Use after free in handleConnection (cs104_connection.c:821) #61

@S-trace

Hello.

Valgrind says:

==10956== Thread 5:
==10956== Invalid write of size 1
==10956==    at 0x5061EA6: handleConnection (cs104_connection.c:821)
==10956==    by 0x508F668: start_thread (pthread_create.c:479)
==10956==    by 0x4B37322: clone (clone.S:95)
==10956==  Address 0x4c5dcd0 is 496 bytes inside a block of size 552 free'd
==10956==    at 0x483BA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==10956==    by 0x5063C06: Memory_free (lib_memory.c:79)
==10956==    by 0x50613D9: CS104_Connection_destroy (cs104_connection.c:431)
==10956==    by 0x504FD02: process_meter_connection (lib.c:972)
==10956==    by 0x504FE1C: iec_104_fetch_thread (lib.c:995)
==10956==    by 0x506397B: destroyAutomaticThread (thread_linux.c:87)
==10956==    by 0x508F668: start_thread (pthread_create.c:479)
==10956==    by 0x4B37322: clone (clone.S:95)
==10956==  Block was alloc'd at
==10956==    at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==10956==    by 0x5063B5A: Memory_malloc (lib_memory.c:44)
==10956==    by 0x5060CF2: createConnection (cs104_connection.c:199)
==10956==    by 0x5060E4E: CS104_Connection_create (cs104_connection.c:243)
==10956==    by 0x504FD85: iec_104_fetch_thread (lib.c:984)
==10956==    by 0x506397B: destroyAutomaticThread (thread_linux.c:87)
==10956==    by 0x508F668: start_thread (pthread_create.c:479)
==10956==    by 0x4B37322: clone (clone.S:95)
==10956== 

This error may occur when the connection was closed, the user program set a flag about this in connectionHandler(), and then called CS104_Connection_destroy() on this connection fast enough.

Also, if the user calls CS104_Connection_destroy() in connectionHandler() on the CONNECTION_CLOSED event, the following error occurs before cs104_connection.c:821:

==13643== Thread 4:
==13643== Invalid read of size 8
==13643==    at 0x12AE62: handleConnection (cs104_connection.c:817)
==13643==    by 0x488B668: start_thread (pthread_create.c:479)
==13643==    by 0x49C7322: clone (clone.S:95)
==13643==  Address 0x4a98f28 is 488 bytes inside a block of size 552 free'd
==13643==    at 0x483BA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==13643==    by 0x12CBD5: Memory_free (lib_memory.c:79)
==13643==    by 0x12A3A8: CS104_Connection_destroy (cs104_connection.c:431)
==13643==    by 0x118CFA: connectionHandler (lib.c:675)
==13643==    by 0x12AE50: handleConnection (cs104_connection.c:804)
==13643==    by 0x488B668: start_thread (pthread_create.c:479)
==13643==    by 0x49C7322: clone (clone.S:95)
==13643==  Block was alloc'd at
==13643==    at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==13643==    by 0x12CB29: Memory_malloc (lib_memory.c:44)
==13643==    by 0x129CC1: createConnection (cs104_connection.c:199)
==13643==    by 0x129E1D: CS104_Connection_create (cs104_connection.c:243)
==13643==    by 0x119280: iec_104_fetch_thread (lib.c:996)
==13643==    by 0x12C94A: destroyAutomaticThread (thread_linux.c:87)
==13643==    by 0x488B668: start_thread (pthread_create.c:479)
==13643==    by 0x49C7322: clone (clone.S:95)

So, there are 2 memory errors at once (and one of them is a 1-byte memory corruption).
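A stand-alone model of the lifecycle rule this report points at, added here as an example and not code from the issue or from the library: the connection thread clears its running flag only after its last access to the object, the application-side destroy waits for that flag before freeing, and a destroy attempted from inside the handler (the CONNECTION_CLOSED case above) is refused instead of freeing memory the calling thread is still using. Conn, conn_create, conn_destroy, EV_CLOSED, AppState and run_scenario are hypothetical stand-ins for the CS104_Connection API, not the library's real names.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
enum { EV_CLOSED = 1 };                        /* stand-in for the library's CLOSED event */
typedef struct Conn {
    pthread_t thread;                          /* zero until the thread stores it, under lock */
    pthread_mutex_t lock; pthread_cond_t done;
    int running;                               /* cleared only after the last access to self */
    void (*handler)(struct Conn *, int, void *); void *param;
    char rx_buf[64];                           /* stand-in for the buffer written at :821 */
} Conn;

static void *conn_thread(void *arg) { Conn *self = arg;
    pthread_mutex_lock(&self->lock); self->thread = pthread_self(); pthread_mutex_unlock(&self->lock);
    self->handler(self, EV_CLOSED, self->param);   /* the application may react here */
    memset(self->rx_buf, 0, sizeof self->rx_buf);  /* tail write after CLOSED, as at :821 */
    pthread_mutex_lock(&self->lock); self->running = 0;   /* only now is self unused */
    pthread_cond_signal(&self->done); pthread_mutex_unlock(&self->lock);
    return NULL;
}
Conn *conn_create(void (*h)(Conn *, int, void *), void *param) {
    Conn *c = calloc(1, sizeof *c); if (!c) return NULL;
    pthread_mutex_init(&c->lock, NULL); pthread_cond_init(&c->done, NULL);
    c->handler = h; c->param = param; c->running = 1;
    pthread_t t; if (pthread_create(&t, NULL, conn_thread, c)) { free(c); return NULL; }
    return c;
}
/* Returns -1 and frees nothing on the connection's own thread (from inside the handler);
 * otherwise waits until the thread is finished with c, joins it, and only then frees. */
int conn_destroy(Conn *c) {
    pthread_mutex_lock(&c->lock);
    int self_call = pthread_equal(pthread_self(), c->thread);
    while (!self_call && c->running) pthread_cond_wait(&c->done, &c->lock);
    pthread_mutex_unlock(&c->lock);
    if (self_call) return -1;
    pthread_join(c->thread, NULL);
    pthread_mutex_destroy(&c->lock); pthread_cond_destroy(&c->done);
    free(c); return 0;
}

typedef struct { int closed_seen, in_handler_rc, try_destroy; } AppState;
static void app_handler(Conn *c, int event, void *param) {
    AppState *s = param; if (event != EV_CLOSED) return;
    s->closed_seen = 1;                            /* the flag the report describes */
    if (s->try_destroy) s->in_handler_rc = conn_destroy(c);   /* refused with -1 */
}
/* try_destroy=0: app destroys right after create ("fast enough"); 1: handler tries too. */
int run_scenario(int try_destroy, AppState *s) {
    memset(s, 0, sizeof *s); s->try_destroy = try_destroy; s->in_handler_rc = 99;
    Conn *c = conn_create(app_handler, s);
    return c ? conn_destroy(c) : -2;               /* blocks until the thread is done */
}
```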
