[Libwebsockets] [libwebsockets] #28: Crash due to file descriptor being accessed from union storing header data

Trac trac at libwebsockets.org
Sat May 4 16:34:34 CEST 2013


#28: Crash due to file descriptor being accessed from union storing header data
------------------------------------+--------------------------------
  Reporter:  simonwulf              |      Owner:  agreen
      Type:  defect                 |     Status:  new
  Priority:  critical               |  Milestone:
 Component:  libwebsockets library  |    Version:
Resolution:                         |   Keywords:  server union crash
------------------------------------+--------------------------------

Comment (by simonwulf):

 I think I found the problem!

 I did some digging and debugging and noticed that the condition of the if
 statement on line 976 in libwebsockets.c always evaluated to false after
 the client had been closed, with pollfd->revents being set to 2 (only the
 POLLHUP bit set, right?).

 {{{
 if ((!pollfd->revents & POLLIN) &&
     (pollfd->revents & (POLLERR | POLLHUP))) {

     lwsl_debug("Session Socket %p (fd=%d) dead\n",
         (void *)wsi, pollfd->fd);

     goto close_and_handled;
 }
 }}}

 This did not seem like the expected behaviour, so I tried enclosing
 "pollfd->revents & POLLIN" in parentheses, as you want to check if the
 POLLIN bit is not set, right? After that, the test server seems to be
 behaving as expected (except for a crash at shutdown caused by trying to
 close a bad http file descriptor, but that's probably unrelated to this
 problem, right?).

 As it turns out, without the parentheses, the unary ! operator is
 evaluated first, giving the left side of the binary & a value of 0. Must
 be a difference in the order of operations between our compilers.

-- 
Ticket URL: <http://libwebsockets.org/trac/ticket/28#comment:12>
libwebsockets <http://libwebsockets.org>
libwebsockets C library
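
The two forms of the condition from the comment above, compared over every combination of POLLIN, POLLERR and POLLHUP (an added example, not part of the original message or of the libwebsockets source). In C the unary ! binds tighter than binary &, so the unparenthesized form parses as ((!revents) & POLLIN) and can never be true together with the second clause. The function names are hypothetical and POSIX <poll.h> is assumed.

```c
#include <poll.h>
#include <stdio.h>

/* Condition as quoted in the ticket: parsed as ((!revents) & POLLIN) && ... */
static int dead_as_written(short revents)
{
    return (!revents & POLLIN) && (revents & (POLLERR | POLLHUP));
}

/* Condition with the parentheses proposed in the comment. */
static int dead_parenthesized(short revents)
{
    return !(revents & POLLIN) && (revents & (POLLERR | POLLHUP));
}

/* Walk all 8 combinations of the three flags and count the dead-socket
 * states that the parenthesized check catches but the quoted one misses. */
static int count_missed(void)
{
    static const short bits[] = { POLLIN, POLLERR, POLLHUP };
    int missed = 0;

    for (unsigned mask = 0; mask < 8; mask++) {
        short revents = 0;
        for (int i = 0; i < 3; i++)
            if (mask & (1u << i))
                revents |= bits[i];

        int a = dead_as_written(revents);
        int b = dead_parenthesized(revents);
        printf("IN=%d ERR=%d HUP=%d  as_written=%d  parenthesized=%d\n",
               !!(revents & POLLIN), !!(revents & POLLERR),
               !!(revents & POLLHUP), a, b);
        if (b && !a)
            missed++;
    }
    return missed;
}

int main(void)
{
    printf("dead-socket states missed by the quoted condition: %d\n",
           count_missed());
    return 0;
}
```

The quoted form is false for every input: !revents is 1 only when revents is 0, and in that case the POLLERR | POLLHUP test fails, so a hung-up socket never reaches close_and_handled.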


