Opened 5 years ago

Closed 5 years ago

#14554 closed defect (fixed)

Possible infinite loop on pipe_drain()

Reported by: dgoulet
Priority: High
Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.6.2-alpha

Description

In src/common/compat_threads.c, there is this function:

static int
pipe_drain(int fd)
{
  char buf[32];
  ssize_t r;
  while ((r = read_ni(fd, buf, sizeof(buf))) >= 0)
    ;
  if (r == 0 || errno != EAGAIN)
    return -1;
  return 0;
}

This one will end up in an infinite loop because read() returns 0 on EOF. Furthermore, if, let's say, we get out of this loop somehow, errno == SUCCESS will return -1. Even if the fd is in non-blocking mode, if the fd is drained, the last read() will return 0 non-stop (I tested it here with two threads).

I'm coming up with a fix ASAP that uses a safer read() wrapper.
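A drain loop that stops on every terminal outcome of read() (EOF, would-block, hard error), given here as an added example and not the code from the ticket's fix branch. The names drain_fd, the DRAIN_* result codes and demo() are hypothetical, and plain read() stands in for read_ni().

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical result codes for this example (not Tor's). */
enum drain_result { DRAIN_ERROR = -1, DRAIN_EMPTY = 0, DRAIN_EOF = 1 };

/* Read and discard everything currently buffered on a non-blocking fd.
 * Every terminal outcome of read() leaves the loop. */
static enum drain_result
drain_fd(int fd)
{
  char buf[32];
  ssize_t r;
  for (;;) {
    r = read(fd, buf, sizeof(buf));
    if (r > 0)
      continue;                 /* discarded some bytes, keep going */
    if (r == 0)
      return DRAIN_EOF;         /* all writers closed: must not loop */
    if (errno == EINTR)
      continue;                 /* interrupted before any data: retry */
    if (errno == EAGAIN || errno == EWOULDBLOCK)
      return DRAIN_EMPTY;       /* nothing left, a writer is still open */
    return DRAIN_ERROR;         /* real failure, errno says why */
  }
}

/* Constructed scenario: fill a pipe, drain it, then close the writer.
 * Returns 0 when both outcomes match expectations. */
static int
demo(void)
{
  int p[2];
  enum drain_result open_writer, closed_writer;
  if (pipe(p) < 0)
    return -1;
  if (fcntl(p[0], F_SETFL, O_NONBLOCK) < 0)
    return -1;
  if (write(p[1], "0123456789012345678901234567890123456789", 40) != 40)
    return -1;
  open_writer = drain_fd(p[0]);    /* 40 bytes read, then EAGAIN */
  close(p[1]);
  closed_writer = drain_fd(p[0]);  /* read() returns 0: EOF */
  close(p[0]);
  return (open_writer == DRAIN_EMPTY && closed_writer == DRAIN_EOF) ? 0 : 1;
}

int main(void) { return demo(); }
```

Reporting EOF separately from "drained" lets the caller decide whether a closed peer is an error for its use of the pipe.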

Change History (3)

comment:1 Changed 5 years ago by dgoulet

sock_drain() suffers from the same issue also. Will be fixed in the upcoming branch.

comment:2 Changed 5 years ago by dgoulet

Status: new → needs_review

Branch bug14554_026_v1 contains the fix.

comment:3 Changed 5 years ago by dgoulet

Resolution: fixed
Status: needs_review → closed