Closed vicencb closed 2 years ago
Hello @vicencb!
I see your point and did some mbusd stress testing with concurrent client connections opening/closing, but still can't get a segfault.
Could you provide some steps to reproduce the problem in practice?
Hello @3cky, dereferencing a pointer to freed memory is undefined behavior. In my case this behavior showed up as a segmentation fault; your case is different probably because of a different compiler or other involved parts.
You can still see the issue by compiling the program with -fsanitize=address, which is supported by both gcc and clang, or else you can run mbusd with valgrind.
In order to test it, there is no need to use concurrent connections. Just do one TCP connection and then disconnect it.
@3cky the logic is sound on this request!
Valgrind did the trick. I was able to reproduce the use-after-free behavior and I confirm that this PR fixes it.
LGTM, will merge. Thanks!
When there is a single item in the queue, queue_next_elem returns that same and only item, so, in the function conn_close, nextconn is conn. Afterwards, conn is deleted, which is also nextconn, so conn_close returns a pointer to a freed connection. This patch sets the return value of conn_close to NULL when there are no more connections.
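The bug and the fix described above, as an added example that is not mbusd's own code: a minimal circular connection queue in which the element after the only element is itself, a conn_close that returns the next connection to the caller, and the caller loop that depends on that return value. The struct, function and field names (queue_t, conn_t, conn_open, conn_close_all) are this example's assumptions, not identifiers from the mbusd source; the fd values are constructed sample data. The pre-fix behaviour is shown in a comment rather than live code because it cannot be executed safely; running the fixed version under -fsanitize=address or valgrind, as suggested in the thread, reports nothing.

```c
#include <stdlib.h>
#include <stdio.h>

/* Circular doubly-linked connection list modelled on the pattern described
   in the PR; these names are this example's own, not mbusd's. */
typedef struct conn {
    int fd;                     /* constructed sample value, not a real socket */
    struct conn *prev, *next;
} conn_t;

typedef struct {
    conn_t *head;
    int len;
} queue_t;

/* In a circular list the element after the only element is itself. */
static conn_t *queue_next_elem(const queue_t *q, conn_t *e) {
    (void)q;
    return e->next;
}

/* Append a connection to the ring. */
conn_t *conn_open(queue_t *q, int fd) {
    conn_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->fd = fd;
    if (!q->head) {
        c->prev = c->next = c;
        q->head = c;
    } else {
        c->next = q->head;
        c->prev = q->head->prev;
        q->head->prev->next = c;
        q->head->prev = c;
    }
    q->len++;
    return c;
}

/* Close one connection and return the next one the caller should look at.
   Pre-fix logic (do not use):   return nextconn;
   When conn is the only element, queue_next_elem(q, conn) == conn, so that
   returned a pointer to memory freed two lines earlier; the caller's next
   dereference is a use-after-free. The fix returns NULL once the ring is empty. */
conn_t *conn_close(queue_t *q, conn_t *conn) {
    conn_t *nextconn = queue_next_elem(q, conn);
    conn->prev->next = conn->next;
    conn->next->prev = conn->prev;
    if (q->head == conn)
        q->head = (nextconn == conn) ? NULL : nextconn;
    q->len--;
    free(conn);
    return (q->len == 0) ? NULL : nextconn;
}

/* Caller pattern: walk the ring closing every connection. With the old
   return value this loop would continue on a dangling pointer after the
   last close; with NULL it terminates. Returns the number closed. */
int conn_close_all(queue_t *q) {
    int closed = 0;
    conn_t *c = q->head;
    while (c) {
        c = conn_close(q, c);
        closed++;
    }
    return closed;
}

int main(void) {
    queue_t q = {0};
    conn_open(&q, 10);          /* constructed fds */
    conn_open(&q, 11);
    printf("closed %d connections, head=%p\n", conn_close_all(&q), (void *)q.head);
    return 0;
}
```

The single-connection case from the thread is the one to check: open one connection, close it, and the return value must be NULL rather than the just-freed pointer.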