[Spread-users] bug fix in sp.c
John Schultz
jschultz at d-fusion.net
Mon Jun 9 09:54:43 EDT 2003
I was perusing sp.c for something else and I think I noticed a bug.
In the following code from SP_scat_receive, if an invalid user scatter
is detected and DROP_RECV was requested, then the function immediately
returns ILLEGAL_MESSAGE.
At that point the header of the msg has been read off of the socket, but
what about the body? It seems the body is left on the socket to be read
off (incorrectly) by the next call to receive as a message header.
<snip from sp.c SP_scat_receive()>
/* Validate user's scatter */
for( max_mess_len = 0, i=0; i < scat_mess->num_elements; i++ ) {
    if ( scat_mess->elements[i].len < 0 ) {
        if ( !drop_semantics && !This_session_message_saved) {
            Mutex_lock( &Struct_mutex );
            ses = SP_get_session( mbox );
            if( ses < 0 ){
                Mutex_unlock( &Struct_mutex );
                Mutex_unlock( &Mbox_mutex[mbox & MAX_MUTEX_MASK][1] );
                return( ILLEGAL_SESSION );
            }
            memcpy(&(Sessions[ses].recv_saved_head), &mess_head,
                   sizeof(message_header) );
            Sessions[ses].recv_message_saved = 1;
            Mutex_unlock( &Struct_mutex );
        }
        return( ILLEGAL_MESSAGE );
    }
    max_mess_len += scat_mess->elements[i].len;
}
</snip>
I suggest the simple fix of moving the scatter validation to the very
top of the fcn: before you grab any mutexes or anything.
/* Validate user's scatter */
if (scat_mess->num_elements < 0) {
    return (ILLEGAL_MESSAGE);
}
for( max_mess_len = 0, i=0; i < scat_mess->num_elements; i++ ) {
    if ( scat_mess->elements[i].len < 0 ) {
        return( ILLEGAL_MESSAGE );
    }
    max_mess_len += scat_mess->elements[i].len;
}
--
John Schultz
Co-Founder, Lead Engineer
D-Fusion, Inc. (http://www.d-fusion.net)
Phn: 443-838-2200 Fax: 707-885-1055
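
Added example (not part of the original post and not Spread's code): a toy length-prefixed stream that reproduces the desynchronisation described in the post, where a receive call consumes the header, rejects the caller's scatter, and leaves the body to be parsed as the next header. `stream_t`, `scat_t`, `toy_receive`, `BAD_FRAME` and the numeric error values are assumptions made for this sketch; only the validation loop follows the post.

```c
#include <stdint.h>
#include <string.h>

#define ILLEGAL_MESSAGE (-13) /* values chosen for this sketch */
#define BAD_FRAME       (-99)

typedef struct { const uint8_t *buf; size_t len, pos; } stream_t; /* stand-in socket */
typedef struct { char *buf; int len; } elem_t;
typedef struct { int num_elements; elem_t elements[2]; } scat_t;  /* simplified scatter */

/* The check from the post: reject negative counts and lengths, else total capacity. */
static int scat_capacity(const scat_t *sc) {
    int i, total = 0;
    if (sc->num_elements < 0) return ILLEGAL_MESSAGE;
    for (i = 0; i < sc->num_elements; i++) {
        if (sc->elements[i].len < 0) return ILLEGAL_MESSAGE;
        total += sc->elements[i].len;
    }
    return total;
}

/* Receive one frame (4-byte native length, then body) into the first element.
 * validate_first = 1 checks the scatter before touching the stream. */
static int toy_receive(stream_t *s, const scat_t *sc, int validate_first) {
    int32_t n;
    int cap = 0;
    if (validate_first && (cap = scat_capacity(sc)) < 0) return cap;
    if (s->len - s->pos < sizeof n) return BAD_FRAME;
    memcpy(&n, s->buf + s->pos, sizeof n);      /* header consumed here */
    s->pos += sizeof n;
    if (!validate_first && (cap = scat_capacity(sc)) < 0) return cap; /* body left behind */
    if (n < 0 || (size_t)n > s->len - s->pos || n > sc->elements[0].len) return BAD_FRAME;
    memcpy(sc->elements[0].buf, s->buf + s->pos, (size_t)n);
    s->pos += (size_t)n;
    return n;
}

/* Bad scatter, then good scatter, on a constructed two-frame stream ("ABCD", "EFGH").
 * Returns the result of the second, well-formed call. */
int second_call_result(int validate_first) {
    uint8_t wire[16]; char out[8] = {0};
    int32_t n = 4;
    scat_t bad = { 1, { { out, -1 } } }, good = { 1, { { out, sizeof out } } };
    stream_t s = { wire, sizeof wire, 0 };
    memcpy(wire, &n, 4);     memcpy(wire + 4, "ABCD", 4);
    memcpy(wire + 8, &n, 4); memcpy(wire + 12, "EFGH", 4);
    if (toy_receive(&s, &bad, validate_first) != ILLEGAL_MESSAGE) return 0;
    return toy_receive(&s, &good, validate_first);
}
```

With late validation the second call reads the bytes "ABCD" as a length and fails; with validation first the stream is untouched by the rejected call and the second call returns the 4-byte first message.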