called after the callback returns. Note that the pj_grp_lock_dec_ref() may cause group lock ref count reaching zero, where all member objects of the group lock will invoke their destructors (usually freeing up any memory allocations), so the next pj_grp_lock_dec_ref() will access invalid/freed memory address.

Thanks Keerthi Kumar Thovi for the report and the analysis.

Change History (1)

comment:1 Changed 2 months ago by nanang

  • Resolution set to fixed
  • Status changed from new to closed

In 5927:

Fixed #2172: Avoid double reference counter decrements in timer in the scenario of race condition between pj_timer_heap_cancel() and pj_timer_heap_poll().

Note: See TracTickets for help on using tickets.