If pgm_recvmsgv returns PGM_IO_STATUS_RESET, the following code stores a pointer into block which is released via pgm_free_skb() call before returning to caller:
// Data loss.
if (status == PGM_IO_STATUS_RESET) {
struct pgm_sk_buff_t *skb = pgm_msgv[0].msgv_skb[0];
// Save lost data TSI.
>>> *tsi_ = &skb->tsi;
nbytes_rec = 0;
// In case of dala loss -1 is returned.
errno = EINVAL;
>>> pgm_free_skb (skb);
return -1;
}
If
pgm_recvmsgvreturnsPGM_IO_STATUS_RESET, the following code stores a pointer into block which is released viapgm_free_skb()call before returning to caller:https://github.com/zeromq/libzmq/blob/master/src/pgm_socket.cpp#L576-L581
This leads to some funny behavior under load at call site where
zmq::pgm_receiver_t::in_event()does peer lookup here https://github.com/zeromq/libzmq/blob/master/src/pgm_receiver.cpp#L160-L174