rx-protect-queue-during-debug-20040601

FIXES 4811

"in rx_packet.c:rxi_ReceiveDebugPacket() the rx_idleServerQueue is
scanned without taking a lock first.

The queue_Remove macro zeroes the ->next field (luckily), but this can
lead to a crash when Murphy strikes and the entry gets removed during
the scan: queue_Scan will dereference 0x0 -> next.
"

diff --git a/src/rx/rx_packet.c b/src/rx/rx_packet.c
index 12822bf..682af93 100644 (file)
--- a/src/rx/rx_packet.c
+++ b/src/rx/rx_packet.c
@@ -1154,6 +1154,7 @@ rxi_ReceiveDebugPacket(register struct rx_packet *ap, osi_socket asocket,
 #ifndef        RX_ENABLE_LOCKS
            tstat.waitingForPackets = rx_waitingForPackets;
 #endif
+           MUTEX_ENTER(&rx_serverPool_lock);
            tstat.nFreePackets = htonl(rx_nFreePackets);
            tstat.callsExecuted = htonl(rxi_nCalls);
            tstat.packetReclaims = htonl(rx_packetReclaims);
@@ -1161,6 +1162,7 @@ rxi_ReceiveDebugPacket(register struct rx_packet *ap, osi_socket asocket,
            tstat.nWaiting = htonl(rx_nWaiting);
            queue_Count(&rx_idleServerQueue, np, nqe, rx_serverQueueEntry,
                        tstat.idleThreads);
+           MUTEX_EXIT(&rx_serverPool_lock);
            tstat.idleThreads = htonl(tstat.idleThreads);
            tl = sizeof(struct rx_debugStats) - ap->length;
            if (tl > 0)