![[RTEMS Logo]](/images/logo.png){kind=logo}
Opened on 07/20/10 at 04:18:23
Last modified on 12/06/12 at 08:02:10
#1625 assigned defect
TFTPFS memory corruption using relative paths
| Reported by: | Angus Gratton | Owned by: | Chris Johns |
|---|---|---|---|
| Priority: | normal | Milestone: | 4.10.3 |
| Component: | fs | Version: | 4.10 |
| Severity: | normal | Keywords: | |
| Cc: | sebastian.huber@… | Blocked By: | |
| Blocking: |
Description (last modified by Gedare Bloom)
This is an issue I experienced when using 'chdir' and relative path access on TFTPFS in RTEMS 4.10.
Again, I was using a PowerPC MVME3100 but I think this is non-architecture-specific.
You may need to apply the patches submitted with Bug 1624 before you can get to this point at all (absolute path TFTPFS should be working as a prerequisite.)
To reproduce, use the attached test.c in place of network-demos/tftpTest/test.c and run the tftpTest program. You will see the initial absolute path accesses succeed, then the chdir & the first relative path access succeed, but the second relative path access will fail. You'll probably see a double-free error at this point.
The problem is that the pathloc->node_access pointer value is saved in the 'rtems_current_directory' struct, but it is also freed by the rtems_ftp_free_node_info() function. So the next TFTPFS access that uses a relative path will read unallocated memory.
I've attached a somewhat hacky patch that fixes this specific case, and helps to demonstrate the issue.
I don't think this is actually the "correct" way to fix the problem though, as it relies on each FS implementation explicitly checking if it is freeing the 'current_directory' copy of any pointers.
I think a better fix would be to implement a rtems_filesystem_dup_node_info() function for each filesystem, where the FS itself allocates new copies of any heap-allocated resources. Then the filesystem layer can call dup_node_info before writing the copy to the rtems_current_directory value, ensuring it has its own unique version of any heap-allocated resources.
I didn't have time to implement that though, sorry - need to get EPICS up and running!
Please let me know if you need me to explain anything better - the test app & patch should be more instructive than my vague rantings.
Attachments (4)
Change History (10)
Changed on 07/20/10 at 04:19:25 by Angus Gratton
| Attachment: | tftp-patch-2.diff added |
|---|
Changed on 07/20/10 at 04:20:11 by Angus Gratton
Replacement network-demos/tftpTest/test.c to demonstrate issue
comment:1 Changed on 07/20/10 at 23:43:46 by Chris Johns
| dependson: | → 1624 |
|---|---|
| Status: | new → assigned |
Changed on 11/17/10 at 21:41:53 by Angus Gratton
| Attachment: | cwd-fix.diff added |
|---|
Better demonstrative patch (see comment)
comment:2 Changed on 11/17/10 at 21:41:53 by Angus Gratton
| attachments.isobsolete: | 0 → 1 |
|---|
Changed on 10/30/12 at 03:37:12 by Angus Gratton
| Attachment: | issue1625_fix.patch added |
|---|
Fix against current 4.10 branch (tip c160bc2e97143df1015b4dc3107c133b9d9dc1d4)
comment:3 Changed on 10/30/12 at 03:37:12 by Angus Gratton
| attachments.isobsolete: | 0 → 1 |
|---|
comment:4 Changed on 12/06/12 at 08:00:56 by Sebastian Huber
| Cc: | Sebastian Huber added |
|---|
Replying to comment:4:
Created attachment 1489 [details]
Fix against current 4.10 branch (tip c160bc2e97143df1015b4dc3107c133b9d9dc1d4)
How does the change in chdir() affect other file systems?
comment:5 Changed on 12/06/12 at 08:02:10 by Sebastian Huber
| Milestone: | 4.11 → 4.10 |
|---|
comment:6 Changed on 11/22/14 at 13:53:15 by Gedare Bloom
| Description: | modified (diff) |
|---|---|
| Milestone: | 4.10 → 4.10.3 |
Demonstrative patch (hacky, see discussion)