Closed
Bug 278434
Opened 20 years ago
Closed 19 years ago
JSS exceptions can cause crash in socketClose
Categories
(JSS Graveyard :: Library, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 282732
People
(Reporter: saul.edwards.bugs, Assigned: glenbeasley)
Details
Attachments
(1 file, 2 obsolete files)
|
3.77 KB,
patch
|
Details | Diff | Splinter Review |
The native getException call in JSS has appeared in several crashes over the past year, i.e.: --- called from signal handler with signal 10 (SIGBUS) --- f994f2f8 JSS_SSL_getException (6567696f, ac8d0, fbed9f78, f9978964, 0, 1) + 30 f994f004 JSS_SSL_processExceptions (5705bc, 6567696f, f9978958, f9978964, e007f884, 5b) + 1c4 f994e4dc Java_org_mozilla_jss_ssl_SocketBase_socketClose (5705bc, e007f94c, 0, 5b, 18, 15) + dc f9f941cc ???????? (ee218840, e007f88c, 0, 2a, ed8df668, ed8df668) ... Looking at the code in the close method, this is probably happening because the jSockPriv pointer is not set to null after the socket is closed with PR_Close. Therefore, getException will try to dereference the pointer to get the exception member of the structure. This will crash since PR_Close has already freed the structure.
|
Reporter | |
Updated•20 years ago
|
Status: NEW → ASSIGNED
|
|
Reporter | |
Comment 1•20 years ago
|
||
Attachment #174509 -
Flags: superreview?(wtchang)
Attachment #174509 -
Flags: review?(glen.beasley)
|
Assignee | |
Comment 2•20 years ago
|
||
Comment on attachment 174509 [details] [diff] [review] Null jSockPriv, check NULL pointers in getException In setException if priv is equal to NULL then you also need to protect priv->exception = excep. priv is a PRFilePrivate stucture, it get created py PR_NEW see: http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/ssl/javasoc k.c#978 Which means we need to free this structure before we NULL it in the close.
Attachment #174509 -
Flags: review?(glen.beasley) → review-
|
||
Updated•20 years ago
|
Assignee: saul.edwards.bugs → glen.beasley
Status: ASSIGNED → NEW
|
|
Assignee | |
Comment 3•20 years ago
|
||
added null pointer checks in getException and setException change socket.close to mark socket as closed and to free all resouces of the socket. The actual socket will get freed when releaseNativeResources gets called by the jvm or a call to System.runFinalization(); or System.gc();
Attachment #174509 -
Attachment is obsolete: true
Attachment #174695 -
Flags: superreview?(wtchang)
Attachment #174695 -
Flags: review?(saul.edwards.bugs)
|
|
Assignee | |
Comment 4•20 years ago
|
||
Attachment #174695 -
Attachment is obsolete: true
Attachment #174716 -
Flags: superreview?(wtchang)
Attachment #174716 -
Flags: review?(saul.edwards.bugs)
|
||
Comment 5•19 years ago
|
||
Comment on attachment 174716 [details] [diff] [review] added more comments and assert on jsockPriv >+void JSSL_DestroySocketResources(JNIEnv *env, JSSL_SocketData *sd) Should this new function be static? >+ /*do not free sd->Object here since the socket still exists as closed*/ Should that be sd->socketObject? > if( sd->clientCertSlot != NULL ) { > PK11_FreeSlot(sd->clientCertSlot); >+ sd->clientCertSelectionCallback = NULL; >+ } Should that be "sd->clientCertSlot = NULL;" ? >+ if (sd->jsockPriv != NULL) { >+ /*jsockPriv should always be null in common.c layer which operates */ >+ /*on socket created by PR_NewTCPSocket() in socketCreate or */ >+ /*socketAccept; */ >+ PR_ASSERT(sd->jsockPriv != NULL ); >+ sd->jsockPriv = NULL; >+ } That PR_ASSERT is useless. It must be true because it immediately follows an if statement that guarantees it. >+void >+JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd) >+{ >+ PR_ASSERT(sd != NULL); >+ /* if user did not call Socket.Close need to releaseResources */ I'm sorry. I have trouble understanding this comment. Perhaps add a comma (,) after "Socket.Close"? > if( ! sock->closed ) { >- PR_Close(sock->fd); >- sock->closed = PR_TRUE; >- /* this may have thrown an exception */ >+ /*user is closing socket. Destroy all related memory structures*/ >+ /* related to the socket because in high load the Garbage */ >+ /* Collection may not releaseNativeResources soon enough */ >+ /* releaseNativeResource will free the actual structure */ >+ JSSL_DestroySocketResources(env, sock); > } What is "the actual structure"? I see JSSL_DestroySocketData call PR_Free on the JSSL_SocketData structure. Does releaseNativeResource(s?) call JSSL_DestroySocketData? > void > setException(JNIEnv *env, PRFilePrivate *priv, jthrowable excep) > { >- PR_ASSERT(priv->exception == NULL); >+ if (priv == NULL) { >+ return; >+ } > if( priv->exception != NULL) { > (*env)->DeleteGlobalRef(env, priv->exception); > } > priv->exception = excep; > } Is this change necessary? > jthrowable > JSS_SSL_getException(PRFilePrivate *priv) > { >- jobject retval = priv->exception; >- priv->exception = NULL; >+ jobject retval = NULL; >+ if (priv != NULL && priv->exception != NULL) { >+ retval = priv->exception; >+ priv->exception = NULL; >+ } > return retval; > } Is the "priv->exception != NULL" test necessary? Is priv->exception likely to be NULL?
|
|
||
Updated•19 years ago
|
Attachment #174509 -
Flags: superreview?(wtchang)
|
|
||
Updated•19 years ago
|
Attachment #174695 -
Flags: superreview?(wtchang)
Attachment #174695 -
Flags: review?(saul.edwards.bugs)
|
|
Assignee | |
Comment 6•19 years ago
|
||
*** This bug has been marked as a duplicate of 282732 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
|
||
Updated•19 years ago
|
Attachment #174716 -
Flags: superreview?(wtchang)
Attachment #174716 -
Flags: review?(saul.edwards.bugs)
You need to log in
before you can comment on or make changes to this bug.
Description
•